Recovery-Key Attacks against TMN-family Framework for Mobile Wireless Networks

Abstract

The proliferation of the Internet of Things (IoT) technologies and applications, especially the rapid rise in the use of mobile devices, from individuals to organizations, has led to the fundamental role of secure wireless networks in all aspects of services that presented with many opportunities and challenges. To ensure the CIA (confidentiality, integrity and accessibility) security model of the networks security and high efficiency of performance results in various resource-constrained applications and environments of the IoT platform, DDO-(data-driven operation) based constructions have been introduced as a primitive design that meet the demand of high speed encryption systems. Among of them, the TMN-family ciphers which were proposed by Tuan P.M., Do Thi B., etc., in 2016, are entirely suitable approaches for various communication applications of wireless mobile networks (WMNs) and advanced wireless sensor networks (WSNs) with high flexibility, applicability and mobility shown in two different algorithm selections, TMN64 and TMN128. The two ciphers provide strong security against known cryptanalysis, such as linear attacks and differential attacks. In this study, we demonstrate new probability results on the security of the two TMN construction versions - TMN64 and TMN128, by proposing efficient related-key recovery attacks. The high probability characteristics (DCs) are constructed under the related-key differential properties on a full number of function rounds of TMN64 and TMN128, as 10-rounds and 12-rounds, respectively. Hence, the amplified boomerang attacks can be applied to break these two ciphers with appropriate complexity of data and time consumptions. The work is expected to be extended and improved with the latest BCT technique for better cryptanalytic results in further research.

1. Introduction

The explosion of mobile devices and services, as smart phones and tablets becoming an essential part of modern society, along with the rapid development and spread of the IoT technologies, is leading to the significant challenges of secure and trustworthy service composition that requires the balance the inherent tension between security and accessibility of wireless technologies and networks employed in the constrained IoT environments. In the context of unreliable constrained wireless networks for IoT networks, the specific secure requirements and needs of these networks are needed as not only dealing with the unauthorized access to systems and data, but also ensuring the suitability, mobility and applicability on both software and hardware performances when operating and integrating in such environments.

With the limitations about the processing capacity and resources, the deployment results seem not suitable for the constrained IoT environments in handling with both secure highspeed encryption and high efficiency in hardware integration. To address those issues, the prominent solution focuses on improving the protection of cipher designs by distinct switch operations and functions, like the Data-Dependent Permutation-based constructions (such as CIKS-1 [18], SCO-family [7] and Cobra-family [19] [20]), the Data-Dependent Operationbased constructions (such as CIKS-128 [8], CIKS-128H [13], MD-64 [5] and DDO-64 [14]) and the Switchable Data-Dependent Operation-based constructions (such as BMD-128 [4], XO-64 [6], BM123-64 [2]). However, the fact is, for as long as there have been wireless communication networks, there have been fatal weaknesses that were still vulnerable to wellknown related attacks. One of them, simple key scheduling generator in the cipher structures for high speed transformation and lightweight targets gives cryptanalytic possibility for attackers to exploit these mechanisms by applying common related-key differential attack methods.

TMN block cipher [1] is kind of DDO-based construction proposed by Tuan P.M., Do Thi B., etc., in 2016. It has two different versions: TMN64 with 64-bits block size, covering 128- bits key size and total 10 function rounds; and TMN128 with block size of 128-bits, having 256-bits secret key size and 12 function rounds in total. These are designed in combination of new concept in functions and attributes of the data-dependent operations (DDOs) and the Controlled Substitution-Permutation Network (CSPN) frameworks [13]. Hence, the two ciphers are regarded as an effective solution with more adjustable and desirable approach for fitting targets of application and system with particular fixed designs. In the designs, the authors showed high suitability, applicability in characteristics of various other algorithms for specific high-speed networks targets, as well as high authenticity of protecting against types of popular cryptanalysis, such as differential and linear attacks, by using the improvement of on-the-fly round key generator.

1.1 Related Study

Related-key differential amplified boomerang attack was evolved by Kelsey et al. [16], which is a pure adaptive chosen-plaintext attack and is an upgrade model of the related-key boomerang attack developed by Wagner, 1999 [17] and Biham et al., 2005 [15]. Particularly, the attack had become effective cryptanalysis technique applying for various cipher mechanisms since the target aims to exploit two distinctive related-key differential characteristics for finding right quartets with high probability. Some of the previous cryptanalysis that used this attack scenario on DDO-based ciphers had given high efficiency and high probability in cryptanalytic results, like on BMD-128 [9], XO-64 [10], DDO-64 [11], MD-64 [12], and BM123-64 [3].

Fig. 1. The related-key boomerang characteristics.

In the model of related-key boomerang attack, the cipher E is divided into two sub-ciphers, depicted as E = E¹ ○ E⁰. In addition, for E⁰ and E¹, the related-key differentials are integrated into an adaptive chosen-plaintext and chosen-ciphertext characteristics of the cipher E, as the characteristics based on the encryption/ decryption process covering the related keys.

We suppose that α → β is a related-key differential for E⁰ with probability p using key difference ∆K, and δ → γ is another related-key differential for E¹ with probability q using key difference ∆K’. With the related keys K, K*, K’, K’* where ∆K = K ⊕ K* and ∆K’ = K’ ⊕ K’*, we can execute the attack as follows.

(1) Pick up two random plaintexts P and P’, and then assign P* = P ⊕ α, P’* = P’ ⊕ α to get the quartet of plaintext (P, P*, P’, P’*).

(2) Gain the matching quartet of ciphertext (C, C*, C’, C’*), as C = E_K(P), C* = E_K*(P*), C’ = E_K’(P’) and C’* = E_K’*(P’*), using the secret key differences, as ∆K = K ⊕ K* = K’ ⊕ K’* and ∆K’ = K ⊕ K’ = K* ⊕ K’*.

(3) Examine whether C ⊕ C’ = C* ⊕ C’* = δ or not.

If the quartet of plaintext (P, P*, P’, P’*) progresses through Stage 3, we output it as a correct quartet in the model of related-key amplified boomerang attack.

The correct plaintext quartets must satisfy the following conditions:

(a) P ⊕ P* = P’ ⊕ P’* = α

(b) I ⊕ I* = I’ ⊕ I’* = β

(c) I ⊕ I’ = γ

(d) C ⊕ C’ = C* ⊕ C’* = δ.

while I and I’ is the intermediate encryption values after E⁰.

We choose m₁ and m₂ are number of pairs of (P, P*) and number of pairs of (P’, P’*), respectively, with difference α. As we also suppose that α → β is the first related-key differential for E⁰ under the probability of p using the key difference ∆K, and δ → γ is the second related-key differential for E¹ under the probability of q using the key difference ∆K’, there exists the number of pairs (m₁∙p) and (m₂∙p) fulfill the first related-key differential α → β for E⁰ using the key difference ∆K. Then, the quartets meet the conditions (a) and (b) are about m₁∙m₂∙ p². Similarly, if we obtain I ⊕ I’ = γ under the probability of 2^-n in all possible values, we get m₁∙m₂∙2^-n∙p² quartets meet the requirements of (a), (b) and (c). And the relatedkey differential boomerang characteristic can differentiate a cipher E from a perfect cipher if the probability p∙q > 2^-n/2, when the supposed number of correct quartets is approximately m₁∙m₂∙2^-n∙p²∙q².

1.2 Research Contributions

In this paper, we demonstrate the related-key recovery attacks on the two variants of TMN constructions, TMN64 and TMN128. The attack, by obtaining the two related-key boomerang distinguishers with high probabilities in distinct designs, can exploit a full 10-rounds and 12 rounds of TMN64 and TMN128, respectively with highly favorable cryptanalytic results. The proposed amplified boomerang attacks require about 2⁴⁷ in complexity of data, memory bytes of 2⁵⁰ and complexity of time using 2⁶⁵ encryptions for the TMN64 design; and about 2⁶⁹ complexity of data, memory bytes of 2⁷² and complexity of time using 2¹²⁹ encryptions for TMN128 model of TMN schemes. These cryptanalytic results are the first security results on the two variants of the TMN-family so far. In this way, we prove that the TMN-family constructions, like other previous research of DDP-based or DDO-based schemes, are still vulnerable and being insecure against related-key differential cryptanalysis. The assurance of the security on these types of cipher constructions remains unclear and should be designed with a better security primitive approach.

The remainder of this paper is structured as follows; the two TMN-family constructions, TMN64 and TMN128, are described in Section 2. In Section 3, we define the related-key boomerang differential properties in each round function of these two designs based on the controlled element CE F_2/2 that allows us to build the high probability of differential characteristics (DCs) presented in Section 4. Then, the recovery attacks on the TMN64 and TMN128 ciphers are proposed with the analysis methods and complexity assessments shown in Section 5. Lastly, in Section 6, we give the conclusion of all our study.

2. TMN64, TMN128 Block Ciphers Description

2.1 Preliminaries

Some notations are concisely described in this section that they are used throughout the paper. As c₁ denotes the MSB (the most significant bit) and cn denotes the LSB (the least significant bit), a cipher C can be defined as C = (c₁, c₂, …, c_n).

The related-key differential characteristics applied to the amplified boomerang attack methods are combining with related differential components of block ciphers, like the input, the output, and the key of a round function.

- r : round function of a block cipher.

- ∆Q_r, ∆Q_r : round key difference values for each round r.

- ∆X_r / ∆Y_r : input / output difference values for each round r.

- e_i,j : binary data bit adjusting for a round r, as the active bit values i and j; at the i^th and j th positions, the bit value are ‘1’, and the others are ‘0s’ for each block data. (e.g., e_3,5 = (0, 0, 1, 0, 1,…, 0)).

- ⊕ : bitwise XOR operation.

- ⋘, ⋙ : bitwise left, right rotation.

2.2 TMN64, TMN128 Constructions

TMN64, TMN128 [1] are designed as DDO-based block cipher mechanisms with different data block sizes, 64-bits and 128-bits under 128-bits and 256-bits secret keys, respectively. Totally, it covers 10 rounds function for TMN64 and 12 rounds function for TMN128. A round function Crypt^(e) for each construction will do same switchable data operations from the 1^st round to the last round (the FT function) for yielding the appropriate ciphertext as output.

The round function Crypt^(e) of TMN64, TMN128 is based on the controlled substitution permutation networks (CSPNs), an extension function E, two specified permutations (I₁ and I₂) and DDO-based functions \(F_{n / m}^{V / e}\left(F_{32 / 384}, F_{32 / 384}^{-1}, F_{64 / 768}, F_{64 / 768}^{-1}\right)\) including basic controlled element function F_2/2.

The encryption algorithm of TMN128 can be define as:

1. Input with 128-bit block size as plaintext is divided into two sub-blocks A and B, with 64-bits for each block.

2. From the 1^st round to the 11^th round (as r = 1 to 11), for each round r, execute identical operations:

(A, B) = Crypt⁽⁰⁾ (A, B, Q_r, Q_r)

(A, B) = (B, A)

3. Generate the 12^th round (last round) integrating with the FT (final transformation):

(A, B) = Crypt⁽⁰⁾ (A, B, Q₁₂, Q₁₂)

(A, B) = (L ⊕ Q_FT, R ⊕ Q_FT)

(A, B) = (A, B).

Fig. 2 and Fig. 3 illustrates the round function Crypt⁽⁰⁾ of TMN64 and TMN128 in details. Refer to [1] for more description of the TMN64 and TMN128 constructions.

Fig. 2. The overall construction and the Crypt⁽⁰⁾ of TMN64.

Fig. 3. The overall construction and Round function Crypt⁽⁰⁾ of TMN128.

The DDO functions \(F_{n / m}^{V / e}: F_{32 / 384}, F_{32 / 384}^{-1}, F_{64 / 768} \text {, and } F_{64 / 768}^{-1}\) are built based on CE F_2/2, as F_2/2 is defined by \(\left(\left(x_{1}, x_{2}\right),[v, z] /\left(y_{1}, y_{2}\right)\right)\) (see Fig. 4). As the authors of TMN ciphers did not mention clearly about the way of executing F_2/2, we can refer it as same previous DDObased schemes using for the high-speed wireless communication networks.

Fig. 4. DDO-based functions (a) F_32/192, F^-1_32/192; (b) F_64/384, F^-1_64/384; (c) F_8/24, F^-1_8/24 and (d) CE F_2/2.

y₁ = vz ⊕ vzx₁ ⊕ zx₁ ⊕ zx₂ ⊕ x₁ ⊕ v ⊕ 1

y₂ = zx₁ ⊕ vzx₂ ⊕ z ⊕ vx₁ ⊕ zx₂ ⊕ vz ⊕ v ⊕ x₂ ⊕ 1

y₃ = x₁ ⊕ vzx₂ ⊕ vx₁ ⊕ x₂ ⊕ vzx₁ ⊕ z.

The extension function E does output controlling vector as (V,Z) = (V₁, V₂, V₃, V₄, V₅, V₆, Z₁, Z₂, Z₃, Z₄, Z₅, Z₆), taking a 32-bits input X then produce 192-bits output Y for TMN64, and 64-bits input X then produce 384-bits output Y for TMN128.

The fixed permutations are used at the right branch between two DDO operations \(F_{n / m}^{V / e}\) and at the left branch of the hybrid CSPNs S_i (see Fig. 5 and Fig. 6) within the two structures.

Fig. 5. CSPNs S_i , S_d and S^-1_d.

Fig. 6. Different 4 X 4 bit S-boxes.

The extension boxes E(X) of TMN-64 and TMN-128.

The secret key scheduling is improved to deal with the weaknesses of simple weak key genegator in most DDP-based constructions, by using a on-the-fly expansion round key. The target of this function is creating the key for the next round while implementing encryption (or decryption) at same time.

Fig. 7. On-the-fly secret round key expansion procedure.

3. Differential Properties of TMN64, TMN128

This section presents the differential properties of DDO operations in Crypt⁽⁰⁾ round function of the two ciphers TMN64 and TMN128, based on the differential properties of CE F_2/2. These properties enable us to construct effective differential boomerang characteristics later.

3.1 Differential Properties of CE F_2/2

We assume that x1 and x2 are two input values and a (v, z) pair is a controlling vector of controlled element F_2/2. So, the CE F_2/2 can be depicted as F_2/2 (x₁, x₂, v, z). According to the differential distribution put in to definitions of CE F_2/2 in TMN structures, we can obtain differential properties as:

y₁ = vz ⊕ vzx₁ ⊕ zx₁ ⊕ zx₂ ⊕ x₁ ⊕ v ⊕ 1

y₂ = zx₁ ⊕ vzx₂ ⊕ z ⊕ vx₁ ⊕ zx₂ ⊕ vz ⊕ v ⊕ x₂ ⊕ 1

Pr[F_2/2(x₁, x₂, v, z) ⊕ F_2/2(x₁ ⊕ 1, x₂, v, z) = (1, 0)] = 2^-2.

It means, for the difference (x₁ ⊕ 1, 0) of the input and the (0, 0) difference of the controlling vector, we can gain the probability of 2^-2 with the output difference of (1, 0). This differential property can be found as same distribution with other DDO-based cipher mechanisms.

3.2 Differential Properties of TMN64 and TMN128

Applying the same method, we can distribute differential properties of DDO operations: F_32/192, F^-1_32/192, F_64/384 and F^-1_64/384. We mark X as input value and (V, Z) pair as controlling vector, and since for each TMN64 and TMN128 structure has same 3 active layers F_2/2 (within F_8/24 and F^-1_8/24 functions), then we have the differential properties as following:

\(\begin{aligned} &\operatorname{Pr}\left[F_{32 / 192}(X, V, Z) \oplus F_{32 / 192}\left(X \oplus e_{32}, V, Z\right)=e_{32}\right]=2^{-6} \\ &\operatorname{Pr}\left[F^{-1}{ }_{32 / 192}(X, V, Z) \oplus F^{-1}{ }_{32 / 192}\left(X \oplus \mathrm{e}_{32}, V, Z\right)=e_{32}\right]=2^{-6} \\ &\operatorname{Pr}\left[F_{64 / 384}(X, V, Z) \oplus F_{64 / 384}\left(X \oplus e_{64}, V, Z\right)=e_{64}\right]=2^{-6} \\ &\operatorname{Pr}\left[F^{-1}{ }_{64 / 384}(X, V, Z) \oplus F_{64 / 384}^{-1}\left(X \oplus e_{64}, V, Z\right)=e_{64}\right]=2^{-6} . \end{aligned}\)

4. Related-key Amplified Boomerang Characteristics of TMN64, TMN128

In this section, we indicate the way of establishing the related-key differential boomerang characteristics with high probability based on the differential properties we explored before on full 10-rounds and 12-rounds of TMN64 and TMN128 block ciphers, respectively.

4.1 Related-key Amplified Boomerang Characteristic of TMN64

We suppose that the (P, P*, P’, P’*) plaintexts with difference α = P ⊕ P* = P’ ⊕ P’* = (e₃₂, e₃₂) are encrypted to get appropriate ciphertext (C, C*, C’, C’*) using the master keys (K, K*, K’, K’*) satisfying the key difference ∆K = K ⊕ K* = K’ ⊕ K’* = (e₃₂, 0, 0, 0).

By this way, we can generate the 1st related-key propagation of differential distinguisher (α → β) from the 1^st round to the 5^th round of TMN64 to get the corresponding output difference β = (0, 0), with probability of 1.

Then, we mark the transitional values as (I, I*, I’, I’*) with the difference γ = I ⊕ I* = I’ ⊕ I’* = (0, 0). These values are encoded using the master key (K, K*, K’, K’*) satisfying the key difference ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e₃₂, 0, 0). Overall, we can yield the 2nd related-key propagation of differential distinguisher (γ → δ) from the round 6^th to the last round 10^th with a probability of 2^-12, to get the final corresponding output difference δ = (e₃₂, 0).

Table 1. Related-key propagation of differential distinguisher on full-round of TMN64.

Fig. 8. Differential propagation at the 10^th round and the FT on the TMN64.

For further definitions of related-key DCs on the TMN64 cipher, refer to [Appendix A].

4.2 Related-key Amplified Boomerang Characteristic of TMN128

We similarly do as the same methods applied to TMN64, by assuming the plaintexts (P, P*, P’, P’*) with difference value 𝛼𝛼 = P ⊕ P* = P’ ⊕ P’* = (e64, e64) are encrypted to get appropriate ciphertext (C, C*, C’, C’*) using the master keys (K, K*, K’, K’*), as the key difference is ∆K = K ⊕ K* = K’ ⊕ K’* = (e₆₄, 0, 0, 0).

In this manner, we can obtain the 1st related-key propagation of differential distinguisher (α → β) from the 1^st round to the 5^th round of TMN128 for obtaining the output difference β = (0, 0), with probability of 1.

Then, we assign the transitional values as (I, I*, I’, I’*) with the difference 𝛾𝛾 = I ⊕ I* = I’ ⊕ I’* = (e₆₄, e₆₄). These values are encoded using the master key (K, K*, K’, K’*), as the key difference is ∆K’ = K ⊕ K’ = K* ⊕ K’* = (e₆₄, e₆₄, 0, 0). Finally, we can yield the 2nd relatedkey propagation of differential distinguisher (γ → δ) from round 6^th to the last round 12^th with a probability of 2^-24, to get the final corresponding output difference δ = (e₆₄, e₆₄).

Table 2. Related-key propagation of differential distinguisher on full-round of TMN128.

Fig. 9. Differential propagation at the 12^th round and the FT on the TMN128.

For further definitions of related-key DCs on the TMN128 cipher, refer to [Appendix A].

5. Proposed Key Recovery Attacks on TMN64, TMN128

This section illustrates the methods we apply to employ the recovery attacks on the TMN-64 and TMN-128 constructions.

5.1 Amplified Boomerang Attack Method on TMN64

According to the obtained related-key DCs in Section 4 for TMN64, we expect m²∙2^-88 correct quartets when executing with m RK-CP (related-key chosen-plaintext) pairs, depicted as (P, P*) and (P’, P’*), and the related-key amplified boomerang distribution constructed reach to the 10th round of TMN64 with probability of 2^-88 (that is 2^-n∙p²∙q²). And then, we select a set of 2⁴⁶ plaintext pairs (that is m²∙2^-88 = 2³) for the attack while we look for 8(2³) correct amplified boomerang quartets.

The proposed related-key recovery attack based on the amplified boomerang cryptanalytic method on full 10-rounds TMN64 as follows.

1) We firstly select a group of 2⁴⁶ pairs of plaintext (P_j, P_j*), (where j = 1, …, 2⁶⁶), and construct 2⁹¹ quartets of plaintext (P_i, P_i*, P_i’, P_i’*), (where i = 1, …, 2⁹¹) under the input difference α = (e₃₂, e₃₂). Then, the quartets of plaintext (P_i ,P_i*, P_i’, P_i’*) are encrypted using the master key (K, K*, K’, K’*) satisfying the differences of keys, those are ∆K = K ⊕ K* = K’ ⊕ K’* = (e₃₂, 0, 0, 0) and ∆K’ = K ⊕ K’ = K* ⊕ K’* = (0, e₃₂, 0, 0), to obtain the appropriate quartets of ciphertext (C_i, C_i*, C_i’, C_i’*).

2) We examine with each i, that C_i ⊕ C_i’ = C_i* ⊕ C_i’* = (e₃₂, 0) for each route.

3) At this step, we predict a sub-key (K₁) with 32-bit key size of the FT, and gain the subkeys (K₁*, K₁’ and K₁’*) using the guessed key K₁. 

(a.) We do decrypt for all the quartets of ciphertext (C_i, C_i*, C_i’, C_i’*) progressing through Stage 2, with the predicted quartets of sub-key to obtain 32-bit left inputs (X_i, X_i*, X_i’, X_i’*) on the 10^th round prior the additional layer of key (⊕ XOR operation) at the final transformation.

(b.) Then, we check that X_i ⊕ X_i’ = X_i* ⊕ X_i’* = (0, 0) for each i value.

4) Finally, for the recovery attacks, we generate a brute-force search for catching the remaining 96-bit (K₂, K₃, K₄) with all the predicted sub-keys progressing through Stage 3. When any predicted 128-bits key is satisfying the pairs of two plaintext/ ciphertext, we can then do output the key as the correct 128-bits master key of the TMN64. In other ways, we return to the method at Stage 3.

The proposed attack on TMN64 requires 2⁴⁶ pairs of plaintext and 2⁴⁷ RK-CPs (related-key chosen plaintexts) as the complexity of data, under the total related-key DC of 2^-12 probability. The requirement of memory is approximately 2⁵⁰(= 2⁴⁷ ∙ 8) bytes during the attack. The complexity of time at Stage 1 is around 2⁴⁷ full 10-rounds encryptions of TMN64. We expect that each ciphertext progressing through Stage 2 with 2^-64 probability. Therefore, we expect around 2²⁸ (that is 2⁹² ∙ 2^-64) correct quartets of ciphertext go by this stage. We look forward the complexity of time at Stage 3 and Stage 4 is around 2⁶² (that is 2⁶⁴ ∙ 4 ∙ 1/8 ∙ 1/2) and 2⁶⁵ (that is 2⁶⁴ ∙ 1 ∙ 2) data encryptions, respectively. Overall, the complexity of time executing all the attack is approximately 2⁶⁵ (that is 2⁴⁷ + 2⁶² + 2⁶⁵) TMN64 computational encryptions on average.

5.2 Amplified Boomerang Attack Method on TMN128

Following the obtained related-key DCs in Section 4 for TMN128, we look for m² ∙ 2^-176 correct quartets when executing with m RK-CP (related-key chosen-plaintext) pairs, depicted as (P, P*) and (P’, P’*), as the related-key amplified boomerang distribution constructed reach to the 12^th round of TMN128 with probability of 2^-176 (that is 2^-n ∙ p² ∙ q²). And then, we select a set of 290 plaintext pairs (m 2 ∙ 2^-176 = 2³) for the attack while we suppose 8(2³) correct amplified boomerang quartets.

The proposed related-key recovery attack based on the amplified boomerang cryptanalytic method on full 12-rounds TMN128 as follows.

1) To begin with, we prepare a group of 2⁹⁰ pairs of plaintext (P_j, P_j*), (j = 1, …, 2⁹⁰), and construct corresponding 2¹⁷⁹ quartets of plaintext (P_i, P_i*, P_i’, P_i’*), (i = 1, …, 2¹⁷⁹) under the input difference 𝛼𝛼 = (e₆₄, e₆₄). Then, we encode the quartets of plaintext (P_i, P_i*, P_i’, P_i’*) using the unknown sub-keys (K, K*, K’, K’*) having ∆K = K ⊕ K* = K’ ⊕ K’* = (e₆₄, 0, 0, 0) and ∆K’ = K ⊕ K’ = K* ⊕ K’* = (e₆₄, e₆₄, 0, 0) key difference, for catching the matching quartets of ciphertext (C_i, C_i*, C_i’, C_i’*).

2) We examine with each i, that C_i ⊕ C_i’ = C_i* ⊕ C_i’* = (e₆₄, e₆₄) for each route.

3) At this step, we predict a sub-key (K₁) with 64-bit key size of the FT, and gain the subkeys (K₁*, K₁’ and K₁’*) using the guessed key K₁.

(a.) We do decrypt for all the quartets of ciphertext (C_i, C_i*, C_i’, C_i’*) progressing through Stage 2, with the predicted quartets of sub-key to obtain 64-bit left inputs (X_i, X_i*, X_i’, X_i’*) on the 12^th round prior the additional layer of key (⊕ XOR operation) at the final transformation.

(b.) Then, we check that X_i ⊕ X_i’ = X_i* ⊕ X_i’* = (0, 0) for each i value.

4) Lastly, we generate a brute-force search for catching the remaining 192-bit (K₂, K₃, K₄) with all the predicted sub-keys progressing through Stage 3. When any predicted 256-bits key is satisfying the pairs of two plaintext/ ciphertext, we can then do output the key as the correct 256-bits master key of the TMN64. In other ways, we return to the method at Stage 3.

The proposed attack on TMN128 requires 2⁹⁰ pairs of plaintext and and 2⁹¹ RK-CPs (related-key chosen plaintexts) as the complexity of data, under the total related-key DC of 2^-24 probability. The requirement of memory is approximately 2⁹⁴ (= 2⁹¹ ∙ 8) bytes during the attack. The complexity of time at Stage 1 is around 2⁹¹ full 10-rounds encryptions of TMN128. Similarly, we also expect that each ciphertext progressing through Stage 2 with 2^-128 probability. Therefore, we expect around 2⁵² (that is 2¹⁸⁰ ∙ 2^-128) correct quartets of ciphertext go by this stage. We look forward the complexity of time at Stage 3 and Stage 4 is around 2¹²⁶ (that is 2¹²⁸ ∙ 4 ∙ 1/8 ∙ 1/2) and 2¹²⁹ (that is 2¹²⁸ ∙ 1 ∙ 2) data encryptions, respectively. Overall, the complexity of time executing all the attack is approximately 2¹²⁹ (≈ 2⁹¹ + 2¹²⁶ + 2¹²⁹) TMN128 computational encryptions on average.

6. Conclusion

In this paper, we discussed the security of the TMN-family framework: TMN64 and TMN128, resisting against the related-key recovery attack based on the differential boomerang cryptanalytic method. Depending on high probability of differential characteristics we constructed, we suggested a kind of related-key recovery attacks as the amplified boomerang cryptanalysis in different two versions: on a full 10-rounds of TMN64 and 12-rounds of TMN128. The attack requires about 2⁴⁷ RK-CP (related-key chosen plaintexts), 2⁵⁰ memory bytes and 2⁶⁵ complexity of time for all encryptions unit of the TMN64; and 2⁹¹ RK-CP (related-key chosen plaintexts), 2⁹⁴ memory bytes and 2¹²⁹ complexity of time for all encryptions unit of the TMN128. According to our cryptanalytic results, although the TMN constructions had enhanced the way of generating round keys to handle with the weak key scheduling problems, the full-round of TMN64 and TMN128 were distinguished from an ideal cipher properly, that proved the TMN constructions are still vulnerable to related-key differential attacks. We suggest a better primitive approach in designing the block ciphers, especially the structures based on DDP or DDO functions in the further research.

Appendix