INNOVATIVE CRYPTOGRAPHY

Second Edition

NICK MOLDOVYAN

ALEX MOLDOVYAN

CHARLES RIVER MEDIA


Boston, Massachusetts
Copyright 2007 Career & Professional Group, a division of Thomson Learning Inc.
Published by Charles River Media, an imprint of Thomson Learning Inc.
All rights reserved.
No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or
transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy,
recording, or scanning, without prior permission in writing from the publisher.
Cover Design: Tyler Creative
CHARLES RIVER MEDIA
25 Thomson Place
Boston, Massachusetts 02210
617-757-7900
617-757-7969 (FAX)
[email protected]
www.charlesriver.com
This book is printed on acid-free paper.
Nick Moldovyan. Innovative Cryptography.
ISBN: 1-58450-467-6
eISBN: 1-58450-654-7
All brand names and product names mentioned in this book are trademarks or service marks of their
respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not
be regarded as intent to infringe on the property of others. The publisher recognizes and respects all
marks used by companies, manufacturers, and developers as a means to distinguish their products.
Library of Congress Cataloging-in-Publication Data
Moldovyan, Alex.
Innovative cryptography / A. Moldovyan and N. Moldovyan. -- 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 1-58450-467-6 (pbk. : alk. paper) 1. Data encryption (Computer science)
2. Telecommunication--Security measures. 3. Cryptography. I. Moldovyan, Nick. II. Title.
QA76.9.A25M665 2006
005.8'2--dc22
2006009839
06 7 6 5 4 3 2 First Edition
CHARLES RIVER MEDIA titles are available for site license or bulk purchase by institutions, user
groups, corporations, etc. For additional information, please contact the Special Sales Department
at 800-347-7707.
Requests for replacement of a defective CD-ROM must be accompanied by the original disc, your
mailing address, telephone number, date of purchase and purchase price. Please state the nature of
the problem, and send the information to CHARLES RIVER MEDIA, 25 Thomson Place, Boston,
Massachusetts 02210. CRM’s sole obligation to the purchaser is to replace the disc, based on defective
materials or faulty workmanship, but not on the operation or functionality of the product.
Contents

Introduction xi

1 Cryptography in the Information Age 1
1.1 Information Protection Problems in Computer Systems 1
1.2 Problems in Cryptography 6
1.2.1 Traditional Cryptography Issues 7
1.2.2 Modern Applications 12
1.2.3 Information Protection Technology 19
1.3 The Fundamentals of One-Key Cryptography 22
1.3.1 Conditional and Unconditional Security 22
1.3.2 General Issues of Cipher Design 25
1.3.3 Product and Iterated Block Ciphers 27
1.3.4 Controlled Operations—a New Cryptographic Primitive 32
1.4 Two-Key Cryptosystems 37
1.4.1 The Public Key Distribution System 37
1.4.2 The Notion of a Cryptographic Protocol 39
1.4.3 Digital Signatures 41
1.4.4 The RSA Cryptosystem 42
1.4.5 The El Gamal Digital Signature 45
1.4.6 The Chaum Blind Signature 47
1.4.7 Types of Attacks on a Digital Signature 48
1.5 Probabilistic Ciphers 50
1.5.1 Homophonic Ciphers 50
1.5.2 Ciphers with a Simple Probabilistic Mechanism 51
1.5.3 Probabilistic Combination of Data Bits and Random Bits 52
1.5.4 Probabilistic Mechanisms in Two-Key Ciphers 56
1.5.5 The El Gamal Public Cipher 57
1.6 Using Encryption in Practice 58
1.6.1 Encryption Algorithms in Protection Tools 58
1.6.2 Some Features of Applications 63
1.6.3 Standardization of Encryption Algorithms 66
1.6.4 Built-in Trapdoor Issues 68
1.6.5 Cryptography and Steganography 70

2 Flexible Software Ciphers 71
2.1 The Secrecy and Cryptographic Strength of the Algorithm 71
2.2 The Principles of Designing Software Ciphers 74
2.3 Initializing Software Ciphers 77
2.4 Non-Deterministic Software Ciphers 79
2.4.1 The Principles of Designing Flexible Ciphers 79
2.4.2 A Cryptoscheme with Permutations of Fixed Procedures 82
2.4.3 Multi-Pass Cryptoschemes with Flexible Algorithms 82
2.4.4 A Cryptosystem Adjusting of Transformation Operations 83
2.4.5 A Pseudo-Probabilistic Non-Deterministic Cipher 84
2.4.6 Flexible Ciphers with a Provable Non-Equivalence of Cryptalgorithm Modifications 86
2.5 The Combinational-Probabilistic Model 88
2.6 Fast Software Ciphers—Designations and Terminology 90
2.7 Ciphers Based on Subkey Sampling Depending on the Data 91
2.8 Encryption Algorithms in Contemporary Computer Security Systems 92
2.8.1 Fast Encryption of Disk Data 93
2.8.2 Precomputations 96
2.8.3 Disk Encryption Algorithms 99
2.8.4 Evaluating the Cryptographic Strength 104
2.8.5 File Encryption Algorithm 109
2.8.6 Transformation of the Boot Sector Data 111
2.9 Software Cipher with Flexible Input 113

3 Substitution-Permutation Networks with Minimal Controlled Elements 123
3.1 Controlled Bit Permutations as Cryptographic Primitive 123
3.2 Block Cipher Based on Variable Permutations 128
3.3 Extending the Class of Controlled Operations Using Elementary Controlled Involutions 136
3.4 Full Classification of F2/1 Nonlinear Elements 144
3.5 Synthesis of Controlled Operational Substitutions Based on F2/1 Elements 151
3.5.1 Principles of Building Controlled Operational Substitutions 151
3.5.2 Probabilistic Characteristics of Controlled Operational Substitutions 154
3.5.3 Evaluation of the Complexity of Circuit Design when Implementing Controlled Operational Substitutions 161
3.6 Variants of Representation and Criteria for Selection of F2/2 Controlled Elements 162

4 Switched Controlled Operations 169
4.1 Building Controlled Substitution-Permutation Networks of Different Orders 169
4.2 Problems with Building Block Ciphers with Simple Key Use Schedule 182
4.3 The Notion of Switched Operation 185
4.4 Controlled Operational Substitutions as a Class of Pairwise Mutually Inverse Modifications 187
4.5 Switched Controlled Operational Substitutions with Symmetric Topological Structure 194
4.6 Switched Controlled Substitution-Permutation Networks of Different Orders 199
4.7 Simplification of the Hardware Implementation of Switched Controlled Operational Substitutions 201
4.8 Switched Controlled Substitution-Permutation Networks with Controlled Elements Including Pairs of Mutually Inverse Modifications 204
4.8.1 Switched Controlled Substitution-Permutation Networks on the Basis of F2/1 Elements 205
4.8.2 Switched Controlled Substitution-Permutation Networks on the Basis of F2/2 Elements 207
4.9 Extension of the Switching Property of Controlled Operational Substitutions 208
Summary 212

5 Designing Fast Ciphers Based on Controlled Operations 215
5.1 The SPECTR-H64 Block Cipher 215
5.1.1 The General Scheme of Block Encryption 216
5.1.2 The Encryption Algorithm 216
5.1.3 The Schedule for Using Round Keys 225
5.2 The SPECTR-128 Cipher (Algorithm) 227
5.2.1 A General Scheme of Block Encryption 227
5.2.2 The Encryption Algorithm 228
5.2.3 The Schedule for Using Round Keys 234
5.3 The CIKS-128 Cipher (Algorithm) 236
5.3.1 A General Scheme of Block Encryption 236
5.3.2 The Encryption Algorithm 237
5.3.3 The Schedule for Using Round Keys 243
5.4 Prospective Program Ciphers Based on Controlled Permutations 246
5.4.1 Description of the Hypothetical DDP32 Command 246
5.4.2 The SPECTR-SZ Software Cipher 249
5.4.3 The COBRA-F64a and COBRA-F64b Block Ciphers 258
5.4.4 The DDP-S64 and DDP-S128 Algorithms 263
5.5 Statistical Properties of Algorithms 270
5.5.1 Criteria for Estimating the Properties of the “Avalanche Effect” 270
5.5.2 Estimating the Influence of Incoming Text Bits on the Transformed Text 271
5.5.3 Estimating the Influence of Key Bits on the Transformed Text 272
5.6 Elements of the Cryptanalysis of Ciphers Based on Controlled Operations 274
5.6.1 Estimating Flexible Ciphers 274
5.6.2 Differential Characteristics of Controlled Permutation Boxes 278
5.6.3 Analysis of the SPECTR-H64 Cryptosystem 284
5.6.4 Differential Cryptanalysis of the SPECTR-128 Cipher 291
5.6.5 Main Differential Characteristics of the DDP-S64 and DDP-S128 Ciphers 301
5.6.6 Estimating the Security of the COBRA-F64a and COBRA-F64b Ciphers 305
5.6.7 Attacks Based on Hardware Errors 310
5.7 Fast Ciphers with Simple Key Schedule 318
5.7.1 Cryptoschemes and Ciphers Based on Controlled and Switched Operations 318
5.7.2 The COBRA-H64 Cryptoscheme 333
5.7.3 The COBRA-H128 Block Cipher 341
5.7.4 Block Ciphers on the Basis of Controlled Substitution-Permutation Networks 345
5.7.5 Analysis of Cryptographic Strength and Statistical Testing of Ciphers Built on the Basis of Controlled and Switched Operations 347
Summary 370

Recommended Reading 371

Index 377
Introduction

Currently, cryptographic transformations are widely used as an efficient and flexible method for solving various problems of information protection in computer networks and communications systems. Three main tasks of cryptography are the most important:

Ensuring information confidentiality
Authentication of the information and message source
Ensuring user anonymity

For several thousand years, ensuring information confidentiality was considered the only task of cryptography, and many different approaches and methods have been suggested for doing so. The common feature of all these methods was the use of the secret key—certain information providing the key owner with the possibility of obtaining information from the cryptogram. Such systems of imposing secrecy are called secret-key ciphers, also known as single-key (or symmetric) cryptosystems. Tasks of the second and the third types emerged as a consequence of the wide use of electronic methods of information processing and transmission, and the development of computer technologies. They became especially urgent due to the necessity of validating electronic messages and ensuring anonymity in such applications as electronic commerce and secret electronic voting. Efficient methods of solving problems of this type are related to the use of public key cryptography, which was developed about 30 years ago. Starting from that moment, problems with public key ciphers became the most rapidly and intensely developing area of contemporary cryptography. Cryptographic systems of this type use the secret key, too, and are called two-key or asymmetric cryptosystems. However, despite the development of principally new cryptosystems, secret key ciphers have not lost their practical importance. They continue to attract considerable attention from developers of IT security tools and cryptanalysts, mainly because such ciphers ensure considerably higher performance and the possibility of secure transformation of relatively small data blocks (64- or 128-bit).
The first chapter of this book is a general discussion of cryptographic problems. It demonstrates the place and role of symmetric ciphers and issues of their practical application. Other chapters describe symmetric block ciphers. Practice has demonstrated the need for development of fast symmetric ciphers for the following applications:

Hardware implementation (for example, DES)
Software implementation (RC5, Blowfish)
Universal (both software and hardware) implementation (AES, RC6, TwoFish, IDEA, GOST)

After completion of the AES contest, the number of newly suggested solutions in the field of symmetric cryptography has considerably decreased; however, some applications still require a further increase in encryption speed for both software and hardware implementations. At the same time, in the case of hardware implementation, it is important to meet the requirements of reducing cost and energy consumption (for example, when solving the problems of information security in mobile networks). The efficiency of ciphers developed specially for such applications can be considerably improved by using innovative approaches to cipher design and abandoning universality of implementation; that is, by orienting the design toward the highest performance for either hardware or software implementation. This book covers the issues of design and analysis of ciphers of this type based on an approach that includes data-dependent transformation operations characterized by exceedingly large numbers of potential modifications. Elements of this approach were earlier known in such ciphers as DES, RC5, and RC6. However, in the aforementioned ciphers, operations of this type had a small number of modifications possible to implement, which reduced the efficiency of such primitives. To make variable operations applicable as a basic cryptographic primitive, the authors have suggested the use of controlled substitution-permutation networks (CSPNs) and permutation networks (PNs) for implementing data-dependent operations. Substantiation of these primitives, and results of the research of several new hardware-oriented ciphers, are provided in a range of newly published articles. The obtained results are generalized in this book.
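As an added illustration (not code from the book), here is a small controlled permutation box of the kind described above, built from elementary P2/1 switches: an 8-bit block permuted under a 12-bit control vector, its inverse, a count of its distinct modifications, and a constructed data-dependent round in which the other data subblock supplies the control vector. The three-layer binary-cube wiring and the control-vector extension are assumptions of this example, not the book's designs.

```python
# Added example: a controlled permutation (CP) box P8/12 built from P2/1
# switches. Assumptions: 8-bit data, 12-bit control vector, three layers wired
# as a binary cube (layer k pairs position i with i ^ 2**k). Not the book's code.
from typing import List, Tuple

N_BITS = 8                              # width of the permuted data block
STRIDES = (1, 2, 4)                     # layer k pairs position i with i ^ STRIDES[k]
PER_LAYER = N_BITS // 2                 # P2/1 elements per layer
CTRL_BITS = PER_LAYER * len(STRIDES)    # 12 control bits, one per element


def to_bits(x: int, n: int) -> List[int]:
    """Little-endian bit list of an n-bit integer (bit 0 first)."""
    return [(x >> i) & 1 for i in range(n)]


def from_bits(bits: List[int]) -> int:
    """Inverse of to_bits."""
    return sum(b << i for i, b in enumerate(bits))


def layer_pairs(stride: int) -> List[Tuple[int, int]]:
    """Disjoint (i, i ^ stride) pairs served by one layer, lower index first."""
    return [(i, i ^ stride) for i in range(N_BITS) if i < (i ^ stride)]


def apply_layer(bits: List[int], stride: int, ctrl: List[int]) -> List[int]:
    """One layer of P2/1 elements: element j swaps its pair iff ctrl[j] == 1.
    Every element is an involution, so a layer is its own inverse."""
    out = list(bits)
    for (i, j), c in zip(layer_pairs(stride), ctrl):
        if c:
            out[i], out[j] = bits[j], bits[i]
    return out


def cp_box(x: int, v: int) -> int:
    """P8/12 controlled permutation: permute the 8 bits of x under the
    12-bit control vector v, traversing the layers with strides 1, 2, 4."""
    bits = to_bits(x, N_BITS)
    ctrl = to_bits(v, CTRL_BITS)
    for k, stride in enumerate(STRIDES):
        bits = apply_layer(bits, stride, ctrl[k * PER_LAYER:(k + 1) * PER_LAYER])
    return from_bits(bits)


def cp_box_inv(y: int, v: int) -> int:
    """Inverse box: the same control bits, layers traversed in reverse order."""
    bits = to_bits(y, N_BITS)
    ctrl = to_bits(v, CTRL_BITS)
    for k in range(len(STRIDES) - 1, -1, -1):
        bits = apply_layer(bits, STRIDES[k], ctrl[k * PER_LAYER:(k + 1) * PER_LAYER])
    return from_bits(bits)


def permutation_of(v: int) -> Tuple[int, ...]:
    """Where each input bit position lands under control vector v."""
    return tuple(cp_box(1 << i, v).bit_length() - 1 for i in range(N_BITS))


def count_modifications() -> int:
    """Distinct permutations realised over all 2^12 control vectors. Bit k of
    a position can only be flipped in the layer with stride 2^k, so every
    control vector yields its own permutation: 4096 modifications."""
    return len({permutation_of(v) for v in range(1 << CTRL_BITS)})


def extend_control(right: int) -> int:
    """Constructed extension of an 8-bit subblock to 12 control bits. The
    book's ciphers use their own extension boxes; this one is illustrative."""
    return (right | ((right & 0x0F) << 8)) & 0xFFF


def ddp_round(left: int, right: int) -> Tuple[int, int]:
    """Data-dependent permutation step: the right subblock selects which of
    the 4096 modifications is applied to the left one; right passes unchanged."""
    return cp_box(left, extend_control(right)), right


def ddp_round_inv(left: int, right: int) -> Tuple[int, int]:
    """Undo ddp_round: the unchanged right subblock recreates the control vector."""
    return cp_box_inv(left, extend_control(right)), right


def hamming_weight(x: int) -> int:
    """A CP box only moves bits, so input and output weights are equal; a
    cipher must combine such layers with nonlinear operations to hide this."""
    return bin(x).count("1")
```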
Also covered are the issues of development and design of software-oriented ciphers, including ciphers whose algorithm is formed depending on the secret key. The main primitive of these ciphers is the selection of subkeys depending on the data being transformed (data-dependent subkey selection). Some specific issues of evaluating the cryptographic strength of ciphers with flexible algorithms of data transformation are considered, and a combinational-probabilistic model is suggested, oriented toward obtaining minimal evaluations for the series of software ciphers being considered. The issue of introducing a new command into universal processors is discussed. The suggested command must execute controlled bit permutation. It is expected to sharply increase the performance of cryptographic algorithms, including bit permutations of an arbitrary type. This command is highly promising for various applications, including cryptographic problems and problems in many other areas. It is demonstrated that the presence of such a command in the standard command set of a commercial processor makes some of the suggested hardware ciphers universal and allows for ensuring higher transformation speeds in comparison to known universal ciphers.
This book is intended for a wide community of users, including students,
teachers, engineers, researchers, and IT security professionals. The authors hope
this book will attract the readers’ attention to new interesting problems related to
contemporary cryptography, which are described with orientation to the practical
application.
1 Cryptography in the Information Age

1.1 INFORMATION PROTECTION PROBLEMS IN COMPUTER SYSTEMS

Historically, cryptography has emerged as a response to the requirement of transmitting secret information. For a long time, it was only concerned with designing special methods of information transformation to represent it in a form incomprehensible to a potential opponent. After electronic methods of information processing and transmitting had developed, cryptography’s tasks became more varied. Nowadays, when computer information technologies have become widely applicable, cryptography includes an abundant number of tasks not directly related to making information secret, such as developing digital signature systems, computerized voting systems, coin-tossing protocols, remote user authentication protocols, and protection against creating false messages.

Many of software technology’s actual problems are effectively solved using cryptographic methods. In cryptography, you must assume the existence of a potentially malicious person (an opponent, an enemy’s cryptanalyst, an adversary, an unauthorized user) who is aware of the cryptographic algorithms, protocols and methods used, and tries to compromise them. Compromising a cryptosystem can involve, for example, unauthorized data reading, forging someone else’s signature, modifying voting results, infringing on voting secrecy, or modifying data in a way that won’t be detected by the intended receiver. The opponent’s actions are generally called a cryptographic attack (or simply an attack). One specific feature of cryptography is that it is aimed at developing methods that protect you against any opponent’s actions, but when designing a cryptosystem, it is impossible to foresee the types of attacks that will be invented in the future, due to theoretical and technological advances. The main question is, how reliable is the solution of a certain cryptographic problem? The answer is directly related to estimating the effort required to attack the cryptosystem. As a rule, the solution to this problem is extremely complex and an individual research topic in itself, called cryptanalysis. Cryptography and cryptanalysis comprise a unified scientific area, called cryptology. Currently, these new areas of mathematics have important applications in modern information technologies.
The wide use of computer technologies in data processing and control systems has aggravated the problem of protecting information from unauthorized access. Information protection in computer systems has certain specific features related to the fact that information isn’t rigidly bound to a medium—it can be easily and quickly copied and transmitted over communication channels. There are many known threats to information, and they can be implemented both by inside and outside adversaries.
A radical solution to the problem of protecting information that flows in high-performance computer systems can be obtained using cryptographic methods. In this case, it is important to use fast enciphering algorithms that don’t decrease the performance of the computer or telecommunication systems. Cryptographic data transformations are a flexible and effective tool for providing data privacy, integrity, and authenticity. Using cryptographic methods in combination with technological and organizational methods can protect against a wide range of potential threats.
The demands of modern software technologies have led to the emergence of nontraditional data protection tasks, one of which is information authentication in situations in which the parties exchanging information don’t trust each other—a problem related to the design of digital signature systems. The theoretical foundation of the solution of this problem was the invention of two-key cryptography by American researchers Diffie and Hellman in the mid-1970s, which was a brilliant breakthrough in the centuries-old evolution of cryptography. The revolutionary idea of two-key cryptography led to a drastic growth in public research in this area, and revealed new directions for the development of cryptography and its unique worth in the present context of rapidly developing electronic information technologies.
The technological basis of the transition to an information society is modern microelectronic technology, which provides for a continuous growth in the quality of computers, and in turn is the basis for their main design tendencies:

Decreasing the size and power consumption of the hardware
Increasing the capacity of the random-access memory and built-in and removable disks
Increasing the performance and reliability of computer systems
Expanding the areas for and increasing the intensity of computer use

These trends in computer development have led to a situation in which modern protection of computer systems against unauthorized access requires using software cryptographic protection tools.
As recent practice shows, the use of hardware ciphers has gained popularity. One of the currently central problems in applied cryptography is designing algorithms that will provide a speed of 1500 MBits/sec or more when implemented as inexpensive microcircuits (cryptochips). First, this is related to the wide use of enciphering in commercial TV. Another popular area using cryptochips is mobile telephony. Recently, information security specialists and users have become aware of the need to cryptographically protect information transmitted from video security cameras and other security devices. This area of using cryptography requires that enciphering devices with a low hardware complexity be designed.
One of the important social and ethical problems that arose due to the expanding use of cryptographic data protection methods was the conflict between the users’ desire to protect their information and transmitted messages and the desire of government intelligence services to access companies’ and individuals’ information to prevent illegal activities. In industrial countries, there is a wide range of opinions concerning regulations on the use of enciphering algorithms. The suggestions vary from total prohibition of using cryptographic methods on a large scale, to unlimited freedom in using them. Some proposals only give permission to use weak algorithms, or require the mandatory registration of encryption keys.
It is extremely difficult to solve this problem. How can one estimate the relationship between the losses of law-abiding citizens due to the illegal use of their private information and the losses of the government due to the impossibility of accessing the cryptographically protected information of certain groups trying to conceal criminal activities? How can one ensure that cryptalgorithms will not be used illegally by people who violate other laws? Besides that, there are various other ways to secretly store and transmit information. The answers to these questions have yet to be found by sociologists, psychologists, lawyers, and politicians.
As for research in the area of cryptography that can result in convenient and practically secure algorithms, hindering it doesn’t seem to be reasonable. Law-abiding citizens and organizations should be provided an equal opportunity to protect their information, because otherwise criminals who use cryptographic advances would be in a much better position.
Furthermore, limiting research in the field of cryptography would most likely slow the development of cryptography, but it will by no means prevent criminals from using modern cryptographic methods obtained, for example, from other countries. As a result, law-abiding citizens’ and organizations’ rights will be most seriously infringed upon. In many countries, this problem is fully understood, which has increased the number of industrial countries in which rigid limits on using encryption have been removed.
Regardless of the progress in developing cryptographic methods of data protection, the government can always require by law that all users of ciphers must register their keys (or a necessary portion of key data) with specially organized institutions. In this case, information is controlled, no matter how secure the algorithms used are. This and other issues demonstrate that hindering research in the area of cryptography is not objectively justified. As far back as the early 1970s, the demands of practice in Western industrial countries aroused an interest in cryptography in many researchers in different areas, and gave the impetus to public research in this area, which was previously considered exclusive and was a matter of concern only to intelligence services.
There are a number of examples in which secrecy in the field of cryptography has led to significant failures in producing enciphering devices, and even to falling behind scientific and technological progress. Intensive activities in such a “hot” domain of science created conditions ripe for increasing the quality of cryptographic research, which thus allowed Diffie and Hellman to discover two-key cryptography. Their ideas brought into existence new, nontraditional divisions of cryptography, and made it one of the most rapidly developing trends in modern mathematics. The discovery of two-key cryptography is a vivid example of the interaction between theory and practice, and an example of how politics influences theoretical advances.
Hindering research in the realm of cryptography simplifies some problems for intelligence services. However, the nation as a whole strongly suffers from it, and the negative effect is related to falling behind in designing modern data protection systems, spreading computer crimes, and so forth. Examples are found in global computer networks, such as the Internet, which are revolutionary achievements of computer technologies, but also are playgrounds for a great number of crimes and infringements.
As a result of working in the Internet, the vulnerabilities and shortcomings of traditional administrative and system mechanisms of data protection became clearer. Cryptography presents fundamentally new possibilities in providing information security in computer systems, and nowadays its methods have been widely introduced into global network technologies. It is not the refusal of progress in informatization, but rather the use of modern cryptography advances that has turned out to be the strategically correct decision, verified in practice. The possibility of widely using cryptography in computer networks is a great achievement and a sign of a democratic society.
Knowing the basics of cryptography in an information society cannot objectively be a privilege of individual government services, but is a vital necessity for scientists and engineers who use computer data processing or develop information systems, employees of security departments, and upper management in various organizations and companies. Only this approach can be a basis for introducing and operating high-quality tools for information protection.
A single organization cannot provide sufficient control over information streams within a whole country, and it cannot provide proper protection for national distributed information resources. However, certain government organizations can create conditions that allow a market of high-quality protection tools to emerge, a sufficient number of specialists to be trained, and “common users” to be taught the basics of data protection and cryptography.
In the early 1990s, in Russia and the countries of the former Soviet Union, there was a distinct trend in which the intensity and propagation of the use of information technologies was getting ahead of the development of data protection systems. This situation, to some extent, is typical for certain industrial countries. This is a natural order: first, practical problems must emerge, and then their solutions will be found. The turning point in the situation of the late 1980s, when the countries of the former Soviet Union were falling behind in the domain of informatization, created fertile ground for overcoming the aforementioned trend. The example of the industrial countries and the possibility of purchasing system software and computers encouraged Russian users. A wide range of users concerned with online data processing and other advantages of modern computer systems were involved in solving the problem of expanding computer technologies, which led to a very high rate of development in this area in Russia and the other countries of the former Soviet Union. However, the natural joint development of information processing tools and information protecting tools was broken, which was the cause of abundant computer crimes. It’s no secret that these crimes have now become an urgent problem.
Using foreign protection tools can’t correct this imbalance, because software products of this type available in the Russian market don’t satisfy modern requirements due to the export limitations adopted in the U.S., the main vendor of data protection tools. Another issue of prime importance is that software products of this type are subject to an established certification procedure in authorized organizations. Checking encryption algorithms, software, and hardware for various bugs and viruses is an extremely labor-consuming task. Recent investigations by cryptographers revealed that it is possible to design trapdoor encryption algorithms, these trapdoors being practically impossible to detect in a reasonable time, even by high-class specialists.
Certificates given by foreign companies and organizations cannot be a substitute for national ones. Just the fact of using foreign system and application software in crucial areas creates a threat for information resources. Using foreign protection tools without proper analysis of their correspondence to the functions performed and the security level provided can drastically complicate the situation.
Speeding up the informatization process requires that users be adequately provided with protection tools. An insufficient supply of tools that protect the information in computer systems in the internal market hampers top-quality data protection on the necessary scale for a long time. The situation is aggravated by the lack of a sufficient number of data protection specialists, because such professionals are usually only trained to work in intelligence services. The restructuring of these intelligence organizations caused by the processes taking place in Russia has led to independent firms that specialize in data protection absorbing the available staff. As a result, there arose competition, which produced a sufficiently large number of certified Russian-produced data protection tools.
One of the important features of the wide use of information technologies is that an effective solution of the problem of protecting national information resources requires distributing data protection measures to all users. Information must first be protected where it is created, gathered, and processed, and by the organizations that would suffer from unauthorized access to their data. This principle is both reasonable and effective: protecting individual organizations’ interests is the basis of protecting national interests as a whole.

1.2 PROBLEMS IN CRYPTOGRAPHY

The word cryptography, taken from Greek, means “secret writing,” which well re-
flects its original purpose. Cryptographic methods that seem primitive from the
modern viewpoint have been known since antiquity, and have long been treated as
puzzles rather than as a strict branch of science. The classical cryptographic task is
to provide for a reversible transformation of an understandable plaintext (original
text) to a seemingly random character sequence called a ciphertext or a cryptogram.
The ciphertext can contain both new characters and those present in the original
message. Generally, the number of characters in a cryptogram and the number in
Cryptography in the Information Age 7

the plaintext may differ. A mandatory requirement is the possibility of uniquely


and fully restoring the plaintext by simply performing some logical operations with
the characters of the ciphertext. In old times, the security of the information was
determined by how well the transformation method was kept secret.
However, a secret algorithm alone cannot provide absolute security, that is, the
impossibility of reading a cryptogram by an opponent possessing infinite computing
resources. Because secret algorithms aren’t available for large-scale cryptanalytical
research, there is a much higher probability, compared to public algorithms, that
vulnerabilities in secret algorithms will be found, and with them effective ways of
breaking them. In addition, public algorithms that have undergone long-term testing
and discussion in the public cryptographic literature are more widely used nowadays.

1.2.1 Traditional Cryptography Issues


The security of modern cryptosystems is not based on the secrecy of the algorithm,
but on the secrecy of a relatively small amount of information, called a secret key.
The key is used to control the process of cryptographic transformation (ciphering),
and it is an easily changeable element of a cryptosystem. Users can change the key
at any time, whereas the ciphering algorithm itself is a constant element of the
cryptosystem, and it is the result of long-term research and testing.
Other things being equal, the lack of comprehensive information on the ciphering
algorithm (provided it is implemented properly) significantly hampers any
cryptanalytical attack. This is why modern ciphers in which the ciphering algorithm
itself is a pseudo-random, changeable element were proposed. The information
about the overall structure of such cryptosystems is available, thus making it
possible to estimate their security as a whole. Such ciphers are implemented as
flexible cryptosystems, in which the algorithm used in a ciphering session is created
according to a special initializing algorithm. This latter algorithm is public, whereas
the algorithm actually used is unknown and depends on the user’s secret key.
Many ages have passed, during which cryptography was mostly the occupation
of the elite—priests, kings, military leaders, and diplomats. Although uncommon,
cryptographic methods of breaking the opponent’s ciphers had a significant influ-
ence on the results of important historical events. There are many examples where
overestimating ciphering methods led to military and diplomatic losses. Despite
using cryptographic methods in important areas, the occasional usage of cryptog-
raphy didn’t have anywhere near the importance it now has in modern society.
Cryptography owes the fact that it has turned into a scientific discipline to practi-
cal demands and the development of electronic information technologies.
In the 19th century, a significant interest in cryptography led to further devel-
opment in connection with emerging electrical means of communication. In the
20th century, the intelligence services of most industrial countries began to regard
it as an essential tool for their activities.
When speaking about the historic aspects of scientific research in cryptography,
we must mention the fact that the whole period from ancient times to 1949 can be
called pre-scientific, since methods of making written information private had no
strict mathematical grounds. The turning point that made cryptography scientific
and set it off as an individual branch of mathematics was the publication of C. E.
Shannon’s article “Communication Theory of Secrecy Systems” in 1949. This work
was the basis for the emergence of one-key symmetric cryptosystems, in which it was
necessary to exchange secret keys between the correspondents. Later, due to some
peculiarities of their design, symmetrical ciphers were divided into two cryptosys-
tems: stream ciphers and block ciphers. A distinguishing feature of the former is that
individual characters in the input data stream are converted, whereas the latter
converts whole blocks of data.
A fundamental conclusion in Shannon’s work was that the reliability of an algo-
rithm depends on the size and quality of the secret key, and on the informational
redundancy of the original text. Shannon introduced the formal definition of infor-
mation and a key’s unreliability as a function of the number of known bits in the
ciphertext. Furthermore, he introduced the important notion of unicity distance as the min-
imum text size for which only one decryption of an original text is possible. He showed
that the unicity distance is in direct proportion to the key length and in inverse pro-
portion to the redundancy of the original text. One result of Shannon’s work was
proof of the possibility of perfectly secure ciphers, such as Vernam’s cryptosystem.
Another fundamental impetus in the development of cryptography was the
publication of Diffie and Hellman’s article “New Directions in Cryptography” in
1976. In this work, it was shown for the first time that information secrecy can be
provided without exchanging secret keys. This was the beginning of the epoch of
two-key asymmetric cryptosystems, which are manifest in digital signature systems,
online secret voting, protection against false message creation, computerized coin-
tossing, remote user identification and authentication, and other systems.
Over the past few years, due to the progress in electronic technologies, a num-
ber of theoretical works have appeared in the area of quantum cryptography, based
on Heisenberg’s uncertainty principle.
In parallel with the development of cryptographic systems, methods have been
developed that make it possible to restore an original message based on the cipher-
text and other known information. These methods are collectively known as crypt-
analysis. Advances in cryptanalysis have led to tightening the requirements on
cryptographic algorithms. The reliability of cryptosystems has always been of fun-
damental importance. This problem has been treated differently throughout the
history of cryptography.
The Dutch cryptographer Kerckhoffs (1835–1903) was the first to formulate the
cipher security rule, according to which the complete transformation mechanism is
assumed to be known to the opponent, and the security of an algorithm can only
be determined by the unknown value of a secret key. This means that an opponent
has no way of unlocking the protection, or of finding the true key, in a time signif-
icantly shorter than the time it would take to try every possible secret key.
Apparently, one of the tasks in estimating a cipher’s security, according to
Kerckhoffs, is testing cryptosystems under conditions more favorable for attacks than
the conditions under which a potential violator usually acts. Kerckhoffs’ principle
stimulated the emergence of higher-quality ciphering algorithms. One could say
that here we have the first element of cryptography standardization, since it as-
sumes the development of public methods of transformation. At present, this rule
is interpreted more widely: it is assumed that all persistent elements of a security
system are known to the potential opponent. This last definition of a cryptosystem
includes security systems as a special case. The extended interpretation of Kerck-
hoffs’ principle assumes that all elements of a cryptosystem are divided into two
categories—constant and easily changeable. Constant elements are those related to
the cryptosystem structure, and can only be changed by specialists. Easily change-
able elements of a cryptosystem are those intended for frequent modification in ac-
cordance with a specified procedure. For example, the easily changeable elements
of a cipher are the secret key, the password, the identifier, and so forth. Kerckhoffs’
principle reflects the fact that the required secrecy level must be achieved only by
using the secret easily changeable elements of the cipher.
According to modern requirements posed on cryptosystems with a secret key
of a limited size (128–256 bits), such ciphers must be secure when facing a crypt-
analysis based on a known algorithm, a great amount of plaintext, and its
corresponding ciphertext. Despite these general requirements, ciphers used by
intelligence organizations are usually kept secret. This is due to the necessity of
having an additional safety margin to protect secret information, since creating
cryptosystems with provable security is nowadays a developing theory, and a rather
complex problem. To avoid any possible weaknesses, a ciphering algorithm can be
built on the basis of much-studied and approved principles and methods of trans-
formation. Currently, no serious user will rely on simply keeping his algorithm
secret, since it is extremely difficult to guarantee that information about the algo-
rithm will remain unknown to a potential attacker.
Proving the reliability of systems being used is done both theoretically and
experimentally, by modeling cryptattacks with the help of a team of experienced
specialists to whom much more favorable conditions are given than the conditions
under which the cryptalgorithm will actually be used. For example, the cryptana-
lysts are provided not only with a ciphertext and a transformation algorithm, but
also with an original text or some part of it, several independent ciphertexts
obtained using the same key, or ciphertexts obtained from the given plaintext using
different keys. The security of the tested cryptosystem is estimated against all
known cryptanalytical methods, and ways of breaking the system are invented if
possible. If the cryptosystem appears secure, it is recommended for actual use.
Modern cryptanalysis considers attacks on encrypting systems based on the
following known data:

Ciphertext
Plaintext and its corresponding ciphertext
Chosen plaintext
Chosen ciphertext
Adapted plaintext
Adapted ciphertext

Additionally, some attacks use:

Hardware faults
Power consumption measurements
Calculation time measurements

We detailed the types of attacks on cryptosystems designed to cipher data for
protecting against unauthorized reading. As for other kinds of cryptosystems, there
are a number of other attacks that will be discussed later. In the case of known
ciphertext cryptanalysis, it is assumed that the opponent knows the ciphering mech-
anism, and that only the ciphertext is available to him. This assumption corre-
sponds to the model of an external interceptor who has physical access to the
communication line, but doesn’t access the enciphering/deciphering device.
With known plaintext cryptanalysis, it is assumed that the cryptanalyst knows the
ciphertext and a portion of the original text, and in special cases knows the corre-
spondence between the ciphertext and the original text. The possibility of such an
attack arises when the documents being enciphered are prepared according to stan-
dard forms, under conditions in which certain data blocks are known and repeated. In
some modern tools intended for protecting information circulating over computer
systems, the total ciphering mode is used, in which all information on the hard disk is
written down as a ciphertext, including the main boot record, the boot sector, system
programs, and so forth. If this hard disk (or the computer) is stolen, it will be easy to
determine which part of the cryptogram corresponds to the standard system informa-
tion, and obtain the bulk of a known original text to perform a cryptanalysis.
In chosen plaintext cryptanalysis, it is assumed that the cryptanalyst can enter a
specially chosen text into the enciphering device and get a cryptogram created
under the control of the secret key. This corresponds to the inside adversary model.
In practice, this situation emerges when an attack on the cipher involves people
who don’t know the secret key, but, according to their given rights, can use the en-
ciphering device to encrypt transmitted messages. To perform such an attack,
lower-level employees can also be involved, who can prepare document forms,
electronic spreadsheets, and so forth.
Chosen ciphertext cryptanalysis assumes that the opponent can use ciphertexts
created by him or her for deciphering. The texts were specially chosen to most easily
compute the secret key from texts obtained at the output of the deciphering device.
Adapted text cryptanalysis corresponds to a case in which the attacker repeat-
edly submits texts for encryption (or decryption), with each new portion being
chosen depending on previously obtained cryptanalysis results. This kind of attack
is the one most favorable for the opponent.
Currently, the most powerful kinds of attacks based on chosen or adapted texts
are differential cryptanalysis (DCA) and linear cryptanalysis (LCA), along with some
methods derived from them.
When testing new cryptosystems, of special interest are attacks based on a
known secret key, or an extended (working) key. We’ll make a distinction between
a secret key and a working key because the secret key isn’t necessarily used in trans-
forming a text being encrypted, but is often just used to create an extended key,
which is what is actually used in enciphering. There are ciphers (such as the GOST
block cipher) in which the secret key is used directly when enciphering data; in
other words, the secret key is also the working key. Obviously, the extended key is
a secret element. When carrying out a cryptanalysis based on known elements of
the key (whether secret or extended), it is assumed that the cryptanalyst
possesses some information about a part of the working key. The larger the known
portion of the key for which the cipher still remains secure (that is, for which the
known part still doesn’t provide enough information to uniquely determine the
plaintext), the less concern there will be over the cipher in actual attack conditions,
where the attacker doesn’t know the key but attempts to restore its elements. When
comparing two ciphers, the one that better meets this criterion should be chosen.
One of the current trends in designing fast software-oriented ciphers is to have
the ciphering algorithm depend on the secret key. In such cryptosystems, a certain
ciphering algorithm is known to the attacker, and it is changed simultaneously
when the secret key is changed. Such ciphers are called non-deterministic or flexible
ciphers. When testing flexible ciphers, it seems reasonable to analyze their security
against attacks based on a chosen modification of the enciphering algorithm.
In this kind of cryptanalysis, the attacker has the possibility of choosing the weak-
est (in his opinion) modification of the cryptalgorithm among those that can be
implemented. Cryptanalysis is then carried out for the chosen algorithm modifica-
tion based on specially selected texts; a variant of the attack with a partially known
ciphering key is also conceivable. If the cryptanalyst fails to find a weak
modification of the cryptalgorithm, the flexible cipher in question can be called
secure.

1.2.2 Modern Applications


The importance of cryptography goes far beyond providing data secrecy. As data
transmission and processing become more automated, and the information flow
becomes more intense, cryptographic methods gain greater importance. New in-
formation technologies are founded on two-key cryptography, which makes it pos-
sible to implement protocols that assume the secret key is only known to a single
user—in other words, protocols oriented toward the mutual distrust of the inter-
acting parties. Here are the main applications of modern cryptography:

Protection against unauthorized reading (or providing information privacy)
Protection against creating false messages (both intentional and unpremeditated)
Valid user authentication
Information integrity control
Information authentication
Digital signatures
Computerized secret voting
Digital cash
Computerized coin-tossing
Protection against the repudiation of the receipt of a message
Simultaneous contract signing
Protection against document forgery

The first application was discussed previously. We’ll now briefly explain the
other uses for cryptography. Data ciphering itself isn’t sufficient to protect against
creating false messages, but in many cases a valid receiver can easily detect that a
cryptogram has been modified or substituted; for example, while being transmitted
over the communication line. This can be done by analyzing the semantics of the
message. However, when digital data are distorted, and in some other cases, it is
extremely difficult to detect the fact that the data has been distorted judging by just
semantics. One of the methods of protection against creating false messages by
intentional or accidental ciphertext tainting is a message integrity check. Message
integrity check is a notion related to protecting against creating false messages by
generating some special additional information, depending on the secret key. This
information is called the message integrity detection code, and is transmitted with the
cryptogram. To compute the message integrity detection code, an algorithm is used
that specifies how the message integrity detection code depends on each bit of the
message. Here, two variants are possible: computing the message integrity detection
code from the plaintext, and computing the message integrity detection code from
the ciphertext. The longer the message integrity detection code, the higher the
probability that ciphertext distortion will be detected by the authorized (valid) re-
ceiver. An opponent can modify the ciphertext, but since he doesn’t know the secret
key, the new value of the message integrity detection code that corresponds to the
modified message can’t be computed. The opponent either doesn’t change the mes-
sage integrity detection code, or replaces it with a random value. If the algorithm
used for the message integrity detection code computation has good cryptographic
properties, the probability that the modification won’t be detected by the valid user
is P = 2^–n, where n is the length of the message integrity detection code in bits.
Valid user authentication involves user recognition, after which the users are
provided with certain access permissions to the resources of computational and
automated information systems. Authentication is based on the fact that valid users
possess some information unknown to outsiders. A special case of the authenti-
cation procedure is password protection of logging in to a computer system. For
example, the user generates some random information and uses it as a password,
while keeping it secret. The password isn’t explicitly stored in the memory of a
computer or other device used to perform authentication. This requirement is
aimed at preventing a possible inside adversary from reading a user’s password and
misappropriating the user’s authorization. For a security system to be able to iden-
tify valid (authorized) users, the images of their passwords, which were computed
according to a special cryptographic algorithm that implements a so-called one-
way function—y = F(x)—are stored in the computer’s memory. The main re-
quirement to this function is that the complexity of computing its value from an
argument be low, but the complexity of computing the argument from a function
value be high (for example, it should be impossible to do in 10 years, provided all
the computational resources of humanity are used).
User authentication on a workstation can be carried out in the following way:

1. The security system asks for an identifier.
2. The user enters his or her identifier (username) NAME.
3. The security system asks for a password.
4. The user enters his or her password P.
5. The system computes the value of the one-way function y corresponding to
the argument value x = P.
6. The security system compares the F(P) value with the password image
value (S) that relates the user to the NAME identifier.
If F(P) = S, the security system gives the user the access rights (authorization)
corresponding to the NAME identifier. Otherwise, an attempt at unauthorized ac-
cess is registered in the user log. To pretend to be an authorized user, an intruder
has to enter a valid password. It is computationally impossible to find the P pass-
word from the S image. If the security system is provided with mechanisms pre-
venting the interception of a password by introducing software viruses or hardware
bugs, or with induced electromagnetic radiation, or through an acoustic or optic
channel, this user authentication method provides high-level protection against
the misappropriation of someone else’s access rights.
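The six-step login procedure above, written out as an added example (this is not code from the book). SHA-256 stands in for the one-way function F, the password-image table entries are constructed for the demonstration, and the constant-time comparison is a defensive detail the text does not mention.

```python
import hashlib
import hmac
import secrets

# The text's one-way function y = F(x). SHA-256 is an assumption of this example;
# the book does not name a specific F.
def F(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

# Table of password images: NAME -> S = F(P). The plaintext password P is never
# stored, so an inside adversary who reads the table learns only the images.
image_table = {}

def generate_password(nbytes: int = 16) -> str:
    """The user generates random information and uses it as the password."""
    return secrets.token_hex(nbytes)

def register(name: str, password: str) -> None:
    """Freeze the image S = F(P) for NAME; P itself is discarded."""
    image_table[name] = F(password.encode())

def authenticate(name: str, password: str) -> bool:
    """Steps 5 and 6: compute y = F(P) and compare it with the stored image S."""
    y = F(password.encode())
    s = image_table.get(name)
    if s is None:
        # Unknown NAME: still perform a comparison so the response time does
        # not reveal which identifiers exist (a defensive extra, not in the text).
        hmac.compare_digest(y, F(b"no such user"))
        return False
    # compare_digest runs in constant time, so a wrong password is rejected
    # without leaking how many leading bytes of F(P) matched S.
    return hmac.compare_digest(y, s)

if __name__ == "__main__":
    p = generate_password()
    register("NAME", p)
    print("stored image S:", image_table["NAME"].hex())
    print("login with P:  ", authenticate("NAME", p))         # True
    print("login with P': ", authenticate("NAME", p + "x"))   # False
```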
This example concerns user authentication on a workstation; in other words,
logging in to a computer. For mutual authentication of remote workstations, it is
important to assume that an eavesdropper is listening in on the communication
line, and, therefore, the described authentication method is unsuitable, because
password transmission via an unsecure channel is unacceptable. Remote worksta-
tion authentication can be done according to the following procedure, using the
E enciphering algorithm and the K secret key shared by remote stations A and B:

1. The A workstation sends a request for connection to the B workstation.
2. The B workstation sends A a random number R.
3. The A workstation encrypts R with the K secret key, thus obtaining the
C_a = E_K(R) ciphertext, and sends B the value C_a.
4. The B workstation computes C_b = E_K(R) and compares C_b with C_a. If
C_b = C_a, it concludes that the request for connection was sent by the
A workstation; otherwise, it hangs up.

Only one who knows the secret key can correctly encrypt a random text. If a
violator intercepts correct cryptograms of random numbers with a key length of no
less than 64 bits, he won’t encounter two equal numbers in any reasonable amount
of time. Therefore, he won’t be able to replace a previously intercepted correct
cryptogram. In this scheme, a LAN server can take on the B workstation’s role.
We’d like to note that this scheme allows the B workstation to make sure the con-
nection is established to the A workstation. However, the A workstation can face a
similar problem authenticating the B workstation. In this case, a similar authenti-
cation procedure is carried out to let A authenticate B. Such a scheme of mutual
recognition by two remote parties (workstations) is called a handshake protocol.
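The handshake protocol above, as an added example (not the book's code), carried through in both directions so that A and B authenticate each other. Because the Python standard library has no block cipher, HMAC-SHA256 is substituted for the keyed transformation E_K; that substitution, the station names, and the one-use bookkeeping of issued challenges are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# E_K in the text is a block cipher keyed with the shared secret K. This example
# substitutes HMAC-SHA256 for E_K(R); the substitution is an assumption.
def E(K: bytes, R: bytes) -> bytes:
    return hmac.new(K, R, hashlib.sha256).digest()

class Station:
    """A workstation (or LAN server) holding the shared secret key K."""

    def __init__(self, name: str, K: bytes) -> None:
        self.name = name
        self.K = K
        self.outstanding = set()   # challenges issued and not yet answered

    def challenge(self) -> bytes:
        # Step 2: a fresh random number R. With 64 bits, an eavesdropper will
        # not see the same R twice in any reasonable time, so a recorded C_a
        # cannot be replayed against a later challenge.
        R = secrets.token_bytes(8)
        self.outstanding.add(R)
        return R

    def respond(self, R: bytes) -> bytes:
        # Step 3: C_a = E_K(R).
        return E(self.K, R)

    def verify(self, R: bytes, C_a: bytes) -> bool:
        # Step 4: compute C_b = E_K(R) and compare it with the received C_a.
        if R not in self.outstanding:
            return False             # R was never issued, or was already used
        self.outstanding.discard(R)  # a challenge can be answered only once
        C_b = E(self.K, R)
        return hmac.compare_digest(C_a, C_b)

def handshake(a: Station, b: Station) -> bool:
    """Mutual recognition: B authenticates A (steps 1-4), then A authenticates B."""
    R1 = b.challenge()                 # A requests a connection, B challenges
    if not b.verify(R1, a.respond(R1)):
        return False                   # B hangs up
    R2 = a.challenge()                 # the same procedure in the other direction
    return a.verify(R2, b.respond(R2))

if __name__ == "__main__":
    K = secrets.token_bytes(16)        # constructed shared key
    print("A <-> B:", handshake(Station("A", K), Station("B", K)))   # True
    print("A <-> X:", handshake(Station("A", K), Station("X", bytes(16))))  # False
```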
Information integrity control means detecting any unauthorized modification of
information stored in a computer, such as data or programs. In fact, a message in-
tegrity check is an important special case of the integrity control of information
transmitted as a ciphertext. In practice, you often need to make sure that some pro-
grams, initial data, or databases haven’t been modified by some unauthorized
method when the data themselves aren’t secret and are stored in public. Informa-
tion integrity control is founded on using a cryptographic scheme to build a mod-
ification detecting code (MDC) that has a much smaller size than the information
being protected against modifications. The basic requirement of the MDC com-
puting algorithm is to specify how the MDC’s value will depend on each binary rep-
resentation bit of all the characters in the original text.
Checking that the information corresponds to its reference state (information
integrity control) is done as follows. When freezing a reference state, say, of the
FILE.EXE program, the MDC value that corresponds to this file is computed. The
value obtained is written in a table that will be used for every check of information
integrity. Suppose that the FILE.EXE program controls a complex and important
technological process, and its failure can lead to downtimes that result in financial
losses. If this is the case, it makes sense to check its integrity before every start. To
do so, we compute the MDC and compare it to the corresponding value stored in
the code table. This method is effective for detecting occasional data distortions.
This scheme of data integrity control isn’t suitable when information is modi-
fied intentionally, since a violator can get around it. He can change the data at will,
compute the new MDC value for the modified data, and substitute this value in the
code table for the reference one (which corresponds to the reference state of the
data). To prevent such an attack, you’ll have to use one of the following additional
techniques:

Use a secret algorithm to compute the MDC.
Use an MDC computing algorithm with a secret key that determines the MDC
value.
Keep the code table in a protected memory area or on portable media, access to
which is controlled by organizational arrangements.

In the first case, it is difficult to keep the algorithm secret, since it is a constant
element of the cryptosystem. The third case requires significant effort in order to
provide organizational arrangements. The second variant is probably the best.
However, all three cases still require protection against spy programs.
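The code-table scheme and the violator's substitution attack, as an added example (not the book's code), run once with a plain MDC and once with the second variant, an MDC that depends on a secret key. SHA-256 and HMAC-SHA256 are this example's choices of checksumming algorithm, and the FILE.EXE contents are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the bytes of the FILE.EXE program from the text.
FILE_EXE = b"MZ\x90\x00 constructed control program: set_pressure(12)"

def mdc_unkeyed(data: bytes) -> bytes:
    """MDC as a plain checksum over every bit of the data; anyone can recompute it."""
    return hashlib.sha256(data).digest()

def mdc_keyed(key: bytes, data: bytes) -> bytes:
    """Second variant from the text: the MDC value depends on a secret key.
    HMAC-SHA256 is this example's keyed algorithm (an assumption). With an n-bit
    code, a random replacement value passes with probability 2^-n (n = 256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def freeze_reference(data: bytes, key: Optional[bytes] = None) -> bytes:
    """Compute the MDC of the reference state for the code table."""
    return mdc_keyed(key, data) if key is not None else mdc_unkeyed(data)

def check_integrity(data: bytes, reference: bytes, key: Optional[bytes] = None) -> bool:
    """The check made before every start: recompute the MDC and compare it with the table."""
    return hmac.compare_digest(freeze_reference(data, key), reference)

def violator_attack(data: bytes, code_table: dict, name: str) -> bytes:
    """The attack the text describes: modify the data, recompute the MDC and
    overwrite the table entry. Without the secret key, the best value the
    violator can compute is the unkeyed one."""
    modified = data.replace(b"set_pressure(12)", b"set_pressure(99)")
    code_table[name] = mdc_unkeyed(modified)
    return modified

def modification_undetected(use_key: bool) -> bool:
    """Run the scenario; True means the tampered program passes the check."""
    key = b"constructed-secret-key-held-by-the-checker" if use_key else None
    code_table = {"FILE.EXE": freeze_reference(FILE_EXE, key)}
    tampered = violator_attack(FILE_EXE, code_table, "FILE.EXE")
    return check_integrity(tampered, code_table["FILE.EXE"], key)

if __name__ == "__main__":
    print("plain MDC, tampering undetected:", modification_undetected(False))  # True
    print("keyed MDC, tampering undetected:", modification_undetected(True))   # False
```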
Methods used for integrity control must ensure that the probability of inten-
tional or occasional data modification that will not affect the code’s representation
is extremely small. Here, the task of cryptanalysis is to study the weaknesses of the
MDC generating algorithm and modify the original information so that the control
code doesn’t change. MDC computing algorithms are called checksumming algo-
rithms, and the generated value is called a checksum. In modern cryptographic
protocols and systems, hash functions, which are a special case of checksumming
algorithms, are of great importance.
Information authentication is an action performed by an authorized receiver to
establish the fact that a received message was sent by an authorized sender. Follow-
ing a previously agreed protocol (a set of rules and procedures) should provide the
maximum probability of this. Obviously, this also includes integrity checks to avoid
replacement or distortion of the message. The accepted protocol must provide for
counteractions against an opponent using previously sent messages. In symmetric
cryptosystems, authentication is performed using one or more secret keys and
checksums. In asymmetric cryptosystems, authentication is performed using pub-
lic keys. For this to be possible, when public keys are distributed, they are authen-
ticated using organizational arrangements.
The problem of open key authentication explicitly appeared as a fundamental
cryptographic problem as soon as public-key cryptography (two-key asymmetrical
cryptography) was invented in the mid-1970s. Public-key cryptography provided a
very convenient solution to the secret key distribution problem, but using it re-
quires performing a public key authentication procedure. It should be mentioned
that the key authentication problem wasn’t caused by two-key cryptography; it has
always implicitly existed in secret key cryptography. Indeed, when distributing
secret keys via a secure channel, their authentication is done at the same time. For
example, when receiving a sealed package with a secret key inside, the receiver
checks to make sure the package and the seal aren’t damaged.
While Shannon’s work “Communication Theory of Secrecy Systems” laid the
foundation for cryptology to become a science, the invention of two-key cryptog-
raphy marked the shift to a radically new stage of its development. This became the
basis for the exhaustive solution to such problems as information authentication
and creating digital signature systems that were to legalize documents and other
messages transmitted in electronic form.
Digital signature (DS) is based on two-key cryptographic algorithms that in-
volve using two keys—one public and one private. The idea of using a public key
(i.e., a key known to all users of a cryptosystem, including a potential attacker) is
fundamental, and so two-key cryptosystems are also called public ciphers, and the
transformations performed are called public ciphering. Two-key cryptalgorithms
make it possible to provide strict proof as to whether a certain message has been
composed by certain subscribers (users) of the cryptosystem. The proof is based on
the fact that two-key cryptosystems operate under conditions in which the user
doesn’t have to tell his private key to anyone else. The fact of using a private key
when generating a digital signature on a particular electronic document is verified
with a public key. Knowledge of the public key doesn’t make it possible to generate
the correct digital signature. Thus, the responsibility for keeping the private key and
for observing the rules of using it is wholly on the owner of this key. The private key
makes it possible to compose a message with a special internal structure related to
the document being signed and the public key. The fact that the message structure
was built with the private key is verified with the public key, a procedure called dig-
ital signature verification. The probability that a message composed by an intruder
could be mistaken for a message signed by a subscriber to the DS system is ex-
tremely low—say, 10^–30.
Thus, the DS verification procedure using a public key makes it possible to state
with a high degree of assurance that a received message was composed by the owner
of the private key. The public key is derived from the private key, or both are
simultaneously generated according to special procedures, computing the private
key from the public key being a computationally complex mathematical problem.
Computationally complex (hard-to-solve) problems definitely have a solution,
but finding it requires an extremely large number of computational operations
(performed by a computer or other device). The number must be large enough so
that using all the computational resources that might be involved in the process
won’t make it possible to find the solution with a significant probability (say, 0.001)
in a reasonable time (decades, centuries, millennia, etc.). The average number of
operations required to find the solution with the help of the best algorithm is used
as a quantitative measure of the complexity of a hard problem. The problem of
estimating the complexity is itself difficult because the complexity depends on the
algorithm used to solve the problem. In general, different complexity values are
obtained for different algorithms. Given a particular hard problem, it is difficult to
prove that the minimum-effort algorithm has been found (in other words, the best
algorithm). Using two-key ciphers is based on the assumption that hard problems
do exist—problems for which no solution can be achieved with comparatively little
effort.
Based on two-key cryptographic algorithms, computerized secret voting systems
use a blind signature mechanism, which makes it possible to sign a message with-
out knowing its contents. Various methods of computerized secret voting are very
promising when it comes to improving political systems in modern societies with
an advanced information infrastructure.
A blind signature protocol makes it possible to build various digital cash systems.
The difference between digital cash and payments using DS is that the former ensures
the purchaser’s secrecy. Also of social interest are computerized coin-tossing systems,
a variant of which is playing poker by telephone. In a broader approach, computer-
ized gambling houses can be opened, in which protection against cheating will be
guaranteed on a higher level than in conventional gambling houses.
Let’s consider the simplest variant of computerized coin tossing. Suppose A and
B are telephone subscribers who wish to play chess by telephone. They want to
fairly decide who gets to be white; in other words, to provide an equal probability
of the white color being selected for either player. Cryptography allows them to
implement such coin tossing according to the following procedure, in which the
y = F(x) one-way function is used. It is stipulated that the player who guesses the
result of an experiment with two equally probable results will move first.

1. Player A chooses a random value—xa—whose binary representation is,
say, 80 bits long, computes the ya = F(xa) value, and tells B the ya value
(B must guess whether xa is odd or even).
2. Because the function used is one-way, B cannot compute xa from ya, so he
has to guess whether xa is even or odd. Let’s say that B guesses that it is even
and tells A this.
3. A tells B the number xa.
4. Player B computes the value of y = F(xa). If y = ya, he is convinced
that his partner actually did provide the initially chosen number for
verification.
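The four steps above, worked through in Python as an added example (not the book’s code). SHA-256 stands in for the one-way function F, an assumption, since the book names no particular F; the 80-bit length of xa is the book’s, and the step-4 check rejects a reveal that does not match the commitment.

```python
import hashlib
import secrets

X_BITS = 80                 # the book's x_a is an 80-bit random value
X_BYTES = X_BITS // 8


def F(x):
    """y = F(x). SHA-256 stands in for the one-way function (an assumption).
    With 80 random bits in x, B cannot enumerate candidates to learn the parity."""
    return hashlib.sha256(x.to_bytes(X_BYTES, "big")).digest()


def step1_commit(x_a=None):
    """Step 1: A chooses x_a and computes y_a = F(x_a). Only y_a is sent to B."""
    if x_a is None:
        x_a = secrets.randbits(X_BITS)
    return x_a, F(x_a)


def step2_guess(guess_even=None):
    """Step 2: B cannot recover x_a from y_a, so B simply guesses its parity."""
    if guess_even is None:
        guess_even = bool(secrets.randbits(1))
    return guess_even


def step4_verify(x_a, y_a):
    """Step 4: B recomputes F(x_a) from the revealed number and compares it with
    the y_a received in step 1. A mismatch means A changed the number after
    hearing B's guess."""
    return F(x_a) == y_a


def b_guessed_right(x_a, guess_even):
    return (x_a % 2 == 0) == guess_even


def toss(x_a=None, guess_even=None):
    """Run steps 1-4 and return the transcript plus who moves first.
    x_a and guess_even may be fixed for reproducibility; by default both are random."""
    x_a, y_a = step1_commit(x_a)              # step 1: A -> B : y_a
    guess_even = step2_guess(guess_even)      # step 2: B -> A : "even" / "odd"
    # step 3: A -> B : x_a  (the reveal)
    if not step4_verify(x_a, y_a):            # step 4: B checks the reveal
        raise ValueError("reveal does not match the commitment: A cheated")
    return {
        "y_a": y_a.hex(),
        "x_a": x_a,
        "b_guessed_even": guess_even,
        "first_move": "B" if b_guessed_right(x_a, guess_even) else "A",
    }


def cheating_reveal_detected(x_a):
    """Why the commitment matters: after hearing B's guess, A tries to reveal
    x_a XOR 1 (same length, opposite parity). B's step-4 check rejects it."""
    _, y_a = step1_commit(x_a)
    forged = x_a ^ 1
    return not step4_verify(forged, y_a)


if __name__ == "__main__":
    print(toss())
```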

If the result of the coin tossing is not to decide the color selection in an amateur
chess game, but to deal cards when playing poker for money by telephone (dealing
cards by telephone is only technically more complex), a DS system can be addi-
tionally provided to sign all messages concerning dealing cards and making bets by
telephone.
As an example of how computerized coin tossing can be economically justified,
consider it being used in world (European, etc.) soccer (basketball, volleyball, etc.)
championships. To make traditional lot-casting decisions, representatives of par-
ticipant teams and international sport organizations periodically come together at
the same place, spending a lot of time and money. If this procedure is replaced with
computerized coin tossing, time will be saved, and expenses will be kept to a min-
imum. Other examples of using coin tossing are organizing lotteries and fairly dis-
tributing limited resources.
Cryptographic protection against document forgery is the most reliable modern
method of preventing the forgery of documents, and so forth. It is based on the mi-
crostructural uniqueness of a particular physical medium. Given the appropriate
equipment (such as a high-resolution scanner to analyze the paper), it is possible to
reveal unique structural peculiarities of every piece from the same “factory lot.”
Cryptographic protection against forgery is done as follows. The unique peculiari-
ties of the particular medium are scanned, and a digital passport is created, which
includes the document’s contents and information about the paper’s (etc.) mi-
crostructure. Then, the legitimate document issuer uses his (or its) private key to
generate a digital signature for the passport, and writes the passport and the corre-
sponding digital signature to the medium.
Validation of the document is done by scanning the microstructure of the
medium on which the document is issued, reading the information it contains, and
verifying the digital signature of the issuer using a public key that was published,
say, in a number of official publications, or distributed through official channels.
Forgery of the document on another physical medium, or modification of the doc-
ument’s contents (or its digital passport), is impossible without knowing the pri-
vate key used to generate the digital signature. Any forgery will be detected by
reading the digital passport and digital signature, comparing the passport with the
document’s contents, and verifying the digital signature with the public key (as-
suming this method of protection against document forgery uses a cryptographi-
cally secure digital signature system).

1.2.3 Information Protection Technology


When developing a computer security system for general use, the topic of protect-
ing information technologically becomes imperative. One peculiarity of this prob-
lem is that it is necessary to build a security system that allows the user to configure
it according to specific operational conditions.
The best opportunities to launch an attack on a computer system (CS) are
available to valid users who are technically involved in the operational process, and
who can abuse their access rights. Generally, the complex part of technological in-
formation protection is that it is necessary to provide operators with certain access
rights, and at the same time prevent them from abusing these access rights. Strongly
limiting access rights results in the users’ performance decreasing, and therefore the
performance of the CS itself decreasing. To keep performance high, CS’s security
mechanisms must work in real time, which will minimize nonproductive delays re-
lated to data protection transformations or to control any analytical functions of
the security system.
One of the most effective and flexible security mechanisms is cryptographic trans-
formations. In connection with this, the problem of creating fast software-oriented
ciphering algorithms is an obvious one. The solution to this problem is a major stage
in the development of a computer security system that can be widely used.
Thus, using data encryption in computer security systems that are widely used
is mostly technological, and requires maximum speed for the cryptographic trans-
formation methods used, provided they are secure enough. This is only one of the
problems confronting developers of computer security systems. Another specific
problem is creating various types of computer-oriented transformation algorithms.
From the technological point of view, it is important to solve the following
problems:

Creating real-time algorithms for file encryption (transparent file encryption
algorithms)
Creating algorithms to encrypt the information in the hard drive boot sector
(so-called mini-algorithms)
Creating fast algorithms to encrypt data before writing them to the built-in
hard disk (transparent disk encryption algorithms)

Each of these algorithm types must satisfy particular requirements related to its
specific role in the security systems. The disk encryption procedure is very impor-
tant, due to how intensely it is used. Obviously, it must operate automatically and
in real time; that is, in transparent mode.
It is possible to give some requirements to computer security systems that
would correspond to the viewpoints of the various parties participating in creating
and using security systems. From an operator’s (user’s) point of view, a computer
security system should satisfy the following requirements:

It shouldn’t alter the regular way of working with the computer.
It shouldn’t demand excessive action from users.
It should allow users to use the applications they need.
It shouldn’t result in additional delays.

From the point of view of economic efficiency, the following requirements
could be placed on a security system:

Low cost
Ease of maintenance and operation that would allow you to decrease the tech-
nical staff
Full-scale functionality that would allow you to decrease the number of secu-
rity tools used to provide overall security
The possibility of enabling security tools without having to stop data pro-
cessing
Operating in real-time mode

To develop a security system that complies with these requirements, it seems
reasonable to observe the following design principles:

Total disk encryption
Multilevel encryption (disk encryption, transparent file encryption, encryp-
tion on demand)
Keeping the basic operating system untouched
Controlling information integrity in real-time mode

The types of common computer security threats are shown in Figure 1.1. Ex-
ternal, internal, and combined threats are the reasons for the three main types of
potential losses: information privacy violation, information integrity violation, and
CS operation violation. In Figure 1.2, various types of external threats and their
goals are shown. Internal threats are oriented toward the same goals as external
ones, but are implemented in other ways, using other kinds of attacks (Figure 1.3).

[Figure 1.1, image not reproduced: classification and analysis of computer security threats, with the columns “General threat types” (external, internal, and combined threats) and “The results of the threats.”]
FIGURE 1.1 The types of common computer security threats and the analysis of potential losses.

[Figures 1.2 and 1.3, images not reproduced: each lists the types of threats (external threats in Figure 1.2, internal or technological threats in Figure 1.3) beside the goals of those threats.]
FIGURE 1.2 The classification of external threats and the analysis of their goals.
FIGURE 1.3 The classification of internal threats and the analysis of their goals.

In general, computer security mechanisms must provide data privacy and in-
tegrity, and failure protection. The three main security mechanisms (Figure 1.4)
are data enciphering, controlling the bootstrap procedure, and using cryptographic
checksums. These mechanisms must be built into the security system in various
forms, depending on the peculiarities of its development for particular operating
conditions. The main mechanisms must be combined with additional ones (Figure
1.5), which will provide for the completeness of the security system and its effi-
ciency in technological data protection.

[Figures 1.4 and 1.5, images not reproduced: Figure 1.4 has the columns “Tasks of technological protection against threats” and “Implementation mechanisms”; Figure 1.5 has the columns “Additional protection mechanisms” and “Goals.”]
FIGURE 1.4 Security tasks and mechanisms of their implementation.
FIGURE 1.5 Additional protection mechanisms and their goals.

1.3 THE FUNDAMENTALS OF ONE-KEY CRYPTOGRAPHY

In this section, our main attention is on symmetric-key cryptography, which refers
to encryption methods in which either both the sender and the recipient use the
same key, or in which their keys are different, but interrelated in an easily pre-
dictable way. Other terms designating one-key cryptography are secret-key, private-
key, one-key and single-key cryptography.

1.3.1 Conditional and Unconditional Security


Claude Shannon published a remarkable theoretical paper on cryptography in the
late 1940s. This fundamental work devoted to the theoretical analysis of secret sys-
tems (ciphers) triggered the development of modern cryptology and became the
basis for creating new cryptosystems. Shannon looked at enciphering as mapping
an original message into a ciphered one (a cryptogram): C = Fi(M), where C is a
cryptogram, Fi is the mapping, M is an original message, and the i index refers to the
particular key used. For the message to be deciphered uniquely, the Fi mapping
must have a unique inverse mapping, so that FiFi^–1 = I, where I is the identity
mapping: M = Fi^–1(C).
It is assumed that the source of keys is a statistical process or a device that cre-
ates mappings F1, F2, …, FN1 with probabilities p1, p2, …, pN1, the number of
possible messages N2 is finite, and messages M1, M2, …, MN2 have a priori prob-
abilities q1, q2, …, qN2 (qi is the probability that can be assigned to the fact that an
intercepted cryptogram contains the Mi message, without performing a crypt-
analysis).
Let’s look at a simple cipher, in which the initial character set of the message is
the same as that of the key and of the cryptogram, and encryption is done using a
sequential substitution of the characters of the original message with the characters
of the cryptogram according to the next character of the key. In this case, the mes-
sage, the key, and the cryptogram look like a series of characters from the same
character set: M = (m1, m2, …, mn), K = (k1, k2, …, kn), C = (c1, c2, …, cn).
This step of encryption is described by the equation ci = f(mi, ki). In actual
cryptosystems, the length of the key is usually much smaller than the length of a
message being encrypted, so the series k1, k2, …, kn (called a keystream) is computed
based on a primary key, or can even be periodical.
The task of cryptanalysis is to compute the original message from a cryp-
togram, provided the set of mappings F1, F2, …, FN1 is known. There are cryp-
tosystems, for which any amount of intercepted information isn’t sufficient to find
the encrypting mappings, and this doesn’t depend on the computational resources
available to a cryptanalyst. This type of cipher is called unconditionally secure.
Strictly speaking, ciphers are unconditionally secure if a cryptanalyst (even one
possessing infinite computational resources) cannot improve the evaluation of the
original message M based on his knowledge of the C cryptogram, as compared
to an evaluation when the cryptogram is unknown. This is possible only when M
and C are statistically independent; in other words, the condition P(M = Mi /
C = Ci) = P(M = Mi) is true for all possible messages M. This condition means
that the probability that the M message is contained in the cryptogram being ana-
lyzed doesn’t depend on the cryptogram’s look, or rather, on the sequence of char-
acters in the ciphertext.
There are unconditionally secure systems that can be easily proved. In
the simple cipher discussed earlier, let a character set of L characters be used, and
the next character of the cryptogram be computed according to the ci = f(mi,
ki) = (mi + ki) mod L formula, where each character ci, mi, and ki is matched with
its ordinal number in the character set. For a keystream, let’s take the sequence of
n random characters k1, k2, …, kn; in other words, we take a random key whose
length is equal to the message length. To generate the key, let’s use a physical ran-
dom number generator that provides an equal probability for each element from
the {1, 2, ..., L} number set at its output. A number generated by this generator will
be taken as the index of the chosen key character. This source will provide equal
probability for any key having the n length. In this case, the probability of choosing
a given random key having a length of n is P(K = Ki) = L^–n.
The ciphering method used can transform any message Mi into the cryptogram
Ci by using a key Ki whose value depends on Mi and Ci. Since P(K = Ki) = const
for every i, an arbitrary message Mi can be transformed into any cryptogram Ci
with equal probability; in other words, the P(M = Mi / C = Ci) = L^–n con-
dition is true.
This last statement means that a given cryptogram with the length n can corre-
spond to any original message with the n length with the L^–n probability. When en-
crypting a new message, we’ll take a new random key. The described encryption
procedures provide unconditional security. Cryptosystems that use an equally
probable random key having a length equal to the length of the message are called
ciphers with a one-time tape, or ciphers with an infinite keystream. In practice, such
cryptosystems are of limited use, since they require transmitting very long keys.
It can be clearly proven that, to achieve unconditional security, it is necessary
to use an equally probable random key having a length equal to the length of the
message, regardless of the encryption procedure used. This means that these cryp-
tographic transformation procedures play a secondary role for these types of ci-
phers, while it is principally important to use an infinite random key.
Cryptosystems of the second type have the following property: as the amount
of the cryptogram available to the cryptanalyst increases, from some length n = n0
on there is only one solution to the cryptanalytic problem. The minimum amount
of a cryptogram for which only one solution exists is called the unicity distance.
With a one-time tape, n0 tends to infinity: n0 → ∞. When the length of a private
key is finite, the n0 value is also finite. We know that for a given cryptogram having
a length greater than the unicity distance, it is possible to find the only solution to
the cryptanalytic problem. However, for a cryptanalyst possessing limited compu-
tational resources, the probability of finding this solution (in the time for which the
information remains valuable) is extremely small (10^–30 or less).
These types of ciphers are called conditionally secure. Their security is based on
the high computational complexity of the cryptanalytic problem.
The goal of a developer of secure cryptosystems is to decrease the costs of en-
crypting/decrypting procedures, and at the same time set such a level of complex-
ity for the cryptanalytic problem that finding its solution becomes economically
inexpedient. Problems that require such an amount of computations are called
hard or computationally complex, and their solutions are called computationally un-
feasible. Ciphers based on problems for which finding the solution is computation-
ally unfeasible are also called computationally secure. Computationally secure cryp-
tosystems are most commonly used.
By the security of cryptosystems of this type, we mean the complexity of solv-
ing the cryptanalytic problem under certain conditions. Shannon introduced the
notion of the work factor W(n) as the average amount of work required to compute
the key from n known characters of a cryptogram, provided the best cryptanalytic
algorithm is used. The amount of work can be measured, say, by the number of
operations needed to compute the key. This parameter is directly related to the key-
computing algorithm. The difficulty of determining W(n) is related to that of find-
ing the best algorithm. Of special interest is the limiting W(n) value, when n → ∞.
At present, no computationally secure cryptosystems are known for which the
lower boundary W(∞) has been definitely found. In light of the complexity of such
estimations, actual ciphers are characterized by an estimation of the W′(∞) work
factor, which is obtained for the best of the known key computing methods.
Shannon suggested a model for estimating the unicity distance, from which the
equation n0 = H(K)/D is obtained, where H(K) is the entropy of the key (for a
random key, this is the key length in bits), and D is the redundancy of the language
in bits per character. This relation can be rewritten as H(K) ≤ nD, where H(K) is
the number of unknowns in the binary representation of the key, and nD is the
number of equations available for computing the key. If the number of equations
is less than the number of unknowns, the system of equations has no unique solu-
tion, and therefore the cryptosystem is unconditionally secure. If the number
of equations is greater than the number of unknowns, there is only one solution,
and the cryptosystem isn’t unconditionally secure. However, it can remain condi-
tionally secure when n >> n0. The security level of conditionally secure cryptosys-
tems heavily depends on the particular type of encrypting procedure (here we don’t
consider the case in which a very small private key is selected, where the complex-
ity of trying every possible key is low). Certain transformation procedures also
determine the profile of the work factor; in other words, the specific type of the
W(n) dependency. In the following sections, we’ll look at two-key ciphers, which
determine the modern trend in the development of cryptography. By their na-
ture, they are computationally, but not unconditionally, secure cryptosystems. The
assumption that computationally complex problems exist is fundamental in mod-
ern cryptography.
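The cipher ci = (mi + ki) mod L from this section and the counting argument n0 = H(K)/D, worked through as an added example that is not the book’s code: a one-time key over the 26-letter alphabet, a function that exhibits the key under which any candidate plaintext explains a given cryptogram, and the unicity distance for a finite key. The redundancy value D = 3.2 bits per character for English is an assumed figure, not one given in the text.

```python
import math
import secrets
import string

ALPHABET = string.ascii_uppercase   # the character set; L = 26
L = len(ALPHABET)
ENGLISH_REDUNDANCY = 3.2            # D in bits per character: an assumed figure for English


def random_key(n):
    """A random key as long as the message, each character equiprobable, so that
    P(K = Ki) = L^-n for every key Ki (secrets stands in for the physical generator)."""
    return "".join(ALPHABET[secrets.randbelow(L)] for _ in range(n))


def encrypt(m, k):
    """c_i = f(m_i, k_i) = (m_i + k_i) mod L, character by character."""
    if len(k) != len(m):
        raise ValueError("one-time tape: the key must be as long as the message")
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(b)) % L]
                   for a, b in zip(m, k))


def decrypt(c, k):
    """m_i = (c_i - k_i) mod L."""
    if len(k) != len(c):
        raise ValueError("one-time tape: the key must be as long as the cryptogram")
    return "".join(ALPHABET[(ALPHABET.index(a) - ALPHABET.index(b)) % L]
                   for a, b in zip(c, k))


def explaining_key(c, m_candidate):
    """The key Ki under which the candidate plaintext would have produced the
    observed cryptogram. It exists for every candidate of the same length and was
    chosen with the same probability L^-n, which is why the cryptogram leaves the
    a priori probabilities unchanged: P(M = Mi / C = Ci) = P(M = Mi)."""
    return decrypt(c, m_candidate)      # same arithmetic: k_i = (c_i - m_i) mod L


def unicity_distance(key_bits, redundancy=ENGLISH_REDUNDANCY):
    """n0 = H(K) / D (Shannon): for a random finite key, H(K) is its length in bits."""
    if redundancy <= 0:
        return math.inf
    return key_bits / redundancy


def key_determined(key_bits, n, redundancy=ENGLISH_REDUNDANCY):
    """The counting argument: n*D equations for H(K) unknown key bits.
    Only when n*D >= H(K), i.e. n >= n0, can the system have a unique solution."""
    return n * redundancy >= key_bits


def one_time_tape_determined(n, redundancy=ENGLISH_REDUNDANCY):
    """For a one-time tape H(K) = n*log2(L) grows with n, while D < log2(L) for any
    language, so n*D never catches up: n0 tends to infinity and the key is never fixed."""
    return key_determined(n * math.log2(L), n, redundancy)
```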

1.3.2 General Issues of Cipher Design


In the last section, we showed that an unconditionally secure cipher can be built
only by using an equally probable random key having a length equal to the length
of the message, a new key being used for each new message. Since the key is used
once and chosen at random, one might speak about an infinite random key. We’d
like to note that, when using an infinite key, there is no need for any complex pro-
cedures that transform the characters of the original text into the characters of the
ciphertext, since it will suffice to use the simple operation of applying key charac-
ters to the corresponding plaintext characters (for example, the operation of bitwise
addition modulo 2).
Practical secrecy most often means the work effort needed to solve the crypt-
analytic problem for ciphers with finite keys. This concerns a theoretical model of
a cryptosystem that is disassociated from specific conditions of cipher usage; in
other words, it has to do with a theoretical estimation of the computational com-
plexity of the cryptanalytic problem. It seems best to describe ciphers having finite
keys as computationally secure cryptosystems. This is because by practical secrecy
we can also mean secrecy that depends on a theoretical security level and on the
organizational and technical conditions of the cipher’s use. For example, when
using ciphers with infinite keys, practical secrecy is determined by various leakage
channels related to processing the original message in the cryptosystem. These tap-
ping channels can be used to intercept a part of the message or key. Actually, even
when these ciphers are used, there is some probability that the transmitted infor-
mation will become known to an interceptor.
In a broad sense, we can also understand practical security to mean the ci-
pher’s security, taking into account a great number of things that happen under the
actual operating conditions of a cryptosystem, and that are related to the integrity
control of all components of the actual cryptosystem. These are things like the
cryptographic protocol, the enciphering device, the secure channel used to transmit
the secret key, the key controlling procedures, and the environmental elements
(such as a protected premises, staff, physical and technical means of protection,
etc.). In the theoretical model of a cryptosystem, only security that is related to solv-
ing the cryptanalytic problem and that determines the maximum achievable secrecy
level is considered. (Under the actual operating conditions of cryptosystems, their
secrecy may be much lower than this limiting value.)
Since actual practical secrecy cannot guarantee complete security of informa-
tion, even when ciphers with an infinite keystream are used, using practically con-
venient cryptosystems with finite keys based on the high computational complexity
of the cryptanalytic problem is completely justified. The fact that computationally
secure ciphers can be decoded doesn’t indicate the work effort such disclosure would
take. When decoding a cipher in practice, the effort the cryptanalytic task takes is the
most important feature, because an attacker’s resources are limited in practice.
When using ciphers with keys that have a finite length, the specific choice of en-
ciphering algorithm is crucial to ensure practical security. The transformation pro-
cedures determine the complexity of the cryptanalysis. It is also important to keep
in mind that the key length must be large enough to prevent completely the
exhaustive search (i.e., to make it computationally impossible to try every possible
key when using modern computing systems). With a key length of 128 bits or more,
this requirement is satisfied.
If a computationally secure cipher doesn’t allow key disclosure with a proba-
bility greater than the probability of information leakage through the channels con-
nected to the actual operating conditions of a cryptosystem, using this cipher is
preferable. Besides which, there are a number of applications in which ciphers with
infinite keys cannot be used (for example, when protecting information that flows
in a computer system where all data stored on the hard drive is encrypted). In such
cases, it is better to use ciphers with finite keys (provided the computational secu-
rity of such cryptosystems is high enough).
When developing computationally secure ciphers, two general techniques are
used: confusion and diffusion.
Confusion is the extension of the influence of one character of a plaintext over
several characters of a ciphertext. This begins an avalanche effect (in the case of
block ciphers, it is necessary to extend the effect of every bit of an input text over all
bits of the output text). Diffusion is a ciphering transformation that destroys the re-
lationships between the statistical characteristics of the input and output texts; in
other words, obscures the statistical characteristics of the input message. An exam-
ple of a procedure that performs diffusion is a transposition of plaintext characters
that leads to an equal redundancy distribution over the entire text. (Note that the
redundancy of an original text plays a significant role in a cryptanalysis based on a
ciphertext. However, when performing a cryptanalysis based on a known or chosen
text, there is no point in considering this.)
To prevent the possibility of computing the key in parts, it is also commonplace
to implement a principle of extending the effect of one key character over many
characters of the cryptogram. In cryptosystems in which several successive simple
ciphering procedures are carried out, this principle is automatically implemented
during diffusion.

1.3.3 Product and Iterated Block Ciphers


In modern automated information processing systems, it is often preferable to use
block ciphers. Block ciphers are cryptosystems that encrypt information in blocks of
a fixed length; for example, n bits. This type of cryptographic transformation is
called block ciphering. For block ciphering, data are represented as a series of n-bit
blocks. In actual practice, files, certain fields in spreadsheets, and other types of
computer messages have an arbitrary length, which usually isn’t a multiple of the
block length. This is why a method of complementing the last data block is used.
The last data block is often complemented with a binary vector (1, 0, 0, ...,
0), in which the number of zeroes can be anywhere from 0 to (n – 2). If the length
of the last block is n, an additional n-bit block, having the (1, 0, 0, ..., 0) structure,
is appended to the message. This method makes it possible to unambiguously de-
termine the appended binary vector and drop it if necessary. Using such a way of
complementing a message up to a length that is a multiple of n, one can represent
any message M as a series (concatenation) of n-bit subblocks Mi: M = M1||M2|| ...
||Mi|| ... ||Mm. Each block of the original message can be transformed independent
of the other blocks, and so, when using block ciphers, direct access to encrypted
data is possible. The most general mechanism of block enciphering is one that
makes it possible to transform any input block into any output block, the size of the
output block being greater than or equal to the size of the input block. A block of a
ciphertext cannot be less than a plaintext block, because in that case several differ-
ent plaintext blocks would correspond to the same ciphertext block. This would
mean ambiguous decryption. If the length of the output block is greater than n, sev-
eral different ciphertext blocks will correspond to the same plaintext block. In that
case, deciphering is possible and unique. (Examples of such cryptosystems are
probabilistic ciphers.) Since an increased length of encrypted data places certain
limitations on the areas in which it can be applied, the most commonly used ci-
phers have the size of output blocks equal to that of input blocks. Block ciphers
specify a one-to-one correspondence between possible input and output blocks.
Since input and output block sets coincide, encryption makes a substitution on the
0, 1, …, 2^n – 1 set of numbers, which can be presented as:

$$\begin{pmatrix} 0 & 1 & 2 & \dots & 2^n - 1 \\ E_K(0) & E_K(1) & E_K(2) & \dots & E_K(2^n - 1) \end{pmatrix},$$

where EK(M) is a function of enciphering with the K key; in other words, a function
specified by enciphering procedures using the K enciphering key.
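The complementing rule described above, written out as an added example (not the book’s code) on byte-aligned blocks: the vector (1, 0, ..., 0) becomes the byte 0x80 followed by zero bytes, a whole extra block is appended when the last block is already full, and the padding is removed unambiguously before the message is split into the n-bit subblocks M1||M2|| ... ||Mm.

```python
def pad(message, n_bits):
    """Append the vector (1, 0, 0, ..., 0) so that the length becomes a multiple of n.
    On bytes, the leading 1 bit is the byte 0x80 and the zeros are 0x00 bytes. When
    the last block is already full, a whole n-bit block 0x80 00 ... 00 is appended,
    exactly as the text requires, so the marker can always be found again."""
    if n_bits % 8 != 0 or n_bits < 16:
        raise ValueError("block size must be a multiple of 8 bits, at least 16")
    n = n_bits // 8
    zeros = (n - (len(message) + 1) % n) % n      # 0 .. n-1 zero bytes after 0x80
    return message + b"\x80" + b"\x00" * zeros


def unpad(padded, n_bits):
    """Strip the padding: drop trailing zero bytes, then the single 0x80 marker.
    Any other tail means the data were corrupted or were never padded this way.
    Trailing zero bytes that belong to the message are safe: they sit before 0x80."""
    n = n_bits // 8
    if not padded or len(padded) % n != 0:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0:
        i -= 1
    if i < 0 or padded[i] != 0x80:
        raise ValueError("invalid padding")
    return padded[:i]


def split_blocks(padded, n_bits):
    """M = M1 || M2 || ... || Mm: the n-bit subblocks a block cipher works on."""
    n = n_bits // 8
    if len(padded) % n != 0:
        raise ValueError("data must be padded to a multiple of the block size first")
    return [padded[i:i + n] for i in range(0, len(padded), n)]


def roundtrip_ok(message, n_bits):
    """pad then unpad must give the original bytes back, whatever the length."""
    return unpad(pad(message, n_bits), n_bits) == message
```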
The enciphering function sets the correspondence between a plaintext block M
and a cryptogram block C, which is written as C = EK(M). For a given key, one
substitution is implemented. In general, different substitutions correspond to dif-
ferent keys. If a cipher uses a key that is k bits long, this cipher specifies no more
than 2^k different substitutions, which is usually an extremely small portion of the
number of all possible substitutions, equal to (2^n)!. To implement all possible substi-
tutions, you need to use a key with the length of k = log2((2^n)!) ≈ n·2^n bits.
One of the statistical methods of breaking ciphers is a frequency cryptanalysis.
This method is based on the examination of the frequency of characters in the
cryptogram, and then making a correlation with the frequency of characters in the
original text. The frequency method makes it possible to break mono-alphabetic
substitution ciphers that correspond to block ciphering when small input blocks are
used (for example, when n = 8). As the input block size increases, the frequency
properties of the language of the plaintext become less pronounced, but even with
n = 16, the unevenness of the frequency properties of the original text can be ef-
fectively used to break the cipher. With n = 32, frequency cryptanalysis becomes
extremely complex, and a block cipher with such an input size can be used in some
cases. The minimum secure block length is considered to be n = 64. The greater
the input block size, the higher the security that can be achieved. However, for
large block sizes, manufacturing ciphering devices becomes more complex. When
developing the American DES standard, the choice of the n = 64 value was a cer-
tain compromise between security and implementation convenience. This size was
commonly used for over 25 years. Currently, the potentialities of microelectronics
have dramatically increased, and the n = 128 input block size is now standard.
A large input block size itself is simply a necessary condition for the high security of the algorithm being developed. Designing secure block ciphers is associated with using nonlinear transformations that have good diffusion and confusion properties, or with combining linear and nonlinear transformations. The advantages of linear transformations are ease of implementation, small operating time, and the convenience of using the secret key as the transformation parameter. However, using only linear transformations isn’t sufficient to design secure ciphers.
One method of achieving good diffusion and confusion is building a compound (product) cipher that includes a number of sequentially used simple ciphers, each of which makes a small contribution to diffusion and confusion. The idea of building product ciphers was suggested and justified by Shannon. In product ciphers, ciphering procedures of one type alternate with those of another type. For simple ciphers, substitutions (S), transpositions (T), and linear transformations (L) can be used. In such a case, the resulting cipher can be presented as
F = S_n T_n L_n ... S_2 T_2 L_2 S_1 T_1 L_1.
A secret key can be used with procedures of any one type (T, L, or S). The key
can be also used with procedures of all (or some) types.
The simplest product cipher is shown in Figure 1.6, where the S boxes denote a substitution operation on 4-bit subblocks of the input message, T means a transposition on a 4k-bit data block being transformed, and L is a linear transformation operation, using which the mixing of encrypted data is performed with a secret key represented as the K1, K2, …, Kr subkey set. In this r-cascade cryptoscheme, the encrypting procedure consists of r successive rounds of transformation using different round keys. A substitution operation involves replacing a 4-bit input binary vector with a 4-bit output binary vector according to a substitution table. If we represent 4-bit binary vectors with their numeric values (i.e., interpret a binary vector as a binary number), we can write the substitution table as

( 0   1   2   ...  15  )
( α0  α1  α2  ...  α15 ),
30 Innovative Cryptography, Second Edition

where ∀i, αi ∈ {0, 1, …, 15}, and the columns set up a correspondence between the 4-bit input value (the upper row) and the 4-bit output value (the lower row).

FIGURE 1.6 The structure of a product cipher based on substitutions and transpositions.

For an arbitrary substitution table, it is easy to write a table that specifies the inverse substitution. Similarly, the bit transposition operation T and the corresponding inverse transposition T^–1 can be specified. For the linear transformation L, it is also easy to specify the corresponding inverse transformation L^–1. The deciphering procedure is performed according to the scheme shown in Figure 1.7.

FIGURE 1.7 The deciphering procedure scheme in a product cipher.

The discussed cipher belongs to the so-called iterated ciphers, in which ciphering is done in the form of repeatedly performing a standard transformation procedure (called a ciphering round, or a round ciphering function), which is a composition of three simple transformations of different types. In the process, different keys called round keys are used in different rounds.
When implemented as a high-speed device, the enciphering/deciphering procedure for a product cipher will be performed using various electronic circuits. Later in this book, we look at special cryptoschemes that make it possible to use the same electronic circuit for both encrypting and decrypting, thus making the hardware implementation more cost-effective. In such ciphers, changing the ciphering mode is done by changing the order of round keys.
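
The product cipher of Figures 1.6 and 1.7, as an added example (not the book's code): each round applies the key-mixing linear layer L (XOR with the round key), a bit transposition T and 4-bit S-boxes, i.e. the composition S∘T∘L on a 16-bit block, and deciphering applies the inverse layers in reverse order with the round keys reversed. The S-box, the transposition wiring and the round keys are constructed for this demonstration and are not taken from any published cipher.

```python
"""Product (substitution-transposition) cipher with its inverse.

Added example; not code from the book.  One round is L (XOR with the round
key), then T (bit transposition), then S (4-bit S-boxes), matching the
order S_i T_i L_i of the text.  Decryption runs S^-1, T^-1, L^-1 per round
with the round keys in reverse order.  S-box, wiring and keys are
constructed for the demonstration.
"""
BLOCK_BITS = 16

# Constructed 4-bit S-box (a permutation of 0..15) and its inverse table.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(i) for i in range(16)]

# Constructed transposition: output bit i takes input bit PERM[i]
# (bit j of S-box k is wired to bit k of S-box j, spreading each box's
# output over all four boxes of the next round).
PERM = [4 * (i % 4) + i // 4 for i in range(BLOCK_BITS)]
PERM_INV = [PERM.index(i) for i in range(BLOCK_BITS)]


def substitute(block, box):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit value."""
    out = 0
    for j in range(4):
        out |= box[(block >> (4 * j)) & 0xF] << (4 * j)
    return out


def transpose(block, perm):
    """Bit permutation: output bit i = input bit perm[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        out |= ((block >> perm[i]) & 1) << i
    return out


def encrypt(block, round_keys):
    """r rounds of L, T, S with the round keys K1 ... Kr in order."""
    for key in round_keys:
        block ^= key                        # L: linear mixing with the key
        block = transpose(block, PERM)      # T: bit transposition
        block = substitute(block, SBOX)     # S: nonlinear substitution
    return block


def decrypt(block, round_keys):
    """Inverse layers in reverse order, round keys reversed (Figure 1.7)."""
    for key in reversed(round_keys):
        block = substitute(block, SBOX_INV)
        block = transpose(block, PERM_INV)
        block ^= key
    return block


def flipped_bits(round_keys, block, bit):
    """Diffusion probe: ciphertext bits changed by flipping one plaintext bit."""
    c1 = encrypt(block, round_keys)
    c2 = encrypt(block ^ (1 << bit), round_keys)
    return bin(c1 ^ c2).count("1")
```

With no rounds the cipher is the identity and `flipped_bits` returns 1; every added round lets the transposition carry the S-box output differences into other boxes, which is the diffusion the paragraph attributes to alternating layer types.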

Feistel’s Cryptoscheme
Feistel’s cryptoscheme (Figure 1.8) is a general scheme for designing an n-bit block cipher based on an arbitrary function F with the n/2 input block size. An important advantage of this structure is that it specifies the same algorithm for both encrypting and decrypting. Specifying a particular enciphering mode is determined by the order of using the round keys. Changing the ciphering mode is done by inverting the order of the round keys.
The security of ciphers designed using this scheme is determined by the properties of the F round function. A great many various ciphers are known that are designed according to this scheme, and only differ in the number of rounds and the structure of the round function.

FIGURE 1.8 Feistel’s cryptoscheme: a—enciphering, b—deciphering.
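
Feistel's scheme in code, as an added example that is not from the book: the block is split into halves (L, R), each round computes (L, R) → (R, L ⊕ F(R, K_i)), and because F is never inverted, deciphering is the very same procedure with the round keys in reverse order. The round function below is a constructed placeholder standing in for a real cipher's F; the key values are likewise constructed.

```python
"""Feistel cryptoscheme: one algorithm for both enciphering and deciphering.

Added example; not code from the book.  The n-bit block is split into
halves (L, R) and each round computes (L, R) -> (R, L XOR F(R, K_i)) for an
arbitrary round function F with an n/2-bit input.  F is never inverted, so
deciphering is the same procedure with the round keys taken in reverse
order.  The round function below is a constructed placeholder, not a
published cipher's F.
"""
HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def rotl(x, r):
    """Rotate an n/2-bit word left by r positions (r may be 0)."""
    r %= HALF_BITS
    return ((x << r) | (x >> (HALF_BITS - r))) & MASK


def round_function(right, key):
    """Constructed F: key mixing, a data-dependent rotation and a multiply."""
    t = (right + key) & MASK
    return rotl(t, right & 31) ^ ((t * 0x9E3779B1) & MASK)


def feistel(block, round_keys):
    """Run the rounds on a 64-bit block.  The halves are swapped once more
    at the end so that the same function serves both directions."""
    left, right = block >> HALF_BITS, block & MASK
    for key in round_keys:
        left, right = right, left ^ round_function(right, key)
    return (right << HALF_BITS) | left


def encrypt(block, round_keys):
    """Enciphering: round keys K1 ... Kr in order."""
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    """Deciphering: exactly the same procedure with Kr ... K1."""
    return feistel(block, list(reversed(round_keys)))
```

Nothing in `decrypt` depends on `round_function` being invertible, which is why any F (even a hash-like one) can be used; that property is what lets one circuit serve both modes by merely reversing the key order.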

1.3.4 Controlled Operations—a New Cryptographic Primitive


Controlled operations are essential to the entire concept of contemporary cryptography. In general, a controlled operation is an operation on one data block that is carried out conditionally on the state of another data block. This section covers the use of controlled operations as a cryptographic primitive.

General Characteristics of Controlled Operations


Modern applied cryptography increasingly tends to take into account requirements related to the peculiarities of electronic information technologies. At present, using encryption to protect information is becoming increasingly technological. The technological nature of using encryption manifests itself in:

Common use
The variety of tasks fulfilled
The variety of operational conditions
Specialization to solve specific problems

This has led to increasing requirements imposed on:

Security (in various operating conditions, new kinds of cryptanalytic attacks, such as a so-called differential fault analysis, become relevant)
Encryption speed (this follows from the need to keep a high performance of the computer system and telecommunications after placing the security system in operation)
Cost-effectiveness of the hardware implementation (this is related to the wide use of enciphering devices)

The fact that contests for designing new ciphers take place in the United States (the AES contest), Europe (the NESSIE contest), and Japan indicates the recognition of encryption’s technological role. The technological areas of application are so varied that designing new specialized encryption algorithms will still be an urgent topic for a long time. In modern cryptography, there is significant interest in looking for new cryptographic primitives to build block ciphers that may prove promising for technological applications, and that will provide:

High speed
High security
A low complexity of implementation

The cryptographic primitives traditionally used when designing one-key cryptosystems are substitutions, transpositions (permutations), arithmetic and algebraic operations, and some other auxiliary operations. The most frequently used operation is substitution, which is also the most general. This operation is the cryptographic primitive on which the security of most block ciphers is based. The following ways of implementing substitutions are known:

In software and software-hardware ciphers, substitutions are implemented as substitution tables stored in the computer memory. In this case, it is easy to implement substitution over binary vectors that are 13-bits long (the required memory is about 10 KB). Despite the large memory size of modern computers, implementing substitution operations over vectors longer than 16 bits is problematic.
In hardware ciphers, substitutions are implemented as complex electronic circuits. General substitutions over binary vectors longer than 13 bits are very hard to implement.

An advantage of general substitution operations is that the best substitutions that comply with certain cryptographic criteria can be found. In the case of substitutions with a small size (say, 6×4), many effective substitutions can be found. However, for substitutions having a size of 8×8 or larger, choosing the best variants is problematic. In connection with this, choosing substitutions with big sizes is done in some ciphers by using certain known operations with certain properties. A typical example is the SAFER cipher, in which substitutions are defined by raising to a discrete power and performing a discrete logarithm operation on a modulo 257 residue field.
Because of some problems that emerge when designing fast block ciphers based on substitutions, alternative solutions were suggested. One such solution is the RC5 cipher, in which the only nonlinear operation is rotation (end-around shift), which depends on the data being transformed, and is easily implemented on modern widely used processors. Despite its extreme simplicity, the RC5 cipher has proven to be very secure against linear and differential cryptanalysis. Theoretical investigations have revealed that having the selection of the rotation operation depend on the transformed data is an effective way to protect against these two important types of attacks. Due to its effectiveness, data-dependent rotation has found a use in such new ciphers as RC5 and MARS.
If a fixed rotation operation that is a special case of a substitution operation is linear, making it dependent on the transformed data leads to the creation of a new nonlinear operation with good cryptographic properties. Apparently, besides the data-dependent rotation operation, there are other types of controlled operations. Their important features are their type, and the number of different variants from which the current modification used to transform a data subblock is chosen. The second parameter determines how many additional data bits can be used when performing a controlled operation on the current n-bit data subblock. For a controlled rotation operation, there are n modifications. Despite such a small number of modifications, this controlled operation appears to be an effective cryptographic primitive. One can expect that operations with an essentially greater number of modifications—say, from 2^n to 2^(3n) or more—will prove to be more effective. An example of such a controlled operation is a bit permutation operation that depends on data being transformed, and is a generalized case of controlled rotation.
A different important direction is the design of special controlled operational substitutions for cryptographic applications—in particular, controlled binary operations. The simplest way to implement such operations is by using a controlled adder (Figure 1.9), which makes it possible to specify 2^n different modifications of the Y = X ∗_V A addition operation, including the bitwise addition modulo two (“∗_V” = XOR) for V = (0, 0, 0, ..., 0), and the addition modulo 2^n (“∗_V” = “+”) for V = (1, 1, 1, …, 1) as a special case.

FIGURE 1.9 A controlled adder (e = 0—“addition,” e = 1—“subtraction”).
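
A controlled adder in code, as an added example that is not the book's circuit: the construction assumed here gates the carry of a ripple-carry adder bit by bit with the control vector V, so that V = 0...0 gives XOR and V = 1...1 gives addition modulo 2^n, with every other V selecting one of the intermediate modifications. The "subtraction" mode (e = 1 in Figure 1.9) recovers X from Y and A bit by bit. One caveat of this particular gating: the control bit of the most significant position has no effect because its carry is discarded, so this construction yields 2^(n−1) distinct tables rather than 2^n.

```python
"""Controlled adder: modifications of Y = X *_V A selected by the vector V.

Added example; not the book's circuit.  Bit i of the sum is x_i ^ a_i ^ c_i
as in an ordinary adder, but the carry into the next position is gated by
the control bit: c_{i+1} = v_i AND maj(x_i, a_i, c_i).  V = 0 therefore
gives XOR, V = all ones gives addition modulo 2^n.  The inverse ("e = 1")
recomputes the same carries while reading X off bit by bit.
"""


def controlled_add(x, a, v, n=8):
    """Y = X *_V A on n-bit operands; v selects which carries propagate."""
    y, carry = 0, 0
    for i in range(n):
        xi, ai, vi = (x >> i) & 1, (a >> i) & 1, (v >> i) & 1
        y |= (xi ^ ai ^ carry) << i
        maj = (xi & ai) | (xi & carry) | (ai & carry)
        carry = vi & maj                    # carry only where v_i = 1
    return y


def controlled_sub(y, a, v, n=8):
    """Inverse of controlled_add: the X with controlled_add(X, A, V) == Y.
    The carry into bit i depends only on lower bits, which are already
    recovered, so one ripple pass suffices."""
    x, carry = 0, 0
    for i in range(n):
        yi, ai, vi = (y >> i) & 1, (a >> i) & 1, (v >> i) & 1
        xi = yi ^ ai ^ carry
        x |= xi << i
        maj = (xi & ai) | (xi & carry) | (ai & carry)
        carry = vi & maj
    return x


def controlled_op(x, a, v, e, n=8):
    """Figure 1.9 style interface: e = 0 is addition, e = 1 is subtraction."""
    return controlled_sub(x, a, v, n) if e else controlled_add(x, a, v, n)


def count_modifications(n=4):
    """Number of distinct operations X *_V A reachable by varying V.
    For this gating it is 2^(n-1): the top control bit is redundant."""
    tables = set()
    for v in range(1 << n):
        tables.add(tuple(controlled_add(x, a, v, n)
                         for x in range(1 << n) for a in range(1 << n)))
    return len(tables)
```

In a cipher the vector V would come from another data subblock (the "control input"), which is what makes the operation data-dependent and nonlinear; `controlled_sub` with the same V is what the decryption circuit needs.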

As opposed to table substitutions, it is possible to create a great many different types of controlled transformation operations with a sufficiently large input block size (32, 64, or 128 bits) that can be easily implemented as hardware. In this case, the operations actually implement a special substitution subclass. However, this substitution subclass belongs to substitutions of a much greater size, which creates prerequisites for designing secure fast ciphers with a low hardware implementation complexity.
Traditionally used table substitutions, and arithmetic and other operations that were initially used to solve other problems, aren’t oriented toward cryptographic applications. From a cryptographic point of view, they have both advantages (for example, the bitwise addition modulo 2 is easy to implement and very fast) and disadvantages (for example, linearity). For cryptographic usage, it is best to develop operations that are adjusted for cryptographic applications and possess the special properties necessary for high security encryption algorithms. As a prototype for such operations, we can use the data-dependent rotation operation that was used as a basic cryptographic primitive in such ciphers as RC5, RC6, and MARS. Specifying the current modification of such an operation depending on the data being transformed determines its nonlinear properties. Despite the fact that the choice can only be made from n different modifications (n is the length of the binary vector on which the rotation is performed), this cryptographic primitive appears to be quite effective. Its merits are the simplicity of program implementation, nonlinearity, and increasing the effective input size by log2(n) bits (this is the number of data bits that specify the choice of the current modification; in other words, of control bits).
In general, controlled permutations (CP) and controlled binary operations (CBO) seem to be more effective for cryptographic applications, since they include a very large number of possible modifications, which makes it possible to implement a control input with a size from n to 3n (and in some cases even more). Preliminary investigations of algebraic and probability-statistical properties of CP and CBO showed their usability for developing secure fast ciphers.
The structure and working principles of controlled permutations and controlled adders are quite descriptive, so these variants of controlled operations are thought of as an individual class of cryptographic primitives. Controlled operational substitutions (COS) are an even wider class of controlled operations. However, this type of operation isn’t so clearly perceived as an individual class of cryptographic operations. In connection with this, it is worth stressing how controlled operations differ from substitution operations of an m×n size, where m > n.
In essence, controlled operational substitutions are specially designed cryptography-oriented operations performed over two or more binary vectors. They are built according to a special rule that allows you to design operations for transforming binary vectors of arbitrary size. These operations have a structure that makes the complexity of their hardware implementation increase approximately according to a linear law, while increasing the size of binary vectors being transformed. COSs have the following features:

Use standard boolean functions that specify the relationship between the input and output bits
The possibility of designing COSs to transform binary vectors that are from 32 to 256 bits
A low complexity of hardware implementation
High performance
The possibility of a theoretical justification for choosing a COS of a certain type for an arbitrary input size

Figure 1.10 illustrates the possible types of controlled operational substitutions.

[Figure 1.10 (diagram): controlled operational substitutions are divided into controlled substitutions (controlled rotations, controlled permutations, and controlled permutational one-cycle involutions) and controlled binary operations (CBO) of various types; other types of controlled operations are shown alongside.]

FIGURE 1.10 Types of controlled operational substitutions.

Controlled operations have the following advantages:

They make it possible to use all the bits of the data block being transformed when a unified nonlinear operation is performed. They also make it possible to reverse a direct operation by inverting a special bit that specifies the encryption or decryption mode.
They make it possible to design new types of cryptoschemes that allow you to change the transformation mode by changing the order of the subkeys used.
They make it possible to design effective mechanisms of internal key extension, which provides a high encryption speed in applications with frequent changes of secret keys.

Despite the initial hardware orientation, designing effective controlled operations can potentially lead to a significant leap in the performance of software-oriented ciphers. This is related to the fact that some types of controlled operations, such as controlled substitutions, are extremely effective as cryptographic primitives, and the cost of their hardware implementation is very low. This cost/effectiveness ratio makes it very attractive for processor vendors to include a new command—controlled permutation—among the standard processor commands. The possibility of providing a high software encryption speed, from 800 to 2000 Mbit/sec, significantly increases the competitiveness of such processors, with minimum hardware costs. For example, implementing an operational controlled permutation box (CPB) with a 64-bit transformed data input and a 192-bit control input requires less than 1200 transistors, and implementing a CPB with a 32-bit transformed data input and an 80-bit control input requires less than 1000 transistors.
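
A controlled permutation box in code, as an added example that is not the book's circuit: the topology assumed here is a butterfly-style network of log2(n) layers, each made of n/2 elementary switches that swap a pair of data bits when their control bit is 1. Such a network needs (n/2)·log2(n) control bits, which is 192 for n = 64 and 80 for n = 32, the control sizes quoted above. Each layer is an involution, so the inverse permutation is obtained by running the layers in reverse order with the same control bits, which is how a single mode bit can select between the direct and inverse operation. Note that 2^192 is far smaller than 64!, so only a subset of all bit permutations is reachable; the control vector and data values below are constructed.

```python
"""Controlled permutation box (CPB) from 2-bit controlled swap elements.

Added example; not the book's circuit.  Layer k pairs bit i with bit
i + 2^k inside aligned blocks (a butterfly pattern), giving n/2 switches per
layer and log2(n) layers.  Control bit j of layer k decides whether the j-th
pair of that layer is swapped.  The same control bits applied to the layers
in reverse order undo the permutation.
"""


def layer_pairs(n, layer):
    """The n/2 bit pairs swapped by the given layer (constructed pattern)."""
    stride = 1 << layer
    return [(i, i + stride) for i in range(n) if (i // stride) % 2 == 0]


def control_bits_needed(n):
    """(n/2)*log2(n) control bits for this topology (n a power of two)."""
    log2n = n.bit_length() - 1
    return (n // 2) * log2n


def cpb(bits, control, n=64, inverse=False):
    """Permute the n-bit value under an (n/2)*log2(n)-bit control vector.
    inverse=True applies the layers in reverse order (the mode bit)."""
    if n & (n - 1) or n < 2:
        raise ValueError("n must be a power of two")
    log2n = n.bit_length() - 1
    per_layer = n // 2
    layers = range(log2n - 1, -1, -1) if inverse else range(log2n)
    x = bits
    for layer in layers:
        base = layer * per_layer            # control bits of this layer
        for j, (p, q) in enumerate(layer_pairs(n, layer)):
            if (control >> (base + j)) & 1:
                bp, bq = (x >> p) & 1, (x >> q) & 1
                if bp != bq:                # swap the two bits
                    x ^= (1 << p) | (1 << q)
    return x


def is_bit_permutation(before, after):
    """A CPB only moves bits, so the Hamming weight must be preserved."""
    return bin(before).count("1") == bin(after).count("1")
```

In a cipher the control vector is derived from another data subblock, so the permutation applied to one half of the block depends on the other half; the 192- and 80-bit control widths in the text match exactly the switch counts of this layered structure.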

1.4 TWO-KEY CRYPTOSYSTEMS

Symmetric-key cryptosystems considered earlier in this chapter either use the same key for encryption and decryption, or the key used for decryption is easily computed on the basis of the encryption key. The main drawback of such ciphers is that the two parties that exchange data must share a secret key, which results in difficulties in initially establishing secret communications. Two-key cryptosystems (also known as asymmetric key or public key cryptosystems) considered in this section are free from this drawback.

1.4.1 The Public Key Distribution System


In 1976, Diffie and Hellman published a paper that marked the birth of two-key cryptography and led to increasing the number of public investigations in the area of cryptography. This work contained a stunning conclusion: it is possible to design practically secure secret systems that don’t require secret key sending. Diffie and Hellman introduced the notion of a trapdoor one-way function. A one-way function f means that the f(x) function is easily computable for any argument x from the area of definition, but for a randomly chosen y from the area of values, it is computationally difficult to find a value of the x argument so that f(x) = y. Using such functions to protect login using a one-way password transformation is common. However, how can you use a one-way function in cryptographic systems if even the valid receiver cannot perform the decryption procedure? For encryption, a trapdoor one-way function was suggested.
A trapdoor one-way function is a family of invertible functions f_z with the z parameter such that for a given z it is possible to find the E_z and D_z algorithms that make it easy to compute the f_z(x) value for all x from the area of definition, and also to compute the f_z^–1(y) value for all y from the area of values. However, for essentially all values of the z parameter and essentially all values of y from the area of values of f_z, finding f_z^–1(y) is computationally impossible, even when E_z is known. As a one-way function, Diffie and Hellman suggested the discrete exponentiation function

f(x) = α^x (mod p),

where x is an integer, 1 ≤ x ≤ p – 1, and p is a k-bit prime number. The α < p number is chosen so that its powers modulo p form an ordered set of numbers {α^1, α^2, ..., α^(p–1)} that is a permutation of the {1, 2, ..., p – 1} number set. (Such a number α is called the primitive element modulo p.)
Even for a very large modulo p (for example, when k = 1024 bits), it is easy to compute the value of this function from a given x. The procedure of computing the function is called discrete exponentiation. To perform this procedure, it would suffice to perform about 2·log2(p) multiplications of k-bit numbers (or log2(p) multiplications and log2(p) divisions of 2k-bit numbers by k-bit numbers). The procedure of discrete exponentiation is based on the preliminary computation of the α^1, α^2, α^4, α^8, ..., α^(2^(k–1)) values (modulo p).
The inverse function for the discrete exponentiation is the f^–1(y) function, which sets the correspondence between the given value y and a value x for which the α^x = y (mod p) condition is true. The problem of finding such an x is called the discrete logarithm problem (finding the discrete logarithm). Discrete logarithms are hard to compute when the p – 1 number includes one large prime factor—for example, when it can be presented as p – 1 = 2p′, where p′ is a prime number. Under this condition, the complexity of the discrete logarithm problem is approximately equal to performing p^(1/2) multiplications modulo p. The solution to this problem is computationally impossible for large k values (for example, when k ≥ 512), and therefore, for the conditions posed on the choice of the p and α numbers, the discrete exponentiation function is one-way.
The Diffie-Hellman method of public key distribution is the following method of using discrete exponentiation to exchange private keys between network users, using only public messages. A large prime number p is chosen, as well as the corresponding primitive element α < p. (To provide for the security of the public encryption system being discussed, the following requirement is posed on the p number: the expansion of this number into factors must include at least one large prime factor; the size of the p number must be no less than 512 bits.)
The mechanism of private key distribution over a public channel is as follows. Every subscriber chooses a random private key x and computes the corresponding public key y according to the formula y = α^x (mod p).
It is easy to compute y from any value of x. However, when the size of the p number is 512 bits or more, it is computationally impossible to find the discrete logarithm, and therefore to find the number x for which α^x mod p is equal to the given y value. All subscribers place their public keys in a commonly available directory. This directory must be certified by a specially founded certification center, in order to exclude possible attacks involving public key substitution or using false public keys. If two subscribers, A and B, want to establish a secret connection, they act in the following way. Subscriber A takes B’s public key from the directory, and computes the shared private key using his (i.e., A’s) private key:

Z_AB = (y_B)^(x_A) = (α^(x_B))^(x_A) = α^(x_B·x_A) (mod p),

where y_A and y_B are A and B’s public keys, and x_A and x_B are the corresponding private keys. There is no need to transmit the shared private key Z_AB over a communication network because subscriber B computes its value in a similar fashion from A’s public key taken from the directory

Z_AB = (y_A)^(x_B) = (α^(x_A))^(x_B) = α^(x_B·x_A) (mod p).

An opponent (a possible intruder) knows the y_B = α^(x_B) (mod p) and y_A = α^(x_A) (mod p) values, but, to compute Z_AB, he must solve a complex discrete logarithm problem. The shared private key can be used by the subscribers to encrypt session secret keys, and those can be used to encrypt messages using symmetric encryption methods. The solution to the discrete logarithm problem exists, but it is computationally impossible. Thus, the security of the Diffie-Hellman method is based on the complexity of finding the discrete logarithm.
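
Discrete exponentiation and the Diffie-Hellman exchange just described, as one added example covering both passages (not the book's code): `modexp` is the square-and-multiply procedure, building α^1, α^2, α^4, ... (mod p) as it goes and multiplying in those whose exponent bit is set, about 2·log2(p) multiplications; `is_primitive_element` uses the p = 2p′ + 1 form to check that α has order p – 1; `dh_exchange` shows both subscribers arriving at the same Z_AB from public values only. The primes used are tiny constructed values so that the opponent's discrete logarithm can be brute-forced in the last function, which is precisely why the text demands a p of at least 512 bits.

```python
"""Discrete exponentiation and Diffie-Hellman key distribution.

Added example; not code from the book.  modexp() is square-and-multiply:
the powers alpha^(2^i) mod p are formed by repeated squaring and those
selected by the bits of x are multiplied together.  The parameters below
are tiny constructed values (p = 23 = 2*11 + 1, alpha = 5); real use needs
p of the size stated in the text.
"""


def modexp(alpha, x, p):
    """alpha^x mod p with about 2*log2(x) multiplications."""
    result, power = 1, alpha % p            # power runs through alpha^(2^i)
    while x:
        if x & 1:
            result = (result * power) % p
        power = (power * power) % p         # alpha^(2^(i+1)) from alpha^(2^i)
        x >>= 1
    return result


def is_primitive_element(alpha, p, p_prime):
    """For p = 2p' + 1 with p' prime the order of alpha divides 2p', so
    alpha is primitive iff alpha^2 != 1 and alpha^p' != 1 (mod p)."""
    return modexp(alpha, 2, p) != 1 and modexp(alpha, p_prime, p) != 1


def dh_exchange(p, alpha, x_a, x_b):
    """Both subscribers publish y = alpha^x and derive the same Z_AB.
    Returns (y_A, y_B, Z computed by A, Z computed by B)."""
    y_a = modexp(alpha, x_a, p)             # A's public key, goes to the directory
    y_b = modexp(alpha, x_b, p)             # B's public key
    z_a = modexp(y_b, x_a, p)               # A: (y_B)^(x_A)
    z_b = modexp(y_a, x_b, p)               # B: (y_A)^(x_B)
    return y_a, y_b, z_a, z_b


def discrete_log_bruteforce(alpha, y, p):
    """The opponent's problem: the x with alpha^x = y (mod p).  Exhaustive
    search over p - 1 candidates, feasible only because this p is tiny."""
    acc = 1
    for x in range(1, p):
        acc = (acc * alpha) % p
        if acc == y:
            return x
    return None
```

Because `z_a == z_b` holds for every choice of private keys, the shared key never crosses the channel; the brute-force function's running time, growing with p, is the quantity that the 512-bit requirement pushes out of reach.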
There are two basic problems in one-key cryptosystems:

Secret key distribution over a secure channel
Secret key authentication

By authentication, we mean a procedure that allows the receiver to become convinced that the secret key belongs to a valid sender (for example, a key distribution center).
The public key distribution system solves the first problem; in other words, it makes it possible to do without a secure channel when distributing secret keys. However, it doesn’t eliminate the necessity of authentication. It should be noted that in two-key cryptography, the authentication problem doesn’t go away, but rather moves to the foreground, since the key distribution problem is solved using its methods.

1.4.2 The Notion of a Cryptographic Protocol


The terms algorithm and protocol are often used in cryptography. Intuitively, their meaning is clear enough. They are widely used in other areas of science and technology. An algorithm is one of the main notions in programming and applied mathematics, just as a protocol is in communications. From now on in this book, by an algorithm we will mean a set of commands, actions, instructions, or computations that must be performed to obtain some result. In the process, new data can appear as the result of source data transformation, a random choice at some step of the algorithm, or the computer taking some measurements of the environmental parameters (the parameters of external objects). The algorithm is performed by a subject (computer).

By a protocol, we mean a collection of actions (instructions, commands, computations, algorithms) performed in a specified order by two or more subjects to obtain a certain result. The correctness of performing a protocol depends on the actions performed by each subject (user, subscriber) of the cryptosystem. A subject can be a workstation, a computer program, a radio transmitter, an artificial satellite, an operator, a server, an authority, and so forth. Subjects participating in protocols of a system usually act according to specified algorithms; in other words, an algorithm appears as an internal element of the protocol. For a protocol to lead to a desired goal, it is necessary to satisfy the following requirements:

The protocol must be correct—the set of actions specified by the protocol must allow you to obtain the required result under all possible conditions.
Completeness and unambiguity—the protocol must specify the actions of each participant for every possible situation.
Consistency—the results obtained by different participants mustn’t contradict each other.
Awareness and agreement of all the participants—each subject must know the protocol and all the steps he or she (or it) must perform; all the subjects must agree to play their roles.

Cryptographic protocols are protocols in which cryptographic data transformations are used. Even though cryptographic protocols often use some encryption algorithm, secrecy isn’t always their goal. For example, the parties of a cryptographic protocol may wish to simultaneously sign a contract, carry out computerized coin tossing, authenticate the participants of a conference, and so forth.
Enciphering data and computing one-way functions constitute the execution of corresponding algorithms. The schemes of user or remote workstation authentication and computerized coin tossing we discussed previously are examples of protocols. If a protocol uses a cryptographic function, the function must be secure. Even if encryption algorithms used are secure, this doesn’t ensure the protocol’s security. For a cryptographic protocol to be secure, it is necessary that the cryptographic algorithms used are secure under the conditions of this particular application.
In cryptosystems, the existence of a probable adversary is assumed (in practice, this theoretic notion is quite real). Developers of cryptographic algorithms and protocols take precautions, as far as possible, against an adversary’s (or adversaries’) possible actions, and try to ensure that the protocol’s goal is achieved with regard to all possible attacks. An attack on an algorithm, protocol, or cryptosystem is made up of the adversary’s actions, using which he or she tries to read a cryptogram, break a one-way function (i.e., compute the argument value by a function value), pretend to be another subject, create false messages, widen his authorization, and in general, create conditions under which the correctness of using the algorithms and protocols of the cryptosystem will be violated. If such actions are possible, it is said that the cryptosystem is vulnerable with respect to such-and-such an attack. Two types of adversaries can be distinguished by their actions: active and passive.
A passive adversary doesn’t take any action that causes the disorganization of a cryptographic protocol. His goal is to intercept messages that pass over the cryptosystem in order to read their contents, compute distributed keys, or discover the results of a vote or a coin tossing. Using radio communication to transfer messages creates conditions favorable for a passive adversary, under which an attack on the cryptosystem can be detected only indirectly. When using a wired means of communication, unauthorized connections reveal a passive adversary. However, it must be taken into account that he can use induced electromagnetic radiation.
An active adversary tries to create false messages, intercept and modify messages, get access to databases, widen his or her authorization, make a false public key, forge a signature, and so forth. When using a wired telephone communication, conditions are ripe for an active adversary, whereas, when using radio communication, the adversary’s actions can be easily detected. You will also need to foresee cases in which an active adversary is a valid user of the system.
According to their relationships with the organization using the cryptosystems (or other protection tools), adversaries can be divided into two types: internal and external.
An internal adversary is a person with certain valid authorization inside the organization he attacks, or a participant in a cryptographic protocol who tries to do harm to other participants of the protocol. Both internal and external adversaries can be active or passive. An attack by an internal adversary is called an internal attack.
An attack in which only external adversaries are involved is called an external attack. It is possible for external and internal adversaries to unite, thus creating the most serious threat to the secure operation of the cryptosystem. If there is an adversary among the developers, attacks that use trapdoors built into the algorithms that compute the key parameters or hard-to-detect harmful software viruses will also be possible.

1.4.3 Digital Signatures


Based on the aforementioned idea of using a trapdoor one-way function, Diffie and Hellman suggested a public-key cryptosystem structure for a multisubscriber network. Each subscriber—say, the ith—chooses a random value of the z_i parameter and keeps it secret. Next, he designs the E_zi algorithm and publishes it in a commonly available directory. He also designs the D_zi algorithm and keeps it secret. Any other subscriber—say, the jth—uses the public encrypting algorithm E_zi and computes the C = f_zi(M) cryptogram, which he then sends to the ith subscriber. Using the D_zi private algorithm, the ith subscriber computes the original plaintext: f_zi^–1(C) = M.
The authors of this generalized scheme of public-key encryption proved that it can be used to obtain digital signatures. In general, a digital signature is a number with a specific structure that makes it possible to use a public key to verify that this number was created for some message with the help of a private key. To implement a digital signature, you have to choose a trapdoor one-way function f_z so that for every value of the z parameter, the area of the definition of the f_z function coincides with its area of values. With this requirement, for every message that can be represented as a number from the area of definition of the f_z(x) function, the subscriber i can use the private algorithm to compute the S = f_zi^–1(M) number. (If the message is too long, it can be divided into parts of the necessary sizes, and each can be signed independently.)
Each user of the cryptosystem can restore the M message from the S value. If M is an understandable message, or if it can be correlated with such a message according to a pre-specified rule, the S value can be considered the i subscriber’s digital signature of the M message. Indeed, only the owner of the D_zi private algorithm can generate a “plaintext” text S that is encrypted to the understandable cryptogram M with the help of the E_zi algorithm, since only the i subscriber knows how to compute f_zi^–1.
The i subscriber can also send the j subscriber a signed secret message. To do this, he encrypts S using j’s public algorithm E_zj, thus obtaining the C = E_zj(S) cryptogram. Having received the encrypted message, the jth subscriber decrypts it with his secret algorithm D_zj(C) = S and then decrypts the S number with the ith subscriber’s public algorithm E_zi(S) = M. Therefore, the jth subscriber restores i’s signature and the original message with the received cryptogram C.
Using protocols based on symmetric cryptographic methods assumes that the
two parties trust each other. Public-key cryptosystems (asymmetric cryptosystems)
make it possible to implement interaction protocols for parties that don’t trust each
other. Digital signature systems are one of the most important examples of these. To
effectively use a digital signature in actual business relationships, it is necessary to
legalize it. For this, it is necessary to adopt corresponding national (or interna-
tional) laws, and support public key exchanging with a regular legal procedure that
will provide protection against public key repudiation.

1.4.4 The RSA Cryptosystem


The RSA cryptosystem is the most widely known digital signature system, and is the simplest one to understand. It was invented by R. Rivest, A. Shamir, and L. Adleman. Let’s examine this cryptosystem. According to Euler’s theorem that comes
Cryptography in the Information Age 43

from number theory, for every pair of relatively prime numbers $M$ and $n$, where $M < n$, the congruence $M^{\phi(n)} \equiv 1 \pmod n$ holds.
For M, we’re going to take the original message that needs to be signed or en-
crypted. The requirement of relative primeness of the M and n numbers will be satisfied
by choosing an n equal to the product of two large prime factors. In this case, the prob-
ability that a random message won’t be relatively prime with the modulus is negligibly
small. For a one-way transformation, we’re going to take modular exponentiation. With an exponent $e$, we have the encryption function $E$, which transforms the original message $M$ into the cryptogram $C = E(M) = M^e \pmod n$.
The parameter $e$ is considered public. It is computationally difficult to find $M$ from a known cryptogram $C$ with known $n$ and $e$. As the trapdoor of the corresponding one-way enciphering function $M^e \pmod n$, we’re also going to use exponentiation, but with a different exponent. The new exponent $d$ must be chosen so that the deciphering function $D(C) = C^d \pmod n$ is the inverse of $E(M) = M^e \pmod n$; in other words, the condition $M = D[E(M)] = (M^e)^d = M^{ed} \pmod n$ must hold.
From this equation, it follows that $ed \equiv 1 \pmod{\phi(n)}$. Thus, two exponentiations modulo $n$ are mutually inverse if the product of the exponents is congruent to one modulo the Euler function of $n$. The parameter $d$ is the key to the trapdoor, and therefore it is private. Now the problem is choosing suitable values for the exponents $e$ and $d$. Obviously, it is first necessary to find the value of the Euler function of $n$. For every prime number $p$, we have $\phi(p) = p - 1$. Since we choose $n = pq$ where both factors are prime numbers, then, using the multiplicative property of Euler’s function, we obtain $\phi(n) = \phi(pq) = \phi(p)\phi(q) = (p-1)(q-1)$.
Even as far back as Euclid’s time, it was known that if the integers $e$ and $m$ satisfy the conditions $0 < e < m$ and $\gcd(m, e) = 1$, then there is exactly one $d$ that satisfies $0 < d < m$ and $de \equiv 1 \pmod m$. Moreover, $d$ can be computed using the extended Euclidean algorithm.
Let’s turn to the following operating scheme of the RSA cryptosystem.
(1) Each user chooses two large, distinct prime numbers p and q, finds their product n = pq, and computes ϕ(n) = (p–1)(q–1).
One of the requirements for choosing p and q is that at least one of the num-
bers (p–1) or (q–1) must have one large prime factor. The size of the n value mod-
ulus must be no less than 512 bits. For important applications of an RSA system,
the recommended size of a modulus is 1,024 bits.
(2) Then, an integer e is chosen such that e < ϕ(n) and gcd(e, ϕ(n)) = 1, and a d is calculated that satisfies the condition ed ≡ 1 (mod ϕ(n)).
(3) A private key is a triplet of numbers—p, q, and d—that is kept secret.
(Actually, it will suffice to keep d secret, since the prime numbers p and q are only
necessary at the stage when the n modulo is chosen and the d number is computed.
After that, the p and q numbers can be destroyed.)
(4) The n and e pair of numbers is a public key that is available to all subscribers
of the RSA cryptosystem.
(5) The signing procedure for the message $M$ is raising the number $M$ to the power $d$ modulo $n$: $S = M^d \pmod n$.
(6) The verification procedure for the signature $S$ corresponding to the message $M$ is raising the number $S$ to the integer power $e$ modulo $n$: $M' = S^e \pmod n$.
If $M' = M$, then the message $M$ is recognized as signed by the user who previously provided the public key $e$. Obviously, writing $de = Q\phi(n) + 1$ for some integer $Q$,
$S^e = (M^d)^e = M^{de} = M^{Q\phi(n)+1} = M^{Q\phi(n)} M = (M^{\phi(n)})^Q M = 1^Q M = M \pmod n$,
that is, a cryptogram corresponding to a given public key and a given message can be generated only with knowledge of the private key $d$.
The security of an RSA cryptosystem is based on the complexity of factoring
a modulus into two large prime factors. If the problem of such factoring were
solved, it would be easy to compute Euler’s function of the modulus and then com-
pute the private key from the public key, using Euclid’s algorithm.
Up to the present, no practical feasible general ways to solve this problem for
a modulus 512 bits long or greater have been found. However, for special cases of
prime numbers p and q, the complexity of this problem decreases drastically, and
so when generating a private key in an RSA cryptosystem, it is necessary to perform
a number of special tests. Another peculiarity of the RSA cryptosystem is its multiplicativity, $E(M_1 M_2) = E(M_1)E(M_2) \pmod n$, which makes it possible for an adversary to use two signed messages to generate the signature of a third message $M_3 = M_1 M_2 \pmod n$. Since $M_3$ in the great majority of cases won’t be a comprehensible text, this peculiarity isn’t a disadvantage. In the RSA system, it is also necessary to take into account the following possibility. Having chosen an arbitrary value $S$, it is possible to compute the value $M' = S^e \pmod n$; in other words, an arbitrary value can be presented as the signature of a message. Of course, such forged messages are random. However, in some applications, it is sometimes required that you sign random messages. In such cases, the following scheme is used:

1. A prearranged binary vector $V$ with a length of $v = 64$ bits is appended to the message $T$, which you must sign and transmit over a public channel: $M = T \| V$.

2. The signature for the message $M$ is generated: $S = M^d \pmod n$.

3. The value $S$ is sent to the receiving party.

4. The receiver computes from the value $S$: $M' = S^e \pmod n$, $V' = M' \bmod 2^v$ and $T' = M' \operatorname{div} 2^v$.

5. If $V'$ is equal to the prearranged value $V$ (i.e., if the condition $V' = V$ holds), the receiving party decides that the message $T'$ is signed by the owner of the public key used to verify the signature. (The probability that a random message can be mistaken for a signed one is $2^{-v}$.)
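The RSA operating scheme above, together with the prearranged-vector scheme for random messages and the multiplicativity property, as an added Python example that is not the book’s code. The primes, $e$ and $V$ are constructed toy values, and $v$ is taken as 8 bits rather than 64 so that $T \| V$ still fits below the toy modulus.

```python
from math import gcd

# Constructed toy parameters: the primes are tiny so the arithmetic stays readable.
# A real RSA modulus must be at least 512 bits (1,024 bits recommended in the text).
P, Q, E = 1009, 1013, 17
V_BITS = 8          # length v of the prearranged vector (the text uses v = 64)
V = 0b10100101      # the prearranged binary vector V, constructed for this example


def keygen(p=P, q=Q, e=E):
    """Steps (1)-(4): n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)         # extended Euclidean algorithm, built into pow()
    return (n, e), d            # public key (n, e); private key d (p, q may be destroyed)


def sign(m, d, n):
    """Step (5): S = M^d (mod n); the message must already be a number below n."""
    if not 0 < m < n:
        raise ValueError("message must be reduced modulo n first")
    return pow(m, d, n)


def verify(m, s, e, n):
    """Step (6): M' = S^e (mod n); accept iff M' = M."""
    return pow(s, e, n) == m


def sign_with_marker(t, d, n):
    """Random-message scheme, steps 1-2: M = T || V, then S = M^d (mod n)."""
    return sign((t << V_BITS) | V, d, n)


def verify_with_marker(s, e, n):
    """Steps 4-5: M' = S^e, V' = M' mod 2^v, T' = M' div 2^v; accept iff V' = V.

    Returns the recovered T', or None when S does not carry the marker, which
    is what happens to an arbitrary S presented as a signature.
    """
    m_prime = pow(s, e, n)
    v_prime = m_prime % (1 << V_BITS)
    t_prime = m_prime >> V_BITS
    return t_prime if v_prime == V else None


def multiplicative_combination(m1, m2, s1, s2, n):
    """The multiplicativity noted in the text: S1*S2 verifies as a signature on M1*M2 (mod n)."""
    return (m1 * m2) % n, (s1 * s2) % n


def marker_false_accept_rate(e, n, trials=2000):
    """Fraction of the arbitrary values S = 1..trials that pass the marker check (about 2^-v)."""
    hits = sum(verify_with_marker(s, e, n) is not None for s in range(1, trials + 1))
    return hits / trials


if __name__ == "__main__":
    (n, e), d = keygen()
    s = sign(123456, d, n)
    print("plain RSA signature verifies:", verify(123456, s, e, n))
    print("T' recovered from marker signature:", verify_with_marker(sign_with_marker(3000, d, n), e, n))
    print("arbitrary S accepted as marked signature: %.4f" % marker_false_accept_rate(e, n))
```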

One useful feature of the public-key encryption system being discussed is that, when a message is encrypted with the keys of two or more users, the encryption procedures can be applied in any order. For example, let $C = E_1[E_2(M)]$; then $D_1[D_2(C)] = D_2[D_1(C)] = M$. This feature can be used in blind signature protocols or in computerized ballot systems.
Thus, the private key is used to sign messages, and the public key is used to verify the signature. To send subscriber A a secret message, any user can use A’s public key to generate the cryptogram $C = E_A(M)$. Only subscriber A can restore the message $M$ from the value $C$, because only he knows the private key corresponding to the public key used to create the cryptogram. In the RSA cryptosystem, signature generation is the same as the decryption procedure, and signature verification is the same as the encryption procedure.
The speed of encryption provided by two-key (asymmetric) ciphers is much lower than the speed of one-key (symmetric) cryptosystems. This is why hybrid cryptosystems, in which information is encrypted using one-key ciphers and session keys are distributed over a public channel with the help of two-key ciphers, are most effective. For example, using the RSA cryptosystem, it is easy to exchange a session key with any subscriber by encrypting the session key with his public key. The encrypted session key can be easily transmitted over a nonsecure communication channel, since the private key necessary for decryption belongs only to the subscriber whose public key was used for encryption. For directly encrypting information, two-key ciphers are of limited usefulness.

1.4.5 The El Gamal Digital Signature


Let’s now look at a digital signature system named after its inventor, Tahir El Gamal, and based on the public and private key generating scheme used in the Diffie-Hellman method. Let’s say that there is a large prime number $p$ such that the factorization of the number $p - 1$ includes at least one large prime factor, and a primitive element $\alpha$ modulo $p$.
The procedure of signing is as follows. A subscriber A chooses a private key $x_A$, with which he generates the public key $y_A = \alpha^{x_A} \pmod p$. A’s signature under the document $M$ (the signed message must have a length less than the prime modulus $p$; $M < p$) is the pair of numbers $(r, s)$ (where $0 \le r < p - 1$ and $0 \le s < p - 1$) that satisfies the equation $\alpha^M = y_A^r r^s \pmod p$.
This equation is used to verify the fact that the document was signed by subscriber A. (The value $y_A = \alpha^{x_A}$ is A’s public key, and it is available to all users, which makes it possible for anyone to verify that a given message was indeed signed by subscriber A.)
This digital signature system is based on the fact that only the true owner of the private key $x_A$ can generate the pair of numbers $(r, s)$ that satisfies the signature verification equation. Using the value $x_A$, subscriber A generates a digital signature according to the following algorithm:

Generate a random number $k$ that satisfies the conditions $0 < k < p - 1$ and $\gcd(k, p - 1) = 1$.
Compute $r = \alpha^k \pmod p$.
Compute $s$ from the equation $M = x_A r + k s \pmod{p - 1}$.

From number theory, it is known that the last equation has a solution for $s$ if $\gcd(k, p - 1) = 1$. This equation is easily obtained by substituting the value $r = \alpha^k \pmod p$ into the signature verification equation: $\alpha^M = \alpha^{x_A r} \alpha^{k s} = y_A^r r^s \pmod p$.
From the two last formulas, it is obvious that the owner of the private key can
sign the document, and his signature can be verified using the public key. Finding
the (r, s) pair of numbers without knowing the private key is computationally com-
plex. There can be many extremely different signatures corresponding to a given
document (note that k can have different values), but only the owner of the private
key can generate the correct signature. Possible signatures differ in their
r value, but it is practically impossible to find the corresponding s value for a given
r without knowing the private key. To compute the private key from the public one,
you need to solve a computationally complex discrete logarithm problem.
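The El Gamal signing algorithm and verification equation above as an added Python example (not the book’s code). The parameters are constructed toy values: $p = 10007$, for which $p - 1 = 2 \cdot 5003$ with 5003 prime, and $\alpha = 5$; the code checks that $\alpha$ is primitive and that $\gcd(k, p - 1) = 1$ before solving for $s$.

```python
import secrets
from math import gcd

# Constructed toy parameters (a real system uses a p of many hundreds of bits).
# p = 10007 is prime, p - 1 = 2 * 5003 with 5003 prime, which satisfies the
# "large prime factor" requirement, and alpha = 5 is a primitive element mod p.
P = 10007
ALPHA = 5
P_MINUS_1_FACTORS = (2, 5003)


def is_primitive_root(alpha, p=P, factors=P_MINUS_1_FACTORS):
    """alpha generates all of Z_p^* iff alpha^((p-1)/q) != 1 for each prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in factors)


def keygen(p=P, alpha=ALPHA):
    """Private key x_A, public key y_A = alpha^x_A (mod p)."""
    x = secrets.randbelow(p - 2) + 1              # 1 <= x_A <= p-2
    return x, pow(alpha, x, p)


def sign(m, x, p=P, alpha=ALPHA, k=None):
    """Signature (r, s): r = alpha^k (mod p), s solves M = x*r + k*s (mod p-1).

    k is the one-time random number. It must be coprime to p-1 so that
    s = k^-1 (M - x*r) (mod p-1) exists, and it must never be reused or kept.
    """
    if not 0 < m < p:
        raise ValueError("M must be below p; sign a hash of longer messages")
    if k is None:
        k = secrets.randbelow(p - 2) + 1          # 0 < k < p-1
        while gcd(k, p - 1) != 1:
            k = secrets.randbelow(p - 2) + 1
    elif gcd(k, p - 1) != 1:
        raise ValueError("k must satisfy gcd(k, p-1) = 1")
    r = pow(alpha, k, p)
    s = (pow(k, -1, p - 1) * (m - x * r)) % (p - 1)
    return r, s


def verify(m, sig, y, p=P, alpha=ALPHA):
    """Accept iff alpha^M = y^r * r^s (mod p), with r and s in the ranges the text gives."""
    r, s = sig
    if not (0 < r < p - 1 and 0 <= s < p - 1):
        return False
    return pow(alpha, m, p) == (pow(y, r, p) * pow(r, s, p)) % p


if __name__ == "__main__":
    x_a, y_a = keygen()
    sig = sign(4242, x_a)
    print("signature (r, s) =", sig)
    print("verifies:", verify(4242, sig, y_a))
    print("tampered message verifies:", verify(4243, sig, y_a))
```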
One peculiarity of the El Gamal digital signature is generating a random num-
ber k. In this cryptosystem, you aren’t allowed to use the same k value to generate
signatures for two different messages. This is connected with the fact that it is pos-
sible to compute the private key from two different signatures generated using the
same k values. In addition, the k values used during generation are to be destroyed.
If an adversary gets the k value, he will be able to compute the private key. Systems
that are actually used generate a random k number with a large size, and implement
a mechanism for destroying the number after generating the signature. In a pro-
gram implementation, a scheme of digital signing is provided in which the number
k only appears in the processor registers and the random-access memory, and the
destroying mechanism involves writing a random value at the memory location
that just held the k value.
Earlier in this chapter, we looked at two-key cryptography schemes that make it possible to sign messages that have a limited length (about $10^3$ bits). If a message
has a large size, the straightforward use of such schemes requires that you split the
original message into a large number of smaller blocks and generate as many sig-
natures as there are message blocks. This significantly complicates the task of stor-
ing the signatures and the signed messages in a database containing many signed
documents. To simplify this problem, it is not the document itself that is signed,
but its small digital image obtained according to special cryptographic procedures
called hashing.
The hashing algorithm must be one that provides for the computational im-
possibility of finding two messages with the same value for the digital image (the
hash function value of the message). Currently, there are algorithms that comply
with this requirement and make it possible to compute the hash function value of
a given document. Rather than sign many separate parts of a document, actual digital signature systems compute the hash function of a document and sign the hash function value. If the hash function value is signed, the document is considered signed.

1.4.6 The Chaum Blind Signature


The notion of the blind signature was first introduced by David Chaum, who also
suggested the first variants of its implementation. By a blind signature, we mean a
two-key cryptosystem that makes it possible to sign electronic messages so that the
signing party has no access to the information contained in the message being
signed. This requirement, far-fetched and absurd at first glance, is very important
for a number of cryptographic protocols. For example, blind signatures are used in
computerized voting systems and for digital cash; in other words, in cryptographic
protocols where it is necessary to provide untraceability. The blind signature pro-
cedure itself requires that one of the participants agree that he may be subject to a
certain penalty consisting of obligations that he or she would likely prefer not to
undertake.
In actual protocols where blind signatures are used, there are also procedures
that assure the signing party that he won’t be cheated. This assurance is based on
certain additional procedures and conventions that put limitations and responsi-
bility on the party that is submitting a document for a blind signature. Naturally,
either party must agree to a certain risk and have a certain assurance; otherwise, it
would be impossible to solve the problem both parties want to solve. For example,
when using a DS system, users take the risk that someone may compute their
private keys. The assurance of their interests lies in the high complexity of private
key computation. Another type of assurance used in cryptographic protocols is the
low probability of replicating random numbers if they are long enough. With the
blind signature protocol, it is possible to solve some important practical problems
(such as building a computerized voting system, using digital cash, etc.).
Let’s examine the Chaum digital signature protocol based on the RSA cryp-
tosystem with which you are already familiar. Suppose subject A wants subject B to
sign message M. To do this, it is necessary to perform the following steps.

1. User A (the subjects are users of this cryptosystem) generates a random prime number $k$ such that $\gcd(k, N) = 1$, where $N$ is a part of B’s public key; in other words, the modulus used for computations. Then, he computes the value $M' = k^e M \pmod N$ and submits it for signing. The signer cannot read the message $M$ because it is encrypted with a one-time key, $k^e$, by means of the modular multiplication operation.
2. User B signs the message $M'$ according to the procedure of signing a message in the RSA system:

$S' = (k^e M)^d = k M^d \pmod N$.

3. Having generated the signature $S'$, the signer cannot read the value $M^d$, since it was encrypted by applying the one-time key $k$ to it. If the signer could find out the value $M^d$, he could easily compute $M$: $(M^d)^e = M \pmod N$. This means that, having obtained the value $M^d \pmod N$ (which is the goal of the blind signature protocol), user A must keep it secret from the signer.
4. Now, using the extended Euclidean algorithm, user A takes $k$ and computes its multiplicative inverse $k^{-1}$ among the residues modulo $N$, and restores the signature for the message $M$:

$S = k^{-1} S' = k^{-1} k M^d = M^d \pmod N$.

Thus the goal is achieved—user A has generated B’s correct signature corre-
sponding to the M message, and he is sure the signer doesn’t know the contents of
the M message.
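The blind signature exchange above as an added Python example (not the book’s code), with a constructed toy RSA key for the signer B. One assumption differs from the text: $k$ is drawn as any number coprime to $N$ rather than a prime, since $\gcd(k, N) = 1$ is the property the unblinding step relies on.

```python
import secrets
from math import gcd

# Constructed toy RSA key for the signer B (tiny primes for readability; the
# text asks for a 1,024-bit modulus in practice). Public key (N, e), private key d.
P_B, Q_B, E_B = 1009, 1013, 17
N_B = P_B * Q_B
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def blind(m, e=E_B, n=N_B):
    """Step 1 (user A): choose k with gcd(k, N) = 1 and form M' = k^e * M (mod N).

    The text draws k as a random prime; this example (an assumption) accepts any
    k coprime to N, which is what the unblinding step needs.
    """
    if not 0 < m < n:
        raise ValueError("message must be a residue modulo N")
    while True:
        k = secrets.randbelow(n - 2) + 2          # 2 <= k <= N-1
        if gcd(k, n) == 1:
            break
    return (pow(k, e, n) * m) % n, k              # A keeps k to itself


def sign_blindly(m_blinded, d=D_B, n=N_B):
    """Step 2 (signer B): plain RSA signing, S' = (k^e M)^d = k M^d (mod N)."""
    return pow(m_blinded, d, n)


def unblind(s_blinded, k, n=N_B):
    """Step 4 (user A): S = k^-1 S' = M^d (mod N); pow(k, -1, n) is the
    extended Euclidean inverse of k modulo N."""
    return (pow(k, -1, n) * s_blinded) % n


def verify(m, s, e=E_B, n=N_B):
    """Ordinary RSA verification: S^e = M (mod N)."""
    return pow(s, e, n) == m


def run_protocol(m):
    """Whole exchange; returns (signature on M, the value the signer actually saw)."""
    m_blinded, k = blind(m)
    s_blinded = sign_blindly(m_blinded)
    return unblind(s_blinded, k), m_blinded


if __name__ == "__main__":
    s, seen = run_protocol(777)
    print("signer saw M' =", seen, "(not 777)")
    print("unblinded signature verifies as B's signature on 777:", verify(777, s))
```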

1.4.7 Types of Attacks on a Digital Signature


In the digital signature system, three cryptographic algorithms are used: the
algorithm of generating a signature with the private key, the algorithm of verifying
a signature with the public key, and the algorithm of computing the hash function
of the message being signed. The algorithms of generating the private and public
keys can also be said to have a mathematical foundation. Operating actual systems
also requires a legal, organizational, software, and hardware basis. The legal basis
includes adopting laws that legalize digital signatures. The organizational basis in-
cludes user registration in a trust center and the signing of documents between the
user and the trust center (or between two users) that states their responsibility for
the public keys exchanged. The software and hardware basis includes a set of soft-
ware and hardware tools that make it possible to perform complex computations
and provide for the security of a database containing signed documents and signa-
ture samples for them.
The possible types of attacks against a digital signature can be divided into sev-
eral groups:

Attacks on cryptographic algorithms
Attacks related to protocol violations
Attacks related to violations of the integrity of a digital signature system

An attacker can be an external subject, or the signing party (signature repudiation), or the signature verifying party (creating a false signature).
Attacks on cryptographic algorithms involve solving complex mathematical
problems, such as finding a discrete logarithm modulo of some large prime num-
ber. An attacker has very little hope of success. Such an attack can be launched
against a two-key cryptographic algorithm or a hash function. In the case of the
former, the signature is forged, while in the latter case the document is forged. At-
tacks related to protocol violations include, for example, the replication of signed
messages, or delaying messages. To prevent such actions, the document includes special fields in which the date and the number of the document are specified. It is
also necessary to use mechanisms that protect against the repudiation of message
reception.
Attacks related to violations of the digital signature system’s integrity are the
most diversified ones. They include deleting a signed message from the database,
private key interception using software or hardware tools, using a false public key,
and replacing a public key in the database. These examples illustrate that many at-
tacks are related to unauthorized access to the data in the digital signature system.
The safe operation of a digital signature system requires a secure environment.
Attacks on a cryptosystem can also be based on assigning the system user a false
digital signature or by taking advantage of hidden vulnerabilities of facilities meant
to protect against unauthorized access, or on forced use of some system software or
an application that has built-in undocumented viruses. To prevent this, cryptographic
tools and facilities that protect against unauthorized access must be certified by spe-
cial organizations.

1.5 PROBABILISTIC CIPHERS

One promising method of increasing the security of known ciphers is making the
enciphering process nondeterministic. This idea can be implemented by introduc-
ing random data into the message being transformed. If data-dependent operations
or procedures are used in an enciphering mechanism (as in the RC5 cipher), the
operations themselves will change randomly. The idea of introducing probabilistic
elements in the enciphering process pursues the goal of hampering the use of the
general principle of block cipher cryptanalysis that is based on attempts to reveal
the statistical properties of the encryption algorithm; for example, by choosing spe-
cial original texts or cryptograms.

1.5.1 Homophonic Ciphers


Cryptograms obtained by using monoalphabetic or polyalphabetic substitution are
easily disclosed by a frequency cryptanalysis. To hide the frequency properties of
the message source, and thus hamper the cryptanalysis, a homophonic (or mono-
phonic) encryption method can be used, which involves equalizing the frequencies
of the cryptogram characters; in other words, using cryptographic transformations
that will produce cryptograms using each character used to write down the cipher-
text an equal number of times. The simplest homophonic encryption method is the
following. Let’s say there is a message source with known statistical properties. We denote the frequency of occurrence of every letter of the original alphabet by an integer number $f_i$, where $i$ is the number of the letter in the alphabet: $f_1, f_2, \ldots, f_L$, where $L$ is the number of letters in the original alphabet. We’ll match each letter $T_i$ of the original alphabet, where $i = 1, 2, \ldots, L$, with a subset $\Psi_i$ of the output alphabet (i.e., the alphabet used to write down the cryptogram). We specify these subsets with two requirements: no pair of subsets can include the same elements, and the number of different characters in the subset $\Psi_i$ is equal to $f_i$.
We’re going to perform encryption by substituting each letter $T_i$ of the original text with a randomly chosen character from the subset $\Psi_i$. Then, when a given letter $T_i$ of the original text is repeatedly substituted with characters of the subset $\Psi_i$, the characters of that subset will be used, on average, an equal number of times. This number is inversely proportional to the number of elements in the subset $\Psi_i$; in other words, it is directly proportional to $1/f_i$. The frequency of accessing the subset $\Psi_i$ is equal to the frequency of occurrence of the letter $T_i$ in the original text; in other words, it is directly proportional to $f_i$. From these ratios, we conclude that the average frequencies of all the characters of the output alphabet in a cryptogram are equal. Decryption isn’t difficult: using a character of the cryptogram, we determine its corresponding subset, and from the subset, we determine the letter of the original alphabet. The described encryption method requires using $f_1 + f_2 + \ldots + f_L$ characters in the output alphabet. The most important feature of this method is that the transformation includes a probabilistic process: choosing a random element from the given subset.
The described method isn’t of great interest for practice now, but the basic
idea of introducing randomness into the encryption process can be used when
designing modern probabilistic block ciphers.
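The homophonic method above as an added Python example (not the book’s code): a constructed five-letter source with integer frequencies $f_i$, disjoint subsets $\Psi_i$ of size $f_i$, random substitution, table-driven decryption, and a measurement showing that the output symbol frequencies flatten while the letter frequencies of the plaintext do not.

```python
import secrets
from collections import Counter

# Constructed toy message source: letters T_i with integer frequencies f_i.
# (A made-up five-letter alphabet, not real language statistics.)
FREQS = {"a": 4, "b": 2, "c": 1, "d": 2, "e": 1}


def build_subsets(freqs):
    """Assign each letter T_i a subset Psi_i of exactly f_i output symbols.

    The output alphabet has f_1 + ... + f_L symbols, here the integers
    0 .. sum(f)-1, handed out consecutively so that no two subsets overlap.
    """
    subsets, next_symbol = {}, 0
    for letter, f in freqs.items():
        subsets[letter] = list(range(next_symbol, next_symbol + f))
        next_symbol += f
    return subsets


def inverse_table(subsets):
    """Output symbol -> letter; well defined because the subsets are disjoint."""
    return {sym: letter for letter, subset in subsets.items() for sym in subset}


def encrypt(text, subsets):
    """Replace each letter T_i with a uniformly random member of Psi_i."""
    return [secrets.choice(subsets[ch]) for ch in text]


def decrypt(symbols, subsets):
    """Decryption is a plain lookup: symbol -> subset -> letter."""
    table = inverse_table(subsets)
    return "".join(table[s] for s in symbols)


def sample_source(freqs, length):
    """Constructed source: emit letters with probabilities proportional to f_i."""
    population = [ch for ch, f in freqs.items() for _ in range(f)]
    return "".join(secrets.choice(population) for _ in range(length))


def frequency_spread(sequence):
    """max/min symbol count over the sequence; 1.0 means perfectly flat statistics."""
    counts = Counter(sequence)
    return max(counts.values()) / min(counts.values())


if __name__ == "__main__":
    subsets = build_subsets(FREQS)
    plain = sample_source(FREQS, 10_000)
    cipher = encrypt(plain, subsets)
    assert decrypt(cipher, subsets) == plain
    print("letter frequency spread in plaintext:  %.2f" % frequency_spread(plain))
    print("symbol frequency spread in cryptogram: %.2f" % frequency_spread(cipher))
```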

1.5.2 Ciphers with a Simple Probabilistic Mechanism


In the previous sections, we examined a number of ciphers in which data-dependent
transformation operations are used. Such operations aren’t predefined, and vary
from one input block to another. If such encryption mechanisms are used to trans-
form random data, the operations will vary randomly. “Mixing up” random data
with the message being encrypted makes it possible to impart random features to
the transformation operations, thus enhancing the computational security of the
system. Let $E$ be a $b$-bit encryption function, $P$ a $p$-bit block of plaintext, and $R$ an $r$-bit random block, where $b = r + p$. Supply the block $B = R\|P$ at the input of the encryption function, where the “$\|$” character denotes the concatenation of the two binary vectors $R$ and $P$: $P \to B = R\|P \to C = E(B, K)$, where $K$ is the encryption key. Since the size of the input block increases during encryption, this encryption maps the given block of the plaintext $P$ on a large set of ciphertext blocks $\{C_1, C_2, \ldots, C_n\}$, where $n = 2^r$. The general scheme of a probabilistic cipher with a
simple mechanism of appending random data is shown in Figure 1.11. The random
number generator (RNG), and the encryption algorithm implementing the E en-
cryption function, are internal components of the enciphering device. It is assumed
that the RNG is located in a protected part of the enciphering device, and that an
adversary cannot replace it (i.e., the adversary has no access to the R value). This as-
sumption is acceptable, since enciphering devices are designed to provide protec-
tion against encryption algorithm substitution, as well as against reading and
copying the key. When decrypting a block of ciphertext, the valid user who owns
the private key restores the B = R||P block, after which the R value is discarded and
the original message P is separated.
When choosing various values of the b/p ratio, it is possible to control the en-
cryption strength. The greater this ratio, the greater the strength. The difference
between probabilistic encryption and a cryptoscheme with frequently changing ses-
sion keys is that it doesn’t significantly decrease the encryption speed when using
ciphers with a precalculation stage, during which the encryption key is generated
using the session key. The probabilistic encryption scheme makes it possible to
control the decrease of the transformation speed. If the function $E$ has the initial transformation speed $s_0$, the speed of the probabilistic encryption is $s = s_0 (b - r)/b$.
There were a number of successful attacks on the DES, RC5, and Blowfish
cryptosystems when a small number of enciphering rounds was used. Obviously,
one can choose a size of a random block R that will make reduced versions of these
ciphers secure against known attacks. For this purpose, the r = b – 1 value will do.
Ciphers with a simple probabilistic mechanism have the following advantages:

The security of the known block ciphers can be significantly increased.
In a sense, it is possible to control the cipher’s security by choosing various values for the r/b ratio.
The probabilistic cryptoscheme makes it possible to use new mechanisms of specifying the dependence between ciphering procedures and the private key.

The cost of these advantages is in the following drawbacks:

The speed decreases by a factor of r/b.
Ciphertext blocks are longer than plaintext blocks.

The latter disadvantage puts significant limitations on using probabilistic
ciphers in computer systems. To compensate for the expansion effect, it is possible
to compress the original message beforehand. In some cases, this method makes it
possible to design probabilistic ciphers in which the ciphertext length is equal to the
length of the original message. (It is interesting to note that the compression of data
before their encryption significantly increases the encryption’s security against
ciphertext attacks. However, pre-compressing information doesn’t increase the
encryption’s security against known plaintext or chosen-text attacks, since, according to Kerckhoffs’s principle, we must assume that the cryptanalyst knows the compression algorithm used.)

1.5.3 Probabilistic Combination of Data Bits and Random Bits


The aforementioned simple probabilistic encryption mechanism, based on gener-
ating a ciphered data block by combining random and data bits, can be used to in-
crease encryption security when using many of the known block cryptoalgorithms.
In regard to many types of attacks, this problem is solved with a relatively small
ratio of random bits to data bits. However, for some known ciphers vulnerable to
differential (DCA) and linear (LCA) cryptanalysis, strengthening on the basis of
this probabilistic encryption method (including the patented variant of random
and data bit combination depending on the private key) requires that you signifi-
cantly increase the portion of random bits—up to 80 percent or more. This results
in noticeably decreasing the effective encryption speed, and significantly increasing
the ciphertext size.
In this section, we’ll look at variants of making this probabilistic encryption
method more effective for a small portion of random bits when using encryption
procedures with good diffusion properties, but possibly, with unexpected vulnera-
bilities to DCA and LCA. These variants can be also used to protect against possi-
ble attacks using trapdoors in cryptoalgorithms.
The probabilistic enciphering scheme is shown in Figure 1.11, where the random number generator (RNG) is assumed to be an internal component of a ciphering device unavailable to an attacker. Let $E$ be a $b$-bit encryption function, $T$ a $t$-bit block of plaintext, and $R$ an $r$-bit random block, where $t < b$ and $r = b - t$. Supply the data block $B = R\|T$ at the input of the encryption function $E$. The original text $T$ is transformed as

$T \to B = R\|T \to C = E(B, K)$,

FIGURE 1.11 The basic scheme of probabilistic encryption.

where $K$ is the encryption key. Since the size of the input block increases during encryption, such encryption maps a given text $T$ to a large set of ciphertext blocks $\{C_1, C_2, \ldots, C_n\}$, where $n = 2^r$. When decrypting the block of the ciphertext, the valid user who owns the private key restores the block $B = R\|T$, after which the value $R$ is discarded, and the original message $T$ is separated. When choosing various values of the $b/t$ ratio, it is possible to control the encryption strength. The greater this ratio, the greater the strength.
Obviously, the encryption speed decreases by a factor of b/t = 1 + r/t, and the
size of the C ciphertext increases by the same factor.
In the first variant of enhancing the probabilistic encryption, the decrease in
the r/t ratio, with a significant growth in security, can be achieved by using a non-
deterministic mix of random and data bits. To implement this idea, a random bi-
nary vector is divided into two parts with a pre-specified length: R = R1||R2. Then,
prior to carrying out encryption transformations over the R2||T binary vector, a bit
permutation is done, which depends on the R1 random value that specifies
randomly mixing the bits of the T message and those of the R2 random value. For
bit mixing, it is possible to use controlled operational permutation boxes P, used
earlier as a basic cryptographic primitive to design secure fast ciphers. The permu-
tation performed by a P box depends on the value of the control vector V that is
generated depending on R1. The sequence of transformations in a variant with a
random combination of data and random bits (Figure 1.12) is:

$T \to R_2\|T \to P_V(R_2\|T) \to R_1\|P_V(R_2\|T) \to E_K(R_1\|P_V(R_2\|T))$.

FIGURE 1.12 A scheme with a probabilistic mix of random and data bits.

In typical P boxes, the length v of the V control vector is at least twice the length of the R2||T (r2 + t) vector being transformed. In this case, it is assumed that the r1 < r2 + t < v condition is true, so the control vector can be created, for example, by repeatedly replicating the R1 vector (V = R1||...||R1||R1), or by alternating R1 and the K1 fragment of the private key (V = R1||K1||R1||K1). In the latter case, mixing the bits of R2 and T is done probabilistically, depending on the private key.
Increasing the security against DCA and LCA is connected with the probabilistic distribution of the data bits over the bit positions of the data block being encrypted. For example, when performing a chosen-plaintext DCA, the probability of getting two data blocks with a given difference is significantly small for r1, r2 = 8. When b = 64 and 128, this corresponds to a rather small portion of random bits (25% and 12%, respectively).
The second way to make a simple probabilistic encryption scheme more secure is related to the idea of pre-encrypting an original text T using a randomly generated value R as a one-time pre-encryption key (Figure 1.13). The transformation sequence is:

T → E′_R(T) → E′′_K(R||E′_R(T)).

FIGURE 1.13 A pre-encryption scheme with a random vector.
FIGURE 1.14 Two-stage probabilistic encryption.

Strengthening is done using additional transformations with a one-time key whose duplication probability is about 2^(–r) during attacks based on the chosen T and C values (due to good diffusion properties of E′′ encryption procedures). When doing the pre-encryption, the basic scheme of probabilistic encryption can be used, which will lead to the following transformation sequence (Figure 1.14):

T → R2||T → E′_{R1}(R2||T) → E′′_K(R1||E′_{R1}(R2||T)).

This case relates to the third variant of increasing security, and it is a generalization of the first variant, in which mixing up random and data bits can be considered a special case of encrypting transformation.
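The first variant (Figure 1.12, a controlled permutation P_V driven by V = R1||...||R1) and the third, two-stage variant (Figure 1.14) as an added Python example; this is not the book's code. The block cipher E_K (also used as E′′ and, keyed by R1, as E′) and the P box are constructed stand-ins: a SHA-256-based toy Feistel cipher and a four-layer network of controlled swaps; the sizes follow the text's b = 64 with r1 = r2 = 8.

```python
import hashlib
import os

# Constructed sizes: a 64-bit cipher block b = r1 + r2 + t, as in the text's
# b = 64, r1 = r2 = 8 example.  MIX_BITS is the width of R2||T fed to the P box.
R1_BITS, R2_BITS, T_BITS = 8, 8, 48
MIX_BITS = R2_BITS + T_BITS                     # 56
CTRL_BITS = 2 * MIX_BITS                        # v = 112 = 14 copies of R1
ROUNDS = 8

def to_bits(x, n):
    """Integer -> list of n bits, most significant bit first."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def from_bits(bits):
    """List of bits (MSB first) -> integer."""
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out

def feistel(key, block, nbits, decrypt=False):
    """Toy Feistel cipher on an nbits-wide block (nbits even): ROUNDS rounds whose
    round function is SHA-256 of (key, round index, half block).  It stands in
    for the real block cipher E_K / E'' and, keyed by R1, for the one-time E'_R1."""
    half = nbits // 2
    mask = (1 << half) - 1
    left, right = block >> half, block & mask
    order = range(ROUNDS)
    for i in (reversed(order) if decrypt else order):
        src = left if decrypt else right
        digest = hashlib.sha256(key + bytes([i]) + src.to_bytes(8, "big")).digest()
        f = int.from_bytes(digest, "big") & mask
        if decrypt:
            left, right = right ^ f, left       # undo (L, R) -> (R, L ^ f(R))
        else:
            left, right = right, left ^ f
    return (left << half) | right

def control_vector(r1):
    """V = R1||...||R1: the 8-bit R1 replicated to fill the 112 control bits."""
    return to_bits(r1, R1_BITS) * (CTRL_BITS // R1_BITS)

def cp_box(bits, control, inverse=False):
    """Controlled permutation P_V on 56 bits (constructed design): four layers,
    each of 28 controlled swaps of bit i with bit i+28 (swap iff the control
    bit is 1), with a fixed rotation by 7 positions between the layers."""
    h = len(bits) // 2
    out = list(bits)
    layers = range(len(control) // h)
    for layer in (reversed(layers) if inverse else layers):
        if inverse:
            out = out[-7:] + out[:-7]           # undo this layer's rotation
        for i, c in enumerate(control[layer * h:(layer + 1) * h]):
            if c:
                out[i], out[i + h] = out[i + h], out[i]
        if not inverse:
            out = out[7:] + out[:7]
    return out

def split_random(rand):
    """Draw R = R1||R2 (8 bits each) from the supplied byte source."""
    r = int.from_bytes(rand(2), "big")
    return r >> R2_BITS, r & ((1 << R2_BITS) - 1)

def encrypt_mixed(key, t, rand=os.urandom):
    """Variant 1 (Figure 1.12): T -> R2||T -> P_V(R2||T) -> E_K(R1 || P_V(R2||T))."""
    assert 0 <= t < (1 << T_BITS)
    r1, r2 = split_random(rand)
    mixed = cp_box(to_bits((r2 << T_BITS) | t, MIX_BITS), control_vector(r1))
    return feistel(key, (r1 << MIX_BITS) | from_bits(mixed), 64)

def decrypt_mixed(key, c):
    """Invert E_K, read R1 from the top bits, undo P_V, discard R2, keep T."""
    block = feistel(key, c, 64, decrypt=True)
    r1, mixed = block >> MIX_BITS, to_bits(block & ((1 << MIX_BITS) - 1), MIX_BITS)
    r2_t = from_bits(cp_box(mixed, control_vector(r1), inverse=True))
    return r2_t & ((1 << T_BITS) - 1)

def encrypt_two_stage(key, t, rand=os.urandom):
    """Variant 3 (Figure 1.14): T -> R2||T -> E'_R1(R2||T) -> E''_K(R1 || E'_R1(R2||T)),
    with R1 serving as the one-time pre-encryption key."""
    assert 0 <= t < (1 << T_BITS)
    r1, r2 = split_random(rand)
    inner = feistel(bytes([r1]), (r2 << T_BITS) | t, MIX_BITS)
    return feistel(key, (r1 << MIX_BITS) | inner, 64)

def decrypt_two_stage(key, c):
    """Invert E''_K, recover the one-time key R1, invert E'_R1, discard R2."""
    block = feistel(key, c, 64, decrypt=True)
    r1, inner = block >> MIX_BITS, block & ((1 << MIX_BITS) - 1)
    return feistel(bytes([r1]), inner, MIX_BITS, decrypt=True) & ((1 << T_BITS) - 1)
```

Because R1 sits in the top bits of the block and E_K is a bijection, two encryptions of the same T with different R always give different cryptograms, while both decrypt to T.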
For a hardware implementation, the first variant is the most cost-effective, while the second and third variants are the most cost-effective for a software implementation. From the standpoint of increasing security, the third variant is best. In general, the increase in security in the variants discussed is related to the fact that the ratios that connect the T and C pairs of values also include a random (pseudorandom) value R during chosen-plaintext T attacks (chosen-ciphertext C attacks).
These probabilistic encryption methods seem to be quite effective for insuring against unexpected weaknesses of the encryption algorithm used, and against built-in trapdoors. Expanding the ciphertext block puts significant limitations on using probabilistic ciphers in computer systems. To compensate for the expansion effect, it is possible to compress the original message beforehand. In some cases, this method makes it possible to design probabilistic ciphers in which the ciphertext length is equal to the length of the original message. Besides which, compressing data before they are encrypted significantly increases the security of the encryption. For many applications in telecommunication systems, this variant of probabilistic encryption can be used without significant limitations.

1.5.4 Probabilistic Mechanisms in Two-Key Ciphers


In two-key cryptosystems, enciphering is done according to a widely known enciphering algorithm E_z (a public key), and so the following attack is possible in principle. Having an E_z ciphertext, in order to find the original text T, a cryptanalyst can randomly choose different variants of possible plaintexts T′_i and compute the corresponding cryptograms C′_1 = E_z(T′_1), C′_2 = E_z(T′_2), ..., C′_m = E_z(T′_m). If he guesses the true original text, it will be clear from the C′ = C equation. In such a cryptanalytic scheme, each unsuccessful attempt gives the cryptanalyst certain information, since it decreases the number of remaining variants of possible original texts.
Naturally, the probability of choosing the correct original text is extremely low for typical original message sizes, so this attack is not likely to succeed in actual practice unless this probability is relatively large. Right now, we are only concerned with the fact that some information about the original message might be leaked. However, one might imagine the following situation, in which such an attack could be highly effective. Suppose an administrative center sends its subordinates instructions (plaintexts) as documents that have a certain format and style. In this case, various plaintexts differ only in certain fields of a spreadsheet. Besides which, a standard style of instructions will lead in some cases to a situation in which only a small part of an original message is unknown to the cryptanalyst (for example, the date, the amount of money paid, the name of a contractor, etc.).
Probabilistic mechanisms make it possible to prevent an information leakage in the foregoing cryptanalytic method. As with one-key cryptosystems, when probabilistic encryption mechanisms are used in two-key ciphers, a given original text is mapped to a set of possible cryptograms {C1, C2, ..., CN}, each of which is decrypted with a secret decryption algorithm D_z (a private key) to the same original text T: T = D_z(C1) = D_z(C2) = ... = D_z(CN). This is only possible if the length of the ciphertext is greater than that of the original text. If the length of the ciphertext is r bits greater than the length of the original text, it is possible to design a probabilistic mechanism such that the number of ciphertexts corresponding to a given plaintext is N = 2^r. During probabilistic encryption, for the given text T, we generate one of the possible cryptograms, for example Ci, chosen from the {C1, C2, ..., CN} set according to the probabilistic law.
A cryptanalyst can correctly choose the original text, but he cannot verify this fact, since, when encrypting, he will generally obtain another cryptogram from the set of possible variants. Having encrypted T, the cryptanalyst will get Cj = E_z(T). The probability that Cj = Ci is 1/N. The cryptanalyst has to guess both the original text and the value of the randomly selected parameter that controls the probabilistic encryption process.

1.5.5 The El Gamal Public Cipher


Let’s now look at the El Gamal enciphering algorithm. This method is based on discrete exponentiation procedures, and is outlined here. As in the Diffie-Hellman public key distribution method, a large prime number p and its corresponding primitive element α are chosen. Each user of the secure network chooses a private key x, computes his public key y = α^x (mod p), and puts y into a certified directory. To send the ith user a secret message T, the sender must perform the following steps:

1. Choose a random number R that is relatively prime to the p–1 number.
2. Compute the C′ = α^R (mod p) value.
3. Compute C′′ = y^R·T (mod p) from the ith user’s public key.
4. Send the ith user the (C′, C′′) cryptogram.

In this method, the length of the ciphertext is approximately twice the length of the original text, and a given plaintext is matched by no less than 2^k different cryptograms (k is the length of the p modulus in bits). Having received the (C′, C′′) cryptogram, the user i can easily compute the T = C′′/(C′)^x (mod p) original text. Indeed,

(C′)^x = (α^R)^x = α^(Rx) (mod p)

C′′/(C′)^x = y^R·T/α^(Rx) = (α^x)^R·T/α^(Rx) = α^(xR)·T/α^(Rx) = T (mod p).

With two-key ciphers, for a general method of introducing randomness into the enciphering process, one can use a simple mechanism of adding random data to the message being enciphered. In this case, a size t for the original text block is stipulated, and a random binary vector is appended to the most significant bit side, for example. The structure of the B block being encrypted can be the following: B = R||T, where R is a random number and T is a block of the original text. Obviously, the numeric value of the B block mustn’t exceed the maximum valid value for the cryptosystem used. This is why the b size of the B block must be such that its maximum value doesn’t go beyond the range of valid values. For example, in the RSA cipher, the B value must be less than the n = pq modulus. Therefore, we obtain the 2^b < n, or b < log2 n, condition.
If these requirements are met, the steps of enciphering an original text are described in this way:

T → B = R||T → C = E_z(R||T),

and deciphering the cryptogram is done as follows:

C → B = D_z(C) → R||T → T.

Any message can be divided into texts of the required size, and each can be encrypted using probabilistic encryption.
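The four El Gamal steps from Section 1.5.5 together with the B = R||T random-padding mechanism just described, as an added Python example that is not the book's code. The 20-bit prime p = 1000003 and the block sizes t = r = 8 are constructed toy parameters chosen so that 2^b < p; a real deployment uses a prime of at least 2048 bits, and the key and padding values below are constructed too.

```python
import math
import secrets

P = 1000003              # constructed toy prime; real systems use >= 2048-bit primes
T_BITS = 8               # t: size of the plaintext block in bits
R_BITS = 8               # r: random padding bits; b = r + t must satisfy 2^b < p

def factor_small(n):
    """Distinct prime factors by trial division (adequate for the toy modulus)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def primitive_root(p):
    """Smallest primitive element alpha of the multiplicative group mod p."""
    qs = factor_small(p - 1)
    for a in range(2, p):
        if all(pow(a, (p - 1) // q, p) != 1 for q in qs):
            return a
    raise ValueError("no primitive root found (is p prime?)")

def keygen(p, alpha, rng=secrets.randbelow):
    """Private key x in [1, p-2]; public key y = alpha^x mod p."""
    x = 1 + rng(p - 2)
    return x, pow(alpha, x, p)

def random_exponent(p, rng=secrets.randbelow):
    """Step 1: a random R relatively prime to p-1."""
    while True:
        r = 1 + rng(p - 2)
        if math.gcd(r, p - 1) == 1:
            return r

def elgamal_encrypt(p, alpha, y, t, r=None):
    """Steps 2-4: the cryptogram (C', C'') = (alpha^R mod p, y^R * T mod p).
    A fresh R per call maps the same T to a different cryptogram each time."""
    if not 1 <= t < p:
        raise ValueError("plaintext block must lie in [1, p-1]")
    r = random_exponent(p) if r is None else r
    return pow(alpha, r, p), (pow(y, r, p) * t) % p

def elgamal_decrypt(p, x, ct):
    """T = C'' / (C')^x mod p, dividing via the modular inverse of (C')^x."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, p), -1, p)) % p

def pad_encrypt(p, alpha, y, t_block, rng=secrets.randbelow, r=None):
    """Probabilistic mechanism B = R||T: a random r-bit R is prepended to the
    t-bit block and B is encrypted.  Requires 2^b < p so that B stays valid."""
    b = R_BITS + T_BITS
    if (1 << b) >= p:
        raise ValueError("block B could exceed the modulus: need 2^b < p")
    if not 0 <= t_block < (1 << T_BITS):
        raise ValueError("plaintext block wider than t bits")
    r_pad = 1 + rng((1 << R_BITS) - 1)          # R in [1, 2^r - 1] keeps B >= 1
    return elgamal_encrypt(p, alpha, y, (r_pad << T_BITS) | t_block, r=r)

def pad_decrypt(p, x, ct):
    """Recover B = R||T, discard the leading R bits, and return T."""
    return elgamal_decrypt(p, x, ct) & ((1 << T_BITS) - 1)
```

A cryptanalyst who guesses T correctly and re-encrypts it obtains, with overwhelming probability, a different (C′, C′′) pair, which is exactly the property described in Section 1.5.4.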

1.6 USING ENCRYPTION IN PRACTICE

Modern microelectronic technologies support the continuous growth of computer quality, and are the basis of maintaining the main trends in computer development—minimizing their sizes, decreasing power consumption, increasing the capacity of random-access memory and built-in and removable disks, enhancing the performance and reliability of computers, and expanding the area and increasing the intensity of use.

1.6.1 Encryption Algorithms in Protection Tools


These trends led to a situation in which, in the present circumstances, the protection of computer systems against unauthorized access (UA) is leaning more and more toward software protection tools than hardware tools. We should mention that the role of physical and hardware protection tools aimed, for example, at protecting against side-effect electromagnetic radiation, induced current, acoustic eavesdropping, and so forth, is considered traditional, and using computers and specialized software in these areas is auxiliary. The increasing importance of software protection tools should be understood in the sense that newly emerging problems in the area of protecting computer systems (CSs) against UA require using mechanisms and protocols with a comparatively high computational complexity, and can be effectively solved by using computer resources.
Using “pure” software mechanisms in data protection tools (DPTs) makes it possible to effectively solve important practical problems. Among these problems, one might mention reducing the cost of DPTs, minimizing the time it takes to develop secure information processing technologies, speeding up the spread of DPTs, and providing a high degree of portability to other platforms and compatibility with system and application software.
When designing data protection tools, it makes sense to use encryption techniques on various levels of computer data processing. This will make it possible to effectively solve the following problems by using only software tools:

Protecting CSs against intentional bugs
Protecting information in case of the theft of a hard drive or a whole computer
Detecting unauthorized modifications in the data or software
Protecting against viruses
Establishing demarcation between the users’ authorizations
Retaining high performance and routine operation procedures for the users
Providing data protection when maintenance or other services are performed

CSs are subject to many potential threats to information, which makes it necessary to provide a comprehensive range of possible protection tools and functions. It makes the most sense to first protect the most informative channels of data leakage, such as the possibility of quickly and easily copying data onto removable high-capacity media, unsecure communication channels, and the theft of a hard drive or a whole computer. The problem of barring these leakage channels is complicated by the requirement that data protection procedures shouldn’t lead to a noticeable decrease in the performance of the CS.
This places high requirements on ciphers oriented toward use in systems that protect against UA and that operate in real time:

High security against known-text or chosen-text cryptanalysis, based on a large amount of text encrypted with the same key.
A high encryption speed of a software implementation.
Retaining the possibility of random access to the data. This issue makes it necessary to use block ciphers in DPT against UA.
A modern computer security system oriented toward extensive use must be secure, technologically effective, and ergonomic. Here are a number of basic properties that make such a system attractive to a wide circle of users:

Universality: The possibility of installing various modes of secure data processing, depending on the needs of different users.
Compatibility: The system must be compatible with all applications written for the particular operating system, and must provide for the secure network operation of the computer.
Portability: The possibility of installing the system on various types of computers, including laptops.
Operating convenience: The system must be easy to operate, and shouldn’t change the working procedures users are accustomed to.
Real-time operating mode: Data processing (including encryption) must be fast.
Data protection: The system should have a high level of data protection.
Cost: The cost of the system should be minimal.

As an ideological basis of designing DPTs intended for wide use, we suggest that you extensively use fast software enciphering methods using new types of block ciphers. When designing effective real-time DPTs, the following principles should be observed:

Pertaining to global encryption, all information on the hard disk, including the boot sector, the system and application software, and so forth, must be transformed with a fast software cipher.
The platform operating system must be kept unchanged to provide high portability and compatibility.
A special cryptographic module should be used for the startup initialization to provide complete control over the startup procedure.

The mechanisms listed are just the main ones. They should be supplemented with a number of additional modules in order to perform standard tasks of securely operating the CS, such as program and data integrity control, guaranteed destruction of the remaining information, locking the keyboard and display, protecting information transmitted through network communication lines, and so forth.
In modern software systems of computer security, a technology called transparent protection is used. According to it, the user’s everyday working environment doesn’t change, and he or she doesn’t feel uncomfortable as a consequence of the protection tools being enabled. In other words, the security system, when working, is invisible to the user. The basic technology of transparent protection is the method of dynamic encryption of the private information with which the user is working. Private information written on external media is automatically encrypted using a key that depends on the user’s password. When being read by an authorized user, this information is automatically decrypted. Since this dynamic encryption isn’t noticed by the user, it is called transparent encryption, or transparent cryptographic transformation.
In integrated computer security systems (such as the COBRA system that protects against UA), one can note the subsystems shown in Figure 1.15. Among these are:

An erasing subsystem, to destroy the remaining data in the external memory
A keyboard and display locking subsystem, providing time-out locking of these access devices when left unattended
A shutdown subsystem, to correctly finish the user session by checking whether the state of the operational environment matches the reference state and writing the appropriate record into the work log
A system creating an additional logical disk on the hard disk, which makes it possible to save information without repeatedly partitioning it

FIGURE 1.15 The structure of the COBRA system and the purpose of its main components. [Figure not reproduced; the labels it carries are: the computer security system, made up of the access authorization subsystem, the file access demarcation subsystem, the total encryption subsystem, the subsystem maintaining the reference state of the operating environment, the auxiliary subsystem, the file encryption subsystem, the user’s special shell, and the logging subsystem. Functions shown: user authentication and demarcation of their authorization; transparent encryption of files and directories; protection against viruses; program and data integrity control; setting the transparent encryption mode for the logical disk and floppy disk; expanding the range of events registered in the system log; protection against unauthorized booting from a system floppy disk; restoring the working state of the computer after failures; enciphering files, directories, and disks; automatically processing secret information; mapping and providing users with only those features that correspond to their authorization; logging and accounting for generalized data; logging and accounting for detailed operations. Maximum computer resources required: RAM 10 KB; disk space 400 KB.]

The information protection level provided depends both on the design quality and completeness of the computer security system and the setup of its operating modes, taking into account the opponent model. The security administrator must set up the necessary protection scheme. By a protection scheme, we mean a set of activated components of the security system, and their setup parameters and enabled operating modes. To configure a particular scheme, the security administrator must perform the following steps:

1. Determine and understand security requirements by finding and analyzing threats to information in the computer system.
2. Determine the required security levels by analyzing the potentialities of the information protecting system.
3. Generalize the acquired information and perform the final configuration of the protection scheme.

When performing the preceding steps, you need to take into account the fact that effective protection should satisfy two mutually contradictory requirements:

Provide secure information protection in the computer system.
Provide comfortable working conditions for computer users (the protection system shouldn’t be troublesome; it also should not have any other demerits that interfere with users’ normal work).

Taking these requirements into account results in a more effective use of computer security systems. After having determined the protection scheme, the security administrator can proceed with the installation and setup of all the necessary components of the protection scheme.
Typical features demarcating the users’ access to the computer resources that are provided by security systems are:

Demarcation at the logical disk and I/O port level implemented by the authorized access subsystem
Demarcation at the file and directory level implemented by the file access demarcation subsystem

Many computer security systems support multilevel encryption—disk encryption, file encryption, and boot sector encryption.

1.6.2 Some Features of Applications


Although some important characteristics might not be quantifiable, it seems logical to identify some cryptographic algorithm characteristics that can be expressed either in objective, numeric values or subjective, adjectival values. Metrics might be used for evaluating and comparing cryptographic algorithms and the confidentiality protection value of products containing cryptographic algorithms.

The Key Length and Security


The length of the key determines the upper boundary of the cryptosystem’s security. An attacker can always launch a brute-force attack, which consists of trying every possible key from the keyspace. However, the size of the keyspace increases exponentially with the increase of the key length. If the length of a key in bits is equal to l = 64, the number of possible keys is more than 10^19. When l = 128, there are >10^38. Currently, computational technologies are approaching a solution to the problem of trying 10^20 variants in a reasonable time interval. Trying 10^38 variants is considered unfeasible for up-to-date technologies, and in the foreseeable future. At present, there is a general shift from 56-bit keys in the DES cryptosystem to 80-bit or 128-bit keys in modern symmetric ciphers.
Among the provably secure block cryptosystems are ciphers for which it was theoretically proven that even the best method of cryptanalyzing them requires a work effort that is no less than a value that guarantees this method will remain computationally unfeasible in the near future. At present, various cryptographic methods have been proposed for many ciphers, and an estimation of the work effort needed to solve the cryptanalytic problem has been given for each. However, there is the fundamental theoretical complexity of finding the best cryptanalytic algorithm, and this determines the complexity of the general proof of security.
For a new cipher to be adopted, it must conform to the following conditions:

It must be designed in accordance with the requirements of a specific application, and it must include mechanisms that implement modern principles of providing cryptographic security.
It must have been tested by experienced experts for a long time, and its security against all known methods of cryptanalysis must be proven.

Cipher testing is the most complex and expensive stage of cryptosystem development. To increase confidence in the security of new ciphers, they are tested in conditions favorable for solving the cryptanalytic problem. For example, versions with a decreased number of enciphering rounds are investigated; the possibility of generating hardware failures in the enciphering device is considered; an assumption is made that a portion of the encryption key is known to an opponent, and so forth. When testing nondeterministic ciphers, testers consider attacks based on a known version of the encryption algorithm, or on its weakest version. Other types of attacks can be used, such as attacks on cipher versions with decreased sizes of the encryption key and input data block. The stricter the testing procedure, the greater the assurance that no new specific types of attacks will be found. Theoretical guarantees of security can only be provided by ciphers that have infinite random keys. However, these are extremely inconvenient for computer information protection. Besides which, in such applications, there is the problem of protecting a key whose length is equal to the length of the message.
The notion of a password is close to the notion of a secret key. A password is also a secret component. By the term key, we mean a component that controls the encryption process, while a password is a component used to authenticate a subject (such as a user or a workstation). In many cases, a password is used to control enciphering, and a secret key is used to authenticate subjects. A random key or password is difficult to remember, so it is often stored in removable media that, in turn, are kept protected against unauthorized access. Choosing a password that is easy to remember significantly diminishes the number of possible variants, so in this case, longer passwords or even pass-phrases are required.
In two-key ciphers, private keys whose length is significantly greater than the lengths of keys used in one-key cryptosystems are used. This is due to certain peculiarities of the cryptanalytic problem for asymmetric ciphers. In some two-key cryptosystems, private keys are chosen at random, and then the corresponding public keys are generated (for example, in the Diffie-Hellman method and the El Gamal digital signature). In other cryptosystems, private keys that satisfy special requirements are generated (such as p and q factors in the RSA digital signature system). In the latter case, private keys are also chosen at random, but, after the random choice of a private key, the key is checked to see whether it satisfies certain requirements (for example, prime numbers are required, or numbers that are relatively prime to some previously chosen parameter).
It is convenient to store random private keys in removable electronic devices (such as electronic keys or smart cards). You can also use combinations of passwords stored in the memory and keys stored in removable media.

Enciphering and Archiving


When creating secret archives, it is assumed that the data is stored in encrypted form. As a rule, archives contain a great amount of information; this is why it is good to compress data when archiving to eliminate excessive information. This procedure decreases the archive’s size and simplifies creating work and backup copies. It also makes sense to previously compress data when transmitting large amounts of data over low-speed communication channels. Encryption transforms an original text into a pseudo-random sequence that won’t compress, and so the data compressing procedure must be performed prior to encryption. (One of the tests used to qualitatively estimate cipher security is a test for cryptogram compression. If a cryptogram compresses poorly, the cipher passes the test.)
Thus, when archiving secret data (or transmitting them over a telecommunication channel), the following sequence of transformations takes place:

1. Data compression
2. Enciphering
3. Writing on a medium (or sending over a communication channel)

To extract data from an archive or receive them from a communication channel, the reverse sequence is done:

1. Reading the ciphertext from a medium (or receiving encrypted data over a communication channel)
2. Deciphering
3. Restoring (decompressing) the data

Eliminating the redundancy of an initial message significantly increases the encryption’s security against ciphertext attacks. However, the encryption security against known-text attacks doesn’t change if a known compression algorithm is used. Since we assume that the opponent knows the encryption algorithm, we must assume that he also knows the data compression algorithm.
Of special interest is using the data compression procedure in combination with probabilistic encryption with a simple mechanism of inserting random data into the cryptogram. Each of these two additional transformations increases the encryption security. When used, one of them decreases the initial size of the message, while the other increases it. Probabilistic ciphers based on the concatenation of blocks of encrypted data with random binary vectors make it possible to easily control increasing the size of the cryptogram, and therefore parameters of the probabilistic encryption can be chosen so that the generated ciphertext will have a size approximately equal to the size of the message before the redundancy was eliminated.
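The compress-then-encipher sequence above and the cryptogram compression test, as an added Python example that is not the book's code. The keystream generator is a toy SHA-256 counter mode standing in for a real cipher, and the sample "instruction" text is constructed to be highly redundant, in the spirit of the standardized documents discussed in Section 1.5.4.

```python
import hashlib
import zlib

# Constructed sample: a standard-form instruction repeated 40 times (4480 bytes),
# i.e. a message with a great deal of redundancy.
SAMPLE = (b"INSTRUCTION No. 17. Pay contractor ACME the sum of 1200 units. "
          b"Date: 2024-01-01. Signed: administrative center.\n") * 40

def keystream_xor(key, data, nonce=b"archive-1"):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || block counter).
    Applying it twice with the same key and nonce restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def compression_ratio(data):
    """Compressed size / original size; about 1.0 or more means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)

def archive(key, plaintext):
    """Steps 1-2 of the archiving sequence: compress first, then encipher."""
    return keystream_xor(key, zlib.compress(plaintext, 9))

def unarchive(key, ciphertext):
    """Reverse sequence: decipher first, then decompress."""
    return zlib.decompress(keystream_xor(key, ciphertext))

def wrong_order_size(key, plaintext):
    """Size obtained by enciphering first and compressing afterwards: the
    pseudo-random cryptogram does not shrink, so nothing is gained."""
    return len(zlib.compress(keystream_xor(key, plaintext), 9))

def cryptogram_compression_test(key, plaintext):
    """The qualitative test from the text: the cipher passes if its cryptogram
    compresses poorly.  Returns (plaintext ratio, cryptogram ratio, passed)."""
    r_plain = compression_ratio(plaintext)
    r_ct = compression_ratio(keystream_xor(key, plaintext))
    return r_plain, r_ct, r_ct > 0.98
```

On the sample, the archive is a small fraction of the 4480-byte message, whereas enciphering first leaves nothing for the compressor to remove.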

Encrypting and Coding


When transmitting private information over telecommunication channels with noise, you need to perform enciphering and interference-tolerant coding of the data being transmitted. For block cryptosystems, the enciphering and deciphering procedures exhibit a pronounced diffusion of the influence of input characters over many output characters, this influence being pseudo-random. In connection with this, when using block cryptosystems, the interference-tolerant coding procedure must be performed after enciphering on the sending side. As for the receiving side, you must first decode and then decipher the message.
Error propagation during deciphering doesn’t take place when you use stream enciphering, which involves the generation of a keystream by a secret key and synchronous bitwise XORing of the keystream and transmitted message. In this case, regardless of the order of the ciphering and coding procedures, deciphering and decoding on the receiving side can be successfully carried out. For example, when sending and receiving, you can use the following sequence of data transmission: coding-enciphering-deciphering-decoding.

1.6.3 Standardization of Encryption Algorithms


The significant role of enciphering algorithms when solving the data protection problem on a broad scale is the reason for the adoption of enciphering standards. Of these, the most known and widely used was the American Federal Standard DES, adopted in the mid-1970s; it was a predecessor of the Russian Standard GOST. Today, both standards seem obsolete, and neither conforms to modern requirements of data transformation speed. Besides which, DES uses a 56-bit private key that nowadays cannot provide sufficient security against an attack of trying every possible key value, and the Russian Standard is difficult for hardware implementation. A significant disadvantage of GOST is that it uses persistent secret components, such as substitution tables, that are supplied in a set order. According to widely adopted cryptographic requirements, the security of an algorithm must be based only on the secrecy of an easily changeable element—a key. Neither of the ciphers is secure against attacks based on a differential fault analysis. Such an attack is relevant for ciphers used in smart cards. (In this type of attack, it is assumed that the opponent can physically influence the enciphering device from outside and cause occasional random failures in the registers containing data when the enciphering procedure is being carried out.)
The fact that the world’s first public official standard was adopted in the United States played an important role in strengthening the leadership of American vendors of data protection systems. The influence of the American DES standard on public cryptography trends all over the world appeared to be so significant that, for many years, developers of block enciphering algorithms were “hypnotized” by the approaches used in DES development. The general design scheme of the DES cryptosystem became a common pattern. This fact became the reason for a certain restraint in trying new approaches to the design of block cryptosystems, which vividly showed itself in the early 1990s, when there was a boom in the need for using fast software-oriented encryption methods.
The leading industrial countries pay much attention to developing new encryption algorithms that satisfy modern technological requirements. In 1998–2000, the United States, while retaining their leadership in this area, held a worldwide contest (visit http://www.nist.gov/aes) for the adoption of their new standard—Advanced Encryption Standard (AES). A number of conferences were devoted to this contest, in which the proposed ciphers were discussed. The leading world cryptographers were involved in this competition, and 15 AES candidates were presented. The contest is now over. A Belgian cipher, Rijndael, was the winner. The RC6 and TwoFish ciphers were also among the better competitors. Soon after, a similar European contest was announced, which is currently in full swing. When distributing encryption algorithms and data protection tools, the leading countries strengthen their positions in the information security market by offering their products and services; they increase their influence and, to some extent, acquire the possibility of controlling the information resource security of other countries.
In Russia, the problem of developing fast ciphers satisfying modern requirements and trends has also been officially declared. One of these trends is the increasing technological requirements for encryption algorithms. While the requirement of providing guaranteed security remains urgent, there is also the problem of providing a high encryption speed, both with a software implementation (more than 100 Mbit/sec) and a hardware one (more than 1000 Mbit/sec). At the same time, the cost of enciphering devices should be affordable enough for the average buyer. There is also the need to provide algorithm security against a number of nontraditional attacks, such as differential fault analysis.
The needs of software technology gave rise to the public cryptographic community outside Russia in the mid-1970s. In Russia, public cryptography began to develop actively in the mid-1990s. Currently, applied cryptography topics are common in many Russian scientific journals, Russian cryptographers have obtained more than 30 patents on encryption methods, and encryption issues are regularly discussed at conferences devoted to information security. At the end of 1999, a nonprofit organization, the RusCrypto association, was founded in Russia with the aims of propagating cryptographic knowledge, increasing the quality of the data protection tools developed in Russia, and expanding Russian public research in the field of cryptography.
Russian approaches to the design of fast ciphers and certain particular ciphers
include important new elements. For example, some suggested encryption methods
based on data-dependent permutations (Russian patents Nos. 2140710, 2140714,
2140716, 2141729) are advantageous for hardware implementation. This approach
has sufficient theoretical and experimental justification, and it has led to the rise of
a new direction in applied cryptography related to the use of specially designed
cryptographic operations—controlled cryptographic primitives.
68 Innovative Cryptography, Second Edition

The prime requirement for encryption algorithms is high security; when this
isn’t satisfied, the other features are of no concern. A specialist familiar with the ba-
sics of cryptography and having sufficient skills in this area can design a secure al-
gorithm relatively quickly. However, there are other requirements on algorithms
intended for wide use. Here are some of them:

- It is necessary to convince experts and consumers that a suggested algorithm is secure. To do this, design criteria are specified, and theoretical investigations of the operations and transformation mechanisms used are carried out. Statistical properties of the cipher are also explored.
- It is necessary to convince users that the proposed algorithm doesn't include trapdoors that make it possible to compute the key or read ciphertexts without knowing the secret key.
- The algorithm must possess properties that make a hardware implementation inexpensive (and/or a software implementation convenient).
- The algorithm must provide a high encryption speed.
- The algorithm must provide high security against traditional cryptanalytic attacks (known-plaintext, chosen-plaintext, and chosen-ciphertext attacks) and against attacks related to special applications, such as differential fault analysis and side-channel attacks based on measuring power consumption or computation time.

AES candidates had to meet the requirement of fast hardware and software implementation (with the hardware implementation being inexpensive). This is reasonable, because a widely used algorithm whose primary aim is information privacy should admit implementation in a variety of ways. Maximum encryption speed in both settings at once, however, is difficult to achieve: an algorithm oriented toward only a software or only a hardware implementation can obviously provide higher performance in its own area. This matters when designing ciphers for demanding applications. Now that information technologies are ubiquitous, even minor losses in performance, multiplied across many systems, result in significant economic damage, and in critical applications even a small delay can lead to disaster. These considerations show that even the adoption of a common encryption standard cannot solve all the problems of applied cryptography. The cryptanalysis of existing algorithms continues to develop, and so does the design of new ciphers.

1.6.4 Built-in Trapdoor Issues


By a trapdoor, we mean a secret whose knowledge makes it possible to break the cipher; in other words, to read a ciphertext without knowing the key, or to compute the encryption key. One of the major issues in the wide use of encryption methods is gaining users' confidence. No trapdoor has been found in DES in more than 20 years, yet many users still have doubts on this point. The use of secret substitution boxes in GOST 28147-89 complicates comprehensive trapdoor investigations, which increases the distrust of independent users. How seriously should users take the threat that trapdoor ciphers may be imposed on them? For a long time, the discussion of trapdoors in the public cryptographic literature was one-sided: it was directed toward looking for trapdoors in ciphers that had already been designed. The Belgian researchers V. Rijmen and B. Preneel posed the question differently: is it possible in principle to design ciphers in which the presence of a trapdoor is computationally infeasible to detect, even if the encryption algorithm is published and thoroughly examined by users and cryptographers? Their research gave a positive answer: they showed ways of designing DES-like block ciphers containing trapdoors that, with the methods then available, could not feasibly be detected. (Their particular construction was later shown to be detectable after all, but the general question remains open.) This result is rather disappointing for users. If the risk of a trapdoor must be taken into account, is it possible to avoid attacks based on trapdoors? It is difficult to guarantee protection against such an attack. However, the following approaches significantly diminish the risk:

- The users or their proxies take part in designing the substitution boxes or the whole cipher (this approach requires professional training; it also has another disadvantage related to the confidence of other users in a cryptoscheme designed in such a way).
- The user rejects cryptosystems with predefined substitutions and chooses ciphers in which the substitutions (for example, substitution tables) are generated from the user's secret key (such as Blowfish or Twofish).
- The user rejects substitutions as a basic cryptographic primitive altogether (for example, the RC6 and SPECTR-H64 ciphers); this variant is also connected with the trapdoor issue: will it someday be possible to build trapdoors into ciphers without substitutions as well?
- The user chooses cryptosystems that use controlled operations; in other words, cryptographic primitives whose transformation depends on variable parameters of the encryption process, namely the user's secret key and/or the message being encrypted. Using data-dependent operations as cryptographic primitives gives reasonable assurance that there are no trapdoors in the ciphers used. Examples of such ciphers are RC5, RC6, MARS, and SPECTR-H64, all of which use data-dependent operations.
- To neutralize trapdoors, simple probabilistic encryption schemes can be used; these are described in detail in Section 1.5 and Chapter 5. To keep the ciphertext from growing, the data can be compressed beforehand (compression also removes plaintext redundancy, which raises the work factor of cryptanalysis, although the compressed length can itself leak information about the plaintext, so this is a supplement to, not a substitute for, a strong cipher).
- Double encryption with two different algorithms, whose developers are unlikely to be in collusion with each other, can be used. For example, data can be encrypted first with DES and then with GOST, using independent keys; each cipher then neutralizes a possible trapdoor in the other.

1.6.5 Cryptography and Steganography


Steganography is a technique used for secret transmission or secret storage of in-
formation, the goal of which is to conceal the very fact of the message’s transmis-
sion. To do this, one can use invisible ink, acrostics, microphotography, hiding
places, and so forth. Electronic data processing devices make it possible to use new
steganographic methods. These methods use the pseudorandom distribution of in-
formation over time or space (or both), adding noise, and masking information in
a container message or in auxiliary information. In multimedia, they can be based,
for example, on hiding a message inside video frames.
The basic distinction between cryptography and steganography is that the for-
mer doesn’t conceal the fact of sending messages, but only conceals their content.
Using steganography to transmit important messages is very risky. Cryptography is
a much more secure tool for data protection. Steganographic methods can provide
a high level of information protection only if they are supplemented with a prelim-
inary cryptographic transformation of messages. The transformation will actually
determine the security of such a combined secret scheme.
Currently, developers of steganographic methods use secret keys, which in effect means building steganographic methods that include cryptographic subsystems. The need for secret keys in steganography amounts to accepting that the development of secure methods of concealing message transmission involves cryptography; the ideas of one-key and two-key cryptography can significantly enrich steganography. Steganography lacks the versatile internal possibilities inherent in cryptography, which have defined the important role of cryptography in a society with an advanced information infrastructure.
2 Flexible Software Ciphers

2.1 THE SECRECY AND CRYPTOGRAPHIC STRENGTH OF THE ALGORITHM

In the most general sense, any block cryptosystem is a method of specifying a substitution. The essence of encryption is the replacement of a block of plaintext by a block of ciphertext. Obviously, to ensure strong encryption, it is necessary to use sophisticated transformation procedures that, according to Kerckhoffs's principle, are assumed to be known to the attacker. In practice, ciphers with 64-bit and 128-bit input blocks are used most often, although 32-bit block ciphers and 512-byte block ciphers are occasionally encountered. Every block cipher can formally be represented as a set of substitution tables. Each table corresponds to one of the possible secret keys and specifies (for that key) the mapping of every possible input block to its cryptogram. However, the size of each table is excessive (n·2^n bits for an n-bit block: 2^n entries of n bits each), which makes this method of specifying ciphers practically unusable.
The tabular description of ciphers is the most general one. Ciphers specified in the form of an algorithm make up only a small part of the possible substitutions; however, these are exactly the substitutions that can be used in practice, because they have a compact description. Thus, a block cipher represented as a transformation algorithm implements a way of choosing, depending on the secret key, a specific table for substituting the output block for the input block. Replacing the secret key means replacing the substitution table, although the table never has to be built explicitly: working with the substitution table amounts to computing the output block from the given input block when the encryption key is known.
An encryption algorithm of high cryptographic strength specifies a "pseudorandom" transformation, that is, one that is practically indistinguishable from a random one. For a good block algorithm, without knowing the secret key it is computationally infeasible to choose input texts such that observing the corresponding ciphertexts would allow one to predict any relationship between the transformation of the next specially chosen text and the outputs already known. In reality, such a dependence is fully determined by the encryption algorithm itself; for a cryptographically strong transformation, however, it looks pseudorandom. The first stage of cryptanalysis therefore consists of finding conditions under which the encrypting transformation can be distinguished from a random one. If such conditions are discovered, the prerequisites for breaking the cipher have been created. Bear in mind, however, that computing the secret key may turn out to be far more labor-intensive than merely distinguishing the encryption transformation from a random one.
Knowing the transformation algorithm is a considerable help for the attacker,
because it allows the cryptanalyst to investigate statistical properties of the cipher.
If you discover specific statistical relationships between input and output texts,
you’ll create the prerequisites for disclosing (computing) the secret key. A natural
theoretical question arises: Is it possible to build cryptosystems with secret algo-
rithms that ensure unconditional security if the key of finite size is used? In this
chapter, it will be shown that ensuring unconditional security of ciphers with secret
algorithm is possible only under conditions of infinite complexity of encrypting
procedures. In this case, the encryption time of any text is infinite, which makes the
practical use of such ciphers meaningless.
Consider the question of unconditional security of a cryptosystem with a secret algorithm and finite encryption time. It is assumed that a potential intruder is human, has access to many contemporary computers, and knows the language in which the original message was written. Assume that the attacker wants to read a cryptogram corresponding to an original text whose size exceeds the key size many times over. Because unconditional security is being considered, it must be assumed that the attacker's computational resources are unlimited.
The size of the text describing any algorithm with finite encryption time is finite; therefore, the attacker can try all possible algorithms. Indeed, for a given level of computing technology, each finite text can be interpreted as an algorithm written in machine-language commands, so the number of ways of interpreting an arbitrary finite sequence of bytes is finite. Consequently, an attacker with unlimited computing resources can determine both the finite secret key and the encryption algorithm by brute force. Thus, from the standpoint of unconditional security, the uncertainty of a dynamically formed algorithm adds nothing. Only a random key used once, whose length equals the length of the message being encrypted, allows unconditional security to be achieved. This concept has more theoretical than practical value, because practice is not a closed system: all possible actions of an attacker under the real-world operating conditions of a cryptosystem cannot be predicted beforehand by a closed theoretical model.
The use of long keys complicates secure key management, which can make unconditionally strong ciphers less reliable in practice than conditionally strong cryptosystems with 512-, 256-, or even 128-bit keys. For conditionally strong (that is, computationally strong) cryptosystems, the secrecy of the algorithm becomes a question of real importance. The labor intensity required to compromise a cryptosystem is evaluated in relation to specific cryptanalysis algorithms: the cryptographic strength of a cipher is taken to be the labor intensity of breaking it by the best known method of cryptanalysis.
The best method of cryptanalysis depends on the encryption algorithm, and the most efficient methods are based on knowledge of the algorithm and preliminary investigation of its mathematical and probabilistic properties. This gives grounds for the assumption that keeping the encryption algorithm secret will considerably complicate cryptanalysis. This method of improving strength is not widely used in practice, mainly because it is very hard to ensure the secrecy of cryptosystem elements that are used for a long time and thus become known to a wide (initially limited) user community. In addition, the secrecy of the algorithm would also have to be ensured during its design and testing.
Thus, in computationally strong cryptosystems, the secrecy of the encryption algorithm can in principle be used as one of the mechanisms for a considerable increase in strength. To use this in practice, however, it is necessary to build a cryptosystem in which the encryption algorithm is easily changeable. This can be achieved with precomputations that generate the encryption algorithm depending on the user's secret key. Such cryptosystems can be called nondeterministic or flexible. The first term emphasizes that the encryption algorithm is not known to the cryptanalyst, while the second stresses that the encryption algorithm is modified depending on the secret key.
In nondeterministic cryptosystems, the precomputation algorithm is a way of specifying a large number of possible encryption algorithms. Because the precomputation algorithm is assumed to be known (it is a long-term element of the cipher), the description of the possible modifications of the encrypting functions is known to the cryptanalyst; everything is assumed known except the choice of the specific modification. In this chapter, we cover practical schemes for building nondeterministic ciphers that specify a large number of different modifications of the encryption algorithm. The encryption algorithm can be considered secret (in the sense of the uncertainty about which modification of the encrypting procedures is chosen), even though such cryptosystems are investigated and discussed in detail in open publications. Secrecy of the algorithm in this sense is a specific way of improving the strength of a cryptosystem and can be used successfully to build new strong ciphers. The presence of a precomputation stage introduces some limitations on use in specific areas; for example, where the key must be changed often (say, once per second or more frequently). In most applications, a precomputation stage is acceptable, so nondeterministic software ciphers are potentially promising for wide areas of application.

2.2 THE PRINCIPLES OF DESIGNING SOFTWARE CIPHERS

By software ciphers we mean those that use operations on computer words and take into account the features of data processing in computer systems, making it possible to obtain high encryption speeds on common microprocessors. Given the enormous problem of protecting electronic information, software ciphers have good prospects for practical use.
Let's look at the peculiarities of designing software ciphers. Ensuring the most reliable secure data processing mode in computer systems involves encrypting all data stored in nonvolatile memory. In general, data processing involves random requests for data reading and writing, so individual data blocks must be encrypted independently (in practice the position of the block, such as its sector number, is also mixed into the transformation, so that identical blocks stored at different positions do not yield identical ciphertexts).
Modern computers typically have a large volume of persistent memory and provide high read and write speeds. These two features make serious demands on ciphers intended for real-time systems that protect data from unauthorized access:

- high security against cryptanalysis based on a large volume of known or chosen texts encrypted under the same key;
- a high enciphering speed in a software implementation.


To design fast software ciphers, it is suggested that pseudorandom subkey selection be used. In cryptoschemes with such a nondeterministic selection of subkeys, the elements of the cryptographic key used to transform an input data block are selected depending on the value of the data block being transformed and on the encryption key. For ciphers based on such a scheme, the subkey schedule is not predetermined, which significantly increases the security of the encryption; the number of enciphering rounds can therefore be decreased, increasing the encryption speed. Because of this type of key selection, ciphers with data-dependent subkey selection can be called pseudorandom.
Formally, data-dependent subkey selection is just a mapping operation (a substitution) performed according to a table specified by the encryption key. The encryption key consists of a set of numbered subkeys; a portion of the input block specifies the number of the selected subkey, and the subkey is the value obtained as the result of the mapping. An array of elements implementing such a mapping is called an S-box (substitution box). We nevertheless use the term data-dependent subkey selection, because the data subblock that determines the currently selected subkey is not replaced by that subkey; rather, both of them are used in subsequent transformations. In such cases, the encryption process is easier to understand when it is described in terms close to the procedures actually performed. The term substitution operation is best reserved for cases in which the transformation consists of replacing an input block by a value from the substitution table.
For software ciphers, the basic principle of diffusion and confusion is supplemented with the following mechanisms:

- the dependence of S-boxes on the secret key;
- an increase in the size of S-boxes;
- an increase in the size of the transformed data block, up to 512 bytes;
- the dependence of the encryption algorithm on the secret key (for example, adjusting the transformation operations according to the secret key);
- data-dependence of the transformation operations (i.e., selecting a modification of the current operation depending on the input message);
- data-dependence of the subkey selection;
- various combinations of the preceding items (for example, making the subset of possible modifications of a controlled operation depend on the secret key, in other words a combination of the fourth and fifth items).

Despite the large number of encryption mechanisms and their implementations, in general a block cipher can be regarded as a subset of the substitutions on the set of possible input data blocks. The number of substitutions in this subset does not exceed the number of possible secret keys; choosing a secret key corresponds to choosing a particular substitution. Thus, a block cipher is a way of specifying a simple substitution over a very large alphabet. Because of the size of the input alphabet (for n-bit input blocks there are 2^n possible input blocks and (2^n)! possible substitutions), substitutions cannot be specified in tabular form, and the only practical way to specify them is algorithmically, by a rule for computing output blocks from input blocks.
Specifying substitutions as procedures controlled by the secret key means that the substitutions are drawn not from the set of all (2^n)! possible substitutions, but from a subset of at most 2^k of them, where k is the length of the secret key in bits. Since the cryptanalyst is assumed to know the encryption algorithm, he also knows the subset of substitutions implemented by that algorithm. The complexity of cryptanalysis stems from the fact that the number of possible substitutions is still extremely large, and each of them can be regarded only as the algorithm instantiated with a particular value of the secret key.
The specific kind of the algorithm determines the rule for building the subset
of possible substitutions, and therefore, the block cipher has certain algebraic and
statistical properties that can be used when performing a cryptanalysis. The ques-
tion is only how complex a certain cryptanalytic method is for a particular encryp-
tion algorithm. While the encryption algorithm plays a secondary role in ensuring
the security of ciphers with infinite keys, for block ciphers with fixed secret keys, the
characteristics of the encryption mechanism are the most important. The principles
of cipher design and the specific kinds of the mechanisms used are oriented toward
specifying a pseudorandom substitution that is hard to distinguish from a random
one, provided the cryptanalyst has a large (but reasonable) amount of initial data to
launch an attack.
The complexity of cryptanalysis is related to two different factors. When encryption algorithms with good diffusion and confusion properties are used, the work effort needed for successful cryptanalysis depends on the complexity of analyzing the enciphering procedures themselves. When the encryption algorithm itself depends on the secret key, the complexity of the cryptanalytic problem increases significantly because of the ambiguity in interpreting the statistical connections between the original texts and the corresponding cryptograms. Ciphers in which the encryption algorithm is built depending on the secret key are called flexible or nondeterministic. In a flexible cipher, a given key corresponds to exactly one modification of the encryption algorithm; since the set of keys is finite, a flexible cipher is a set of encryption algorithms described by a single algorithm that specifies the rule for building the encryption algorithm from the secret key. Building secret substitution tables or a secret encryption algorithm implies that software ciphers use a precomputation stage, executed only once after the secret key is entered. This is the stage in which the cryptosystem is initialized; afterward it repeatedly performs data encryption and decryption.

2.3 INITIALIZING SOFTWARE CIPHERS

As a rule, iterated ciphers use keys 56 to 256 bits long. At the time of writing, with a key of 80 bits or more, an attack based on trying every possible key could not be mounted by any organization, however large its computational resources (today 80-bit keys are regarded as marginal, and 128 bits is the usual minimum). To ensure security against all the other known cryptanalytic methods, a large number of transformation rounds are used, each executing transformation procedures with good diffusion and confusion properties.
Obviously, longer encryption keys give more freedom in designing fast encryption procedures. However, longer keys are more difficult to manage (generate, transfer, and store). In cryptosystems intended for software implementation, the ability to use and store long encryption keys can be provided by special procedures that transform, in a one-way manner, a relatively small initial secret key into an extended cryptographic key, whose size can be anywhere from 1 to 64 KB. Then only the secret keys need to be managed, because the encryption key can be regenerated from the secret key whenever needed by the known procedure. The stage of generating the encryption key is a precomputation stage, executed once when the enciphering device or computer is switched on. When such a scheme is used, the cryptanalyst must choose between two main variants of attack:

- He may assume that the extended key is chosen at random, and analyze the relatively simple encryption procedures with the aim of revealing their vulnerabilities.
- He may investigate the significantly more complicated procedures of generating the encryption key and try to solve the encryption equations for the secret key.

Obviously, the procedures generating the encryption key must be complex enough that it is impossible to compute any portion of the secret key from individual fragments of the extended encryption key. The basic requirements on the algorithm generating the encryption key are:

- an approximately equal influence of each bit of the secret key on all the bits of the extended key being generated;
- a high computational complexity of finding the secret key from a known extended key.

A high cipher security based on the key extension mechanism is achievable in principle, since in the precomputation stage you can use algorithms belonging to a wider class of transformations than encryption algorithms. A basic limitation of the latter is the need to perform an inverse transformation controlled by the key parameters, restoring the original message from the ciphertext. No such limitation is placed on the algorithm generating the encryption key, and a wider class of algorithms includes some that are more secure from the cryptographic point of view.
Because the setup procedure is performed only during initialization (switching on) of the cryptosystem, there are no substantial restrictions on the execution time of the setup algorithm or on the computational resources it uses (the precomputation subprogram is not resident). This means that multistage one-way procedures are acceptable, including nondeterministic algorithms: in the first precomputation stage, a one-way transformation algorithm is generated, and in the second stage it is executed, performing the final transformation of the secret key into the extended encryption key. During setup, the modification of the encryption algorithm can also be made unique for each user. In fact, the algorithm generating the encryption procedures is just a way of specifying the choice of one modification of the encryption algorithm from a very large number of possible modifications according to the user's secret key. The practical implementation of cryptosystems with nondeterministic encryption algorithms is a special feature of software tools, which follows from the idea of using precomputations.
Thus, a software cipher can be implemented as two subroutines: an initialization module intended for a single run, and a resident enciphering module servicing requests from other programs to encrypt and decrypt data.
One requirement on the algorithm generating the encryption key is that the number of possible output sequences must not be significantly smaller than the number of possible secret keys. The extended key is longer than the secret key, but for certain precomputation procedures different secret keys may map to the same encryption key. When one-way transformations are used in the key generation stage, such narrowing of the encryption keyspace is unlikely, but it is better to ensure that the set of encryption keys has the same cardinality as the set of secret keys of the specified length. This is easily achieved by using encryption procedures in the extended-key generation algorithm. Indeed, by repeating the secret key the necessary number of times, we obtain a distinct extended text for every secret key; encrypting this extended text with a fixed bijective transformation yields a distinct ciphertext for every secret key, and that ciphertext can be used as the extended key. When a nondeterministic cipher is required, build an input extended text whose size is greater than the necessary length of the extended key: one portion of the transformed text is used as the extended encryption key, and the other portion is used to build the encryption algorithm.

2.4 NON-DETERMINISTIC SOFTWARE CIPHERS

In the traditional approach, a cryptosystem is built based on a fixed set of
transformation operations. A key is used to control the encryption process by
specifying the parameters used in the encryption transformations. These parameters
can be either key elements selected according to a certain rule, or characters of a
pseudorandom sequence generated based on the key. The most favorable conditions to
launch cryptanalytic attacks are the availability of:

- Complete information about the data encryption procedures used
- A sufficient amount of known plaintext, including specially chosen plaintext, and
  the corresponding ciphertext

Testing the cryptosystem under such conditions is a general rule.


Using cryptalgorithms in software tools for computer protection requires that
all the encryption procedures be stored on the computer’s magnetic carrier if we
don’t want to burden users with having to repeatedly perform additional actions.
Thus, in a user-friendly computer security system, the algorithm of the crypto-
module is basically available to a malefactor. Obviously, the absence of information
or partial information about the cryptographic procedures used makes it much
more difficult for a potential adversary to solve the task of breaking the protection
system. This goal is achieved by implementing so-called flexible (non-deterministic)
ciphers, in which the encryption algorithm is automatically changed when the secret
key changes.

2.4.1 The Principles of Designing Flexible Ciphers


Using software tools to carry out cryptographic transformations and the precom-
putation stage, in which the encryption mechanism is initialized, makes it possible
to design cryptosystems in which the encryption algorithm for a particular user
isn’t known to an attacker beforehand. This is achieved thanks to the fact that, in
the precomputation stage, the procedures generating the encryption algorithm are
executed depending on the secret key. Thus, when using a computer to complicate
cryptanalytic attacks, the encryption algorithm can be built according to a
generating algorithm, which must be assumed to be known to an attacker. The set of
possible encryption algorithms is finite, and the rule that determines the generating
algorithm is considered known to the cryptanalyst. However, the cryptanalyst
doesn’t know which particular modification of the encryption algorithm will be
implemented, since its choice is determined by the secret key.
If the number of implementable modifications is 10^9 or more, the
nondeterminism of the transformation procedures can be an effective tool for counteracting
cryptanalytic attacks. Moreover, reducing the cryptanalytic problem to trying every
possible variant doesn’t seem realizable, since it requires that you first consider the
majority of the algorithms of this class, and then find an individual approach to
each. This is unlikely. It is possible to execute a cryptanalytic attack that looks for
any general regularities over the entire set of possible modifications of the
cryptalgorithm, or over sufficiently large subsets of it. Building such a generalized
cryptanalytic algorithm is a much more complicated task than designing a method to
analyze a cipher with a fixed encryption algorithm.
A universal method of cryptanalysis is keyless reading, based on known input
texts and corresponding blocks of ciphertext. However, it is easy to design a flexi-
ble algorithm, each modification of which will be secure against such a generalized
type of cryptanalysis. In the following sections, we describe flexible algorithms that
meet this requirement. In addition, these flexible ciphers are secure against attacks
based on a known modification of the cryptoalgorithm and attacks based on a cho-
sen modification (in the latter case, the attacker can choose the weakest cryptoal-
gorithm from the set of potentially implementable modifications).
The following theoretical question is directly related to the problem of creating
cryptosystems with nondeterministic transformation algorithms: can the system
generate a weak second-stage algorithm during the initialization stage? It is difficult
to formally describe such an object as a cryptoscheme with a nondeterministic
transformation algorithm, and it is even more difficult to provide a strict theoreti-
cal proof of the security of all its modifications. However, the following points in
favor of using these new systems can be listed:

- The probability of generating a weak algorithm is very small, and drastically
  decreases when using diversified methods of specifying nondeterministic
  procedures.
- The generating algorithm can be made responsible for controlling the quality
  of the encryption algorithm generated (for example, you can have a control
  encryption in this stage and then analyze the cipher as to whether it passes a
  special spectral test).
- In systems with a multipass encryption mode, you can use cryptoschemes with
  fixed encryption procedures as one or more of the component algorithms. The
  security of these cryptoschemes can be estimated according to approved methods.
- It is possible to design cryptoschemes that will allow for arbitrary modification
  of a certain set of operations or transformation procedures; in other words,
  cryptoschemes whose security is not sensitive to the modification of the set of
  operations and procedures used.

The latter approach seems the most promising in designing practical, non-
deterministic ciphers.
Non-deterministic ciphers pose a basically new logical problem for the cryp-
tanalyst—algorithmic uncertainty, which can be quantitatively described with a
number of different potentially implementable modifications of the encryption
algorithm. In ciphers with a fixed algorithm, the uncertainty of the encryption
process for a cryptanalyst is related to the fact that he doesn’t know the secret
key, whose components (subkeys) are used as parameters in the transformation
procedures.
From the standpoint of the uncertainty of the encrypting transformations, flex-
ible ciphers can be presented as a form of specifying key components as adjustable
operations and encrypting transformation procedures. Obviously, it is possible to
design nondeterministic ciphers that use only such “functional” key components.
However, it is more reasonable to design flexible ciphers in which all modifications
of the encryption algorithm also use a regular encryption key that contains “para-
metric” key components. One feature of using “functional” key components is
specifying the uncertainty of the encryption procedures, which strongly hampers
giving a general analytic description of even elementary transformation steps.
With a high level of algorithmic uncertainty, the transformation of a given
block (or a number of blocks) can be described by the subset of all the possible
modifications of the encryption algorithm. From the point of view of quantitative
uncertainty characteristics, parametric and functional components are equivalent,
since the number of variants that can direct the encryption process depends only on
the number of key bits. However, algorithmic uncertainty introduces an important
qualitative feature—the difficulty of using analytic expressions when carrying out
a cryptanalysis. The uncertainty specified by parametric key elements is often re-
moved when mathematical formulas are used, whereas the uncertainty specified by
functional key elements is very difficult to generalize, and it is by no means obvious
as to how to write down the transformation equations. This significantly compli-
cates building a cryptanalytic algorithm that would make it possible to eliminate a
trial-and-error method of finding key elements.
It is especially advantageous to use combinations of functional and parametric
key components. The former give us logical complexity, while the latter give us
quantitative complexity. The major reason for such a combination is overcoming
the difficulties of providing a high level of algorithmic uncertainty.
We should mention that a strict discussion of the security of non-deterministic
cryptosystems is related to a number of formalized issues that are difficult to con-
sider, such as how to take into account the differences in the security properties of
individual modifications. Minimum estimations can be considered acceptable, but
excessive assumption in favor of the cryptanalyst can result in the rejection of
promising cryptoschemes. Other important problems that require solutions when
designing non-deterministic software ciphers are:

- Ensuring high security for all possible modifications of the encrypting
  algorithm against the keyless reading method
- Specifying a large number of nonequivalent modifications
- Providing an approximately equal probability of choosing a modification from
  each subset of equivalent modifications
- Providing for security against attacks based on a known and chosen
  modification of the cryptalgorithm

Let’s consider a number of ideas that can be used as the basis for creating non-
deterministic ciphers.

2.4.2 A Cryptoscheme with Permutations of Fixed Procedures


Let’s assume that the encryption of each input message consists of sequentially
performing a number of elementary operations on it—F1, F2, ..., Fn. In this case, a
specific encryption algorithm can be created by specifying the dependence of the
sequence of elementary transformations on the secret key. In practice, this can be
easily implemented by building the encrypting program from subroutines. The
number of various possible algorithms is S = n!, and for n = 16 we have S > 10^13.

2.4.3 Multipass Cryptoschemes with Flexible Algorithms


When using fast ciphers, it is possible to repeatedly encrypt the original text. Let’s
say we have a library of encrypting programs E1, E2, ..., En, and their corresponding
deciphering programs D1, D2, ..., Dn. To specify nondeterminism for the
encryption algorithm, we can provide an implementation of variants of the
encryption procedure that consist of m sequential procedures selected from the
{E1, E2, ..., En, D1, D2, ..., Dn} set; in other words, the resulting encryption will
take the form of the superposition of m procedures: E = F_{im} ∘ ... ∘ F_{i2} ∘ F_{i1},
where F ∈ {E1, E2, ..., En, D1, D2, ..., Dn} and i ∈ {1, 2, ..., n}.
Since sequential execution of the E and D procedures with the same indices
doesn’t change the message being encrypted, we’ll prohibit modifications of the
resulting function that correspond to such cases. For F_{i1}, any of the 2n elements
of the {E1, E2, ..., En, D1, D2, ..., Dn} set can be chosen, while for F_{i2}, F_{i3}, ...,
F_{im}, you can choose one of 2n − 1 elements. Taking this into account, it is easy to
calculate the number of all possible modifications S of the resulting encryption
function: S = 2n(2n − 1)^(m−1).
If the encryption function has the form E = F_{im} ∘ ... ∘ F_{i2} ∘ F_{i1}, its
corresponding decryption function will be

D = F_{i1}^(−1) ∘ F_{i2}^(−1) ∘ ... ∘ F_{im}^(−1),

where F_i^(−1) = Ej if F_i = Dj, and F_i^(−1) = Dj if F_i = Ej (j = 1, 2, ..., n).


Of special interest are ciphers based on procedures and transformation opera-
tions that depend on the data being transformed. In these ciphers, the particular
form of the operation (or procedure) performed at a given step depends on the
value of the text being transformed. When describing an encryption algorithm
based on standard operations, the set of these operations changes from one input
text to another. Unlike the nondeterministic ciphers discussed earlier, the trans-
formation algorithm in ciphers with data-dependent operations is fixed, since the
rule for choosing a particular type of operation depending on the current value
of the data being transformed is known. The use of encryption procedures with
operations that depend on the input message is rather promising when building fast
ciphers that have a high security.

2.4.4 A Cryptosystem with Adjustable Transformation Operations


The idea of using transformation operations as key elements consists of the follow-
ing. A template for the procedure of transformation of a current data subblock is
set. The template contains a set of numbered transformation operations. The par-
ticular values of the operations are adjusted in the precomputation stage depend-
ing on the secret key. This can be done according to the following scheme. A
pseudorandom number sequence is generated under the control of the secret key.
Depending on the value of the number that corresponds to the number of the
operation, a specific variant of that operation is adjusted. For example, a procedure
for transforming the current 32-bit data subblock T can include computations
according to the following formulas:

G := {[(T *n1 K1)>>>x1 *n2 K2]>>>x2 *n3 K3}>>>x3 *n4 G

C := [(G>>>x4 *n5 K4)>>>x5 *n6 K5]>>>x6 *n7 K6,

where C is the transformed value of the data subblock; K1, K2, …, K6 are 32-bit
subkeys that are constants in the encryption program or variables selected
depending on the data being transformed; G is a binary vector that determines the
influence of the previous data subblocks on the transformation of the current
subblock; the >>>x operator denotes a reserved unary operation (i.e., an operation
performed on one number—for example, W>>>x denotes a right circular shift by
x bits); the *n symbol denotes a binary operation such as modulo 2^32 addition (+),
modulo 2^32 subtraction (−), or bitwise addition modulo 2 (⊕); and n1, n2, ..., n7 are
the numbers of the reserved binary operations. It is suggested that you establish a
specific set of reserved operations in the precomputation stage depending on the
secret key.

2.4.5 A Pseudo-Probabilistic Non-deterministic Cipher


There is a definite interest in creating ciphers in which a non-deterministic
transformation mechanism is directly combined with data-dependent subkey selection.
With such a combination, the creation of weak algorithm modifications is prevented,
because the security of encryption procedures with pseudorandom subkey selection
is not critically sensitive to the particular set of binary and unary transformation
operations used. (Moreover, if the subkey selection depends on every bit of the
input message for any modification, it is impossible to create a weak modification,
even if the operation sets are chosen deliberately.)
An example of implementing such an approach is the following algorithm, in
which an encryption key consisting of 2051 8-bit words is used: {q_j}, where
j = 0, 1, 2, ..., 2050. The 32-bit subkeys are specified by the relationship
Q(x) = q_{x+3} || q_{x+2} || q_{x+1} || q_x, where x = 0, 1, 2, ..., 2^11 − 1. The
encryption key should be created at the precomputation stage. The right circular
shift of the word W by x(f) bits serves as the reserved unary operation W>>>x, where
f = 1, 2, 3, ... is the ordinal number of the reserved operation. The input message
is a 512-byte data block that is represented as a sequence of 32-bit words {Tw},
w = 0, 1, ..., 127.
INPUT: The 512-byte data block {Tw}, w = 0, 1, ..., 127.

1. Set r = 1, R = 2k (k is a natural number) and define Lw = Tw, w = 0, 1, ..., 127.
2. Set the counter i := 1 and the initial values of the variables U, V, Y, G and
   n: U := Q(1), V := Q(2), Y := Q(3), G := Q(4), n := Q(5) mod 2^11.
3. Compute:
   n := {[n ⊕ (G mod 2^11)] − U} mod 2^11
   V := {[V *n7r−6 Q(n)]>>>x(5r−4) + G}>>>11
   n := (n *n7r−5 V) mod 2^11
   U := [U *n7r−4 Q(n)]>>>x(5r−3) − (G>>>22)
   n := (n + U) mod 2^11
   Y := [Y *n7r−3 Q(n)]>>>x(5r−2)
4. Compute the index of the subblock currently being transformed:
   w = 120 − i if r = 2, 4, ..., 2k, or w = i − 1 if r = 1, 3, ..., 2k − 1.
5. Perform the current encryption step:
   G := (Lw *n7r−2 V)>>>x(5r−1) *n7r−1 Y
   Cw := G>>>x(5r) *n7r U
6. Save the Cw value.
7. If i < 128, increase i and go to step 3.
8. If r < R, increase r, define Lw = Cw, w = 0, 1, ..., 127, and go to step 2. If not,
   STOP.

OUTPUT: The 512-byte ciphertext block {Cw}, w = 0, 1, ..., 127.
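The algorithm above as an added worked example, not code from the book: a Python implementation in which the 2051-byte extended key, the reserved binary operations *n and the shift amounts x(f) are all derived from the secret key at the precomputation stage (the adjustable-operation scheme of Section 2.4.4), together with the matching decryption. Assumptions: SHAKE256 stands in for the one-way precomputation transform, the step 4 index is taken as 128 − i because 120 − i as printed does not address all 128 words, and words are little-endian as in Section 2.6.

```python
import hashlib

MASK32 = 0xFFFFFFFF
MASK11 = 0x7FF  # subkey numbers n are always reduced mod 2^11


def ror(w, x):
    """Cyclic right shift of a 32-bit word; only the 5 low bits of x are used."""
    x &= 31
    return ((w >> x) | (w << (32 - x))) & MASK32


def rol(w, x):
    x &= 31
    return ((w << x) | (w >> (32 - x))) & MASK32


# Reserved binary operations *n: (forward a *n b, inverse giving a back from c = a *n b).
BIN_OPS = {
    "+": (lambda a, b: (a + b) & MASK32, lambda c, b: (c - b) & MASK32),
    "-": (lambda a, b: (a - b) & MASK32, lambda c, b: (c + b) & MASK32),
    "^": (lambda a, b: a ^ b, lambda c, b: c ^ b),
}


class FlexibleCipher:
    """512-byte block cipher of Section 2.4.5 with key-adjusted reserved operations."""

    def __init__(self, secret_key, R=4):
        self.R = R
        # Precomputation stage. Assumption: SHAKE256 stands in for the one-way
        # extended-text transform. The first 2051 bytes are the extended key {q_j};
        # the rest choose the 7R binary operations n_f and the 5R shift amounts x(f).
        ext = hashlib.shake_256(secret_key).digest(2051 + 12 * R)
        self.q = ext[:2051]
        self.n_ops = [None] + ["+-^"[b % 3] for b in ext[2051:2051 + 7 * R]]
        self.x = [None] + [b & 31 for b in ext[2051 + 7 * R:]]

    def Q(self, x):
        q = self.q  # Q(x) = q[x+3] || q[x+2] || q[x+1] || q[x], x < 2^11
        return (q[x + 3] << 24) | (q[x + 2] << 16) | (q[x + 1] << 8) | q[x]

    def _op(self, f, a, b, inverse=False):
        return BIN_OPS[self.n_ops[f]][1 if inverse else 0](a, b)

    def _select(self, r, U, V, Y, G, n):
        """Step 3: data-dependent subkey selection driven by the previous G."""
        x = self.x
        n = ((n ^ (G & MASK11)) - U) & MASK11
        V = ror((ror(self._op(7 * r - 6, V, self.Q(n)), x[5 * r - 4]) + G) & MASK32, 11)
        n = self._op(7 * r - 5, n, V) & MASK11
        U = (ror(self._op(7 * r - 4, U, self.Q(n)), x[5 * r - 3]) - ror(G, 22)) & MASK32
        n = (n + U) & MASK11
        Y = ror(self._op(7 * r - 3, Y, self.Q(n)), x[5 * r - 2])
        return U, V, Y, n

    def _process(self, words, decrypt):
        L = list(words)
        rounds = range(self.R, 0, -1) if decrypt else range(1, self.R + 1)
        for r in rounds:
            C = [0] * 128
            U, V, Y, G = self.Q(1), self.Q(2), self.Q(3), self.Q(4)
            n = self.Q(5) & MASK11
            for i in range(1, 129):
                U, V, Y, n = self._select(r, U, V, Y, G, n)
                # Step 4. Assumption: 128 - i (the page prints 120 - i, which cannot
                # address all 128 words of the block).
                w = 128 - i if r % 2 == 0 else i - 1
                x5, x4 = self.x[5 * r], self.x[5 * r - 1]
                if not decrypt:  # step 5
                    G = self._op(7 * r - 1, ror(self._op(7 * r - 2, L[w], V), x4), Y)
                    C[w] = self._op(7 * r, ror(G, x5), U)
                else:  # step 5 undone: G is recovered first so step 3 sees the same chain
                    G = rol(self._op(7 * r, L[w], U, True), x5)
                    C[w] = self._op(7 * r - 2, rol(self._op(7 * r - 1, G, Y, True), x4), V, True)
            L = C
        return L

    def encrypt(self, block):
        return _to_bytes(self._process(_to_words(block), False))

    def decrypt(self, block):
        return _to_bytes(self._process(_to_words(block), True))


def _to_words(block):
    assert len(block) == 512
    return [int.from_bytes(block[4 * w:4 * w + 4], "little") for w in range(128)]


def _to_bytes(words):
    return b"".join(w.to_bytes(4, "little") for w in words)


if __name__ == "__main__":
    # Constructed demo: two keys give two different operation sets and ciphertexts.
    k1, k2 = FlexibleCipher(b"constructed key A"), FlexibleCipher(b"constructed key B")
    pt = bytes(range(256)) * 2
    assert k1.decrypt(k1.encrypt(pt)) == pt
    print(k1.n_ops[1:8], k2.n_ops[1:8], k1.encrypt(pt) != k2.encrypt(pt))
```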


This algorithm describes the encryption procedures. Their corresponding
decryption procedures are easy to create, since they differ only in steps 3 and 4. The
number of possible modifications (different variants of setting the reserved
operations) of this nondeterministic algorithm is S ≈ 10^(10R). The size of the
resident part of the encryption program for these algorithms does not exceed 5 KB.
The number of encryption cycles of the given input block is determined by the R
parameter, whose valid values are R ≥ 3. The encryption speed is about 300/R
Mbits/sec (for Pentium processors), and the number of implementable nonequivalent
modifications of the cryptalgorithm is greater than 10^(10R). This algorithm is
secure, assuming that an
attacker knows all the transformation operations and 90 percent of the subkeys. A
variant of an attack based on a known part of the extended key will be discussed later.
In general, the security of specific modifications of pseudorandom ciphers isn’t
critically sensitive to the operation sets used or their specific types, so using a sub-
key selection mechanism depending on the data being transformed presents many
opportunities of varying and combining various types of binary and unary
transformation operations. The main advantage of this feature of pseudorandom
ciphers is not so much in the ease of creating a wide range of fast cryptalgorithms
for software implementation as in the possibility of developing a great number of
fast, nondeterministic cryptosystems, in which the transformation algorithm and
the encryption key are unknown to the cryptanalyst. To build ciphers with a mod-
ifiable cryptalgorithm, you must additionally provide an initialization function for
the encryption algorithm, this function being executed under the control of the
user’s secret key (or password). If the number of possibly implementable
modifications of a cryptalgorithm is very large (for example, 10^20), this method of
providing for the transformation’s security will be quite effective.

Even though the modification being implemented is assumed unknown in
nondeterministic ciphers, this doesn’t contradict Kerckhoffs’s principle, according to
which the data encryption algorithm must be considered known to an attacker.
This principle is one of the most important ones when creating new single-key
cryptosystems. It can be stated more generally: all constant elements of data pro-
tection mechanisms must be considered known to an attacker. For example, in the
Russian encryption standard GOST 28147-89, “filling in the tables of the substitu-
tion box,” which is a “constant key element common for the computer network,”
must be considered known to an attacker, even though, according to the docu-
mentation, it is “a secret element supplied in compliance with the established pro-
cedure.” Using such permanent (although changeable) secret parts of encryption
schemes provokes some other comments. In nondeterministic ciphers, the setup
procedures for the encryption algorithm are constant elements, and its particular
modification and the encryption key are changeable elements of the cryptosystem,
which are automatically changed simultaneously when changing the passwords,
and are unique for every user (or every pair of subscribers to the protected com-
munication network).
Ciphers with pseudorandom key selection are secure against known cryptana-
lytic methods. However, new methods may be invented in the future based on the
analysis of the statistical properties of the transformation procedures and opera-
tions or some other features of the encryption algorithm. The development of non-
deterministic ciphers is aimed at minimizing the risk of compromising the
cryptosystem for a long time to come.

2.4.6 Flexible Ciphers with a Provable Non-equivalence of Cryptalgorithm Modifications

A key selection mechanism depending on the transformed data seems to be the
basis that can provide high transformation security over the entire set of imple-
mentable modifications of the cryptalgorithm. This is ensured by the fact that every
possible modification determines the uniqueness of the subkey selection for every
input message. For non-deterministic ciphers, one important issue is the following:
could it be possible to select such modifications of a multiround encryption func-
tion so that several subsequent rounds are equivalent to a decryption function that
specifies inverse transformations relative to several previous enciphering rounds?
This question is urgent for ciphers that generate a transformation algorithm using
a randomly selected secret key. One can assume that for the class of encryption
functions based on the subkey selection depending on the transformed data, such
situations are impossible.
The proof of this statement generally seems to be quite complex. However, it
can be true for specific types of flexible ciphers. An example is the flexible cipher
discussed in Section 5.6.7. No modifications of direct encrypting transformations
can lead to inverse modifications for this flexible 64-bit block cipher. It is possible
to demonstrate that, for a number of rounds from among all possible modifications
of the algorithm, it is impossible to find such a modification to which one could
specify round groups that determine mutually inverse transformation functions. In
other words, no modification of the algorithm includes two mutually inverse trans-
formation stages.
This proof makes sense as one of the properties supporting the conclusion that
security increases as you increase the number of encryption rounds. It was proved
earlier for the aforementioned 64-bit cipher that, in a certain sense, all possible
modifications of the cryptalgorithm are unique. This assertion is very useful when
estimating the effectiveness of the dependence of the encryption algorithm on the
secret key, in the sense that the set of modifications will not break up into subsets
of equivalent cryptalgorithms, which in principle could significantly simplify the
cryptanalysis. Another example of flexible cryptosystems for which the properties
of uniqueness and irreducibility can be proved is the 128-bit cipher discussed in
“Cipher and Hash Function Design,” Ph. D. thesis by J. Daemen.
We should mention that the aforementioned issues, specific to flexible ciphers,
only indirectly indicate the security of this type of cryptosystem. If the cryptosystem
didn’t satisfy the requirements of the irreducibility of the direct and inverse trans-
formations and the uniqueness of all enciphering transformations, it would be pos-
sible to speak about the insufficient effectiveness of the mechanism for specifying the
dependence of the encryption algorithm on the secret key. However, just because
these requirements are satisfied, the issue of estimating the security of a flexible
cipher doesn’t become less urgent. This means that the security estimation must be
performed with the assumption that the cryptalgorithm modification is known.
The possibility of using the subkey selection mechanism depending on the
transformed data as a basis for designing flexible cryptosystems that possess
uniqueness and irreducibility is an important general feature. For practical use,
fast ciphers are more interesting, but it is more difficult to prove these properties
for them, due to their more complex subkey selection controlling mechanism.
Building flexible ciphers in which both common operations and data-dependent
ones are adjusted according to the key also seems promising. It is also difficult to
present a formal proof that these flexible ciphers possess the properties of unique-
ness and irreducibility, but the presence of these properties in simpler construc-
tions based on key selection depending on the transformed data is one of the
elements for justifying the practical use of more complex constructions.

2.5 THE COMBINATIONAL-PROBABILISTIC MODEL

The security of the cipher described in the preceding section is mainly based on the
following points:

- The subkey selection is unique for every input block.
- The number of possibly implementable modifications of the cryptalgorithm is
  extremely large.
- The subkeys aren’t directly used when transforming the words of an input
  message.

The nature of the transformations is such that the numbers of the subkeys
selected during encryption make up a pseudorandom sequence—in other words,
the subkey selection depending on data seems random. For a general estimation of
the security of this type of cipher, we can use a combinational-probabilistic model
(CPM), which is expressed in the following assumptions:

- A cryptosystem is considered cracked if an attacker finds a pair of words that
  were transformed using the same set of values of the U, V, and Y variables.
- The effort it takes to find such a pair of words in the set of known or chosen
  texts determines the value of the security of the cryptosystem.
- In the case of a known-plaintext attack (CPM-1) or a chosen-plaintext attack
  (CPM-2), in the rounds with the numbers r ≥ 2 (CPM-1) or r ≥ 3 (CPM-2), the
  U, V, and Y variables take random values.

The probability that the values of the used variables coincide for two transformed
words is P = M^(−3(R−1)) (CPM-1) and P = M^(−3(R−2)) (CPM-2), where M ≈ 2^32 is the
number of different possible values taken by the U, V, and Y variables. Taking into
account the “birthday paradox,” the N ≈ P^(−1/2) value specifies the number of input
words for which, with a probability approximately equal to 0.5, there are two input
words transformed using the same values of the U, V, and Y variables in the rounds
with the numbers r ≥ 2 (CPM-1) or r ≥ 3 (CPM-2). The N value determines the volume
of texts necessary to launch a cryptanalytic attack. The minimum effort the attack
takes, Smin, is determined by trying half of the possible combinations of 2 out of N
elements. It is easy to obtain Smin ≈ sr·M^(3(R−1))/4 (for CPM-1) and
Smin ≈ sr·M^(3(R−2))/4 (for CPM-2), where sr is equal to the complexity of some
criterion of repetition detection (sr ≥ 1 operations). Here we assume the algorithm
modification is known to the attacker. The secrecy of the algorithm is considered an
additional guarantee of security. To test
the factor related to the secrecy of the set of transformation operations, it is possible
to suggest an attack based on a specially chosen modification of the cryptalgorithm
that would allow a cryptanalyst to select the most convenient of the implementable
modifications.
Pseudorandom ciphers similar to those described earlier are secure against at-
tacks based on a known part of the extended key, even if the modification is known.
Let’s consider the issue of estimating security when an attacker knows a portion
of the extended key equal to Δ.
When the value of Δ is large enough, in a chosen-text attack (we are referring
to CPM-2) an attacker can choose an input text for which the subkeys will be selected
only from the known part of the extended key in the first round. This is why
the input text for the second round can be computed, but in the second and sub-
sequent rounds, the subkeys will be selected according to a pseudorandom law.
Therefore, in each selecting step, addressing an unknown part of the key will take
place with a probability of 1 – Δ. If this happens before completing the transfor-
mation of several words in the next to last round, the problem of computing the
subkey values will seem complicated, since, in this situation, the numbers of the se-
lected subkeys are unknown. The probability that, when transforming the current
word in the second and subsequent rounds, only subkeys from the known part of
the extended key will be selected is P1 = Δ^3. The probability of selecting known
subkeys in all the steps in rounds r = 2, 3, ..., R − 1 is P2 = Δ^(3e(R−2)), where e is
the number of words being transformed. If P2 is a small value Pa, say, Pa = 10^(−30),
we can consider the cipher secure against this attack variant. From the Pa value, it
is possible to compute a secure known portion of the extended key Δa. For e = 120,
we can easily obtain from the previous formula that

Δa = exp( ln Pa / (360(R − 2)) ).

For CPM-1, the following estimation can be obtained in a similar fashion:

Δa = exp( ln Pa / (360(R − 1)) ).

For the algorithm described in Section 2.3.5, CPM-2 gives the following esti-
mate: Δa is about 0.82 (for R = 3) and 0.91 (for R = 4). Obviously, for the same R
value, the secure portion of the known key for CPM-1 is greater than Δa for CPM-2.
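The CPM estimates of this section (N, Smin and Δa for both CPM-1 and CPM-2) as an added worked example, not from the book: a Python calculator that carries the formulas through for M = 2^32 in log2 form and derives Δa from P2 = Δ^(3e(R−2)) = Pa; the values Δa ≈ 0.82 (R = 3) and 0.91 (R = 4) quoted in the text come out of it. Assumed: sr = 1 and e = 120, as in the text.

```python
import math

M = 2 ** 32            # number of values each of U, V, Y can take (M ≈ 2^32 in the text)
WORDS_PER_ROUND = 120  # e, the value the text uses in its estimate


def cpm_free_rounds(R, model):
    """Rounds in which the model treats U, V, Y as random: R-1 (CPM-1) or R-2 (CPM-2)."""
    assert model in (1, 2) and R >= 3
    return R - model


def log2_coincidence_probability(R, model):
    """log2 P with P = M^(-3(R-1)) for CPM-1 and P = M^(-3(R-2)) for CPM-2."""
    return -3 * cpm_free_rounds(R, model) * math.log2(M)


def log2_texts_needed(R, model):
    """log2 N with N ≈ P^(-1/2): words giving a ~0.5 chance of a repeated (U, V, Y) triple."""
    return -log2_coincidence_probability(R, model) / 2


def log2_min_effort(R, model, s_r=1):
    """log2 Smin with Smin ≈ s_r * M^(3(R-1))/4 (CPM-1) or s_r * M^(3(R-2))/4 (CPM-2),
    i.e. half of the C(N, 2) ≈ N^2/2 pairs, each costing s_r operations to compare."""
    return math.log2(s_r) - log2_coincidence_probability(R, model) - 2


def secure_known_fraction(R, model, P_a=1e-30, e=WORDS_PER_ROUND):
    """Δa: the known fraction of the extended key at which P2 = Δ^(3e(R-2)) (CPM-2) or
    Δ^(3e(R-1)) (CPM-1) equals P_a; with e = 120 this is exp(ln P_a / (360(R-2)))."""
    return math.exp(math.log(P_a) / (3 * e * cpm_free_rounds(R, model)))


def estimate(R, model, P_a=1e-30):
    """All three CPM figures for one round count and one attack model."""
    return {
        "log2_N": log2_texts_needed(R, model),
        "log2_Smin": log2_min_effort(R, model),
        "delta_a": secure_known_fraction(R, model, P_a),
    }


if __name__ == "__main__":
    for R in (3, 4):
        for model in (1, 2):
            print(f"R={R} CPM-{model}: {estimate(R, model)}")
```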

2.6 FAST SOFTWARE CIPHERS—DESIGNATIONS AND TERMINOLOGY

When considering fast software algorithms of cryptographic transformations, the
following designations and terms will be used.

- The term word should be interpreted as a 32-bit number designated by uppercase
  Latin characters; bytes will be designated by lowercase Latin letters.
- “||” stands for the concatenation operation. Concatenation of two bytes, a1 and
  a2, is designated as a2||a1, where a2 corresponds to the most significant
  bits. Concatenation of four sequential bytes {a1, a2, a3, a4} is represented as
  A = a4||a3||a2||a1.
- The sequence of bytes L̄ = {l0, l1, …, ln} will also be interpreted as a sequence of
  32-bit words L̄ = {L0, L1, …, Ls}, where Lj = {l4j+3, l4j+2, l4j+1, l4j} and j = 0, 1,
  …, s. When interpreting several sequential bytes as a binary number, the
  rightmost byte relates to the most significant bits of the number. For example,
  the sequence L̄ is interpreted as the number ln||…||l1||l0; in some cases, the Li
  designation will be interpreted as the equivalent designation L[i]: L̄ = {l0, l1, …,
  ln} = {l[0], l[1], …, l[n]}.
- “:=” stands for the assignment operation.
- “+f” stands for modulo 2^f addition (i.e., the j := Z mod 2^11 expression is
  equivalent to j := Z +11 0).
- “−f” designates modulo 2^f subtraction.
- “⊕” designates modulo 2 bitwise summation.
- “⊗” designates bitwise logical multiplication.
- “>>>” (“<<<”) stands for cyclic right (left) shift. For example, a cyclic right shift
  of the word X by Y bits is designated in the following form: “X>>>Y” (note that
  only log2 32 = 5 least significant bits of Y are used for specifying the shift
  value). The “>>>” operation has higher priority (“>>>” > “∗”, where
  “∗” ∈ {“⊗”, “⊕”, “+f”, “−f”}).
- “W ↔ V” designates the operation of exchanging values between words W and V.
- Hexadecimal constants used: F = FFFF07FF, a = 0D, P = B25D28A7
  1A62D775, R = 98915E7E C8265EDF CDA31E88 F24809DD B064BDC7
  285DD50D 7289F0AC 6F49DD2D.

2.7 CIPHERS BASED ON SUBKEY SELECTION DEPENDING ON THE DATA

One of the promising areas of applied cryptography is development of fast
software-oriented ciphers. Several approaches have been suggested for building such
ciphers. One of the promising approaches consists of using a sample of subkeys de-
pending on the data being transformed as the basic cryptographic primitives. A
range of 512-byte block encryption algorithms based on such mechanisms was sug-
gested. It is interesting that until now, no one has suggested practically imple-
mentable approaches to compromising these ciphers. To obtain a generalized
evaluation of the lower level of cryptographic strength of ciphers of this type, a
combinatorial-probabilistic cryptanalysis model was suggested. Evaluations ob-
tained using this model have not been lowered until now, despite the model’s
heuristic nature. These facts serve as evidence in favor of the efficiency of the mech-
anism based on subkey sampling on the basis of transformed data for development
of fast software-oriented ciphers.
In a first approximation, the mechanism of subkeys sampling depending on the
transformed data is the classical large substitution operation (ranging from 8 × 16
in first algorithms to 11 × 32 in newer ones), carried out according to the secret
table, the role of which is played by the encryption key. For example, the 64-bit
BLOWFISH cipher, built based on the Feistel cipher, implements round function
as a 32 × 32 substitution using four 8 × 32 S-boxes and three binary operations.
The fact that this cipher has been acknowledged strong after many years of its
public discussion also provides a general confirmation of the mechanism of data-
dependent subkeys sampling.
When considering the subkeys sampling mechanism depending on the data, it
is possible to discover that its main implementation makes provision for subkey
sampling depending on the current data subblock, and on the other data subgroups
transformed in the previous steps. Although this difference from the table substitution at first glance seems insignificant, it is principally important. Thanks to the prolonged influence of the data being transformed, the subkey sampling mechanism under consideration can be described neither by a simple table substitution of a reasonable size (such as 32 × 32, for example) nor by a data-dependent table substitution (for example, a 32 × 32 substitution selected by the current value of one of the 32-bit data subblocks). Because data-dependent key sampling cannot be described as a table substitution of a reasonable size, this cryptographic primitive has enormous internal potential.
One of the most interesting implementations of ciphers based on data-dependent
subkeys selection is the “SPECTR-Z” software-oriented block algorithm. In con-
trast to earlier 512-byte block software algorithms, this algorithm is faster thanks to
the use of special transformation of the initial and final 32-bit subblocks of the
input 512-byte data block. A specific feature of the block ciphers characterized by
the large size of the input text is that they allow you to build such an encryption al-
gorithm, in which powerful avalanche effect evolves within a single encryption
round, when sequentially encrypting data subblocks, the number of which can be
large enough. For example, in the case of 512-byte ciphers, the input data block is
split into 256 16-bit subblocks or into 128 32-bit subblocks. The bottleneck of the
software-oriented ciphers of this type is that encryption of the first data subblock in
each round is carried out using fixed values of variables participating in the en-
cryption procedure. This circumstance makes it necessary to carry out additional
transformation of the initial and final data subblocks. In earlier versions of this
method, one or two additional rounds of transformations were carried out. In the
SPECTR-Z cipher, additional transformation is carried out only over eight 32-bit
data subblocks (four initial and four final) in the form of a reduced round made up
of 40 steps (five loops with eight iterations each) converting individual data sub-
blocks. The reduced round is intended for efficient and fast amplification of the
avalanche effect initiated by inversions of bits in extreme data subblocks. Actually,
a reduced round is executed three times faster than a complete round. Thanks to
the use of a reduced round of such a structure, the encryption procedure can be
limited only by two complete rounds. This allowed the SPECTR-Z algorithm
to reach the encryption speed exceeding 140 Mbps for the Pentium-II 266
microprocessor.

2.8 ENCRYPTION ALGORITHMS IN CONTEMPORARY COMPUTER SECURITY SYSTEMS

Contemporary information security products for protection against unauthorized access are based on the global encryption technology. The requirement of ensuring
security of the information circulating within computer systems in relation to mul-
tiple potential threats makes it necessary to employ multiple cryptographic mech-
anisms in complex information security products for protecting computer systems
against unauthorized access. Cryptographic mechanisms are classified into three
basic groups: cryptographic mechanisms for supporting the global encryption in
real-time mode, cryptographic mechanisms for file encryption in real-time mode,
and cryptographic mechanisms for encryption of the operating system loader.
The example of contemporary computer security systems is the software-
oriented information protection complex based on the SPECTR-Z algorithm,
generally recognized and widely used in Russia. The SPECTR-Z system (Russian
Federation State Technical Committee certificate #251) is intended for protecting
PCs running Windows 95/98 and is a new version of the COBRA information security product for protecting information against unauthorized access (Certificate #20), which is widely used for protecting PCs running MS DOS.

2.8.1 Fast Encryption of Disk Data

In computer security systems operating in real-time mode, it is necessary to use fast
encryption algorithms for encrypting information processed by computer systems;
namely, for supporting automatic encryption of all data stored on the fixed storage
devices in the real-time mode. In real-world implementations, the algorithm must
ensure the possibility of dynamic encryption (encryption in the course of writing
the data and decryption when reading the data from the fixed storage devices). The
encryption speed must be considerably higher than the data reading speed. Con-
temporary built-in magnetic storage media ensure the read/write speed of about
several tens Mbps, which makes it necessary to ensure the encryption speed higher
than 100 Mbps when using commercial Pentium-compatible processors.

Criteria of Definition
An example of the fast encryption algorithm is SPECTR-Z used in the information
security product for protection against unauthorized access of the same name for
transforming the data stored on hard disks. When the SPECTR-Z algorithm was
initially designed, it was assumed that its main field of application would be ensur-
ing internal encryption in computer systems and used as part of security products
intended for protection against unauthorized access retaining high performance of
computer systems.

Information protection in communications links often requires ciphers to be implemented as cryptochips. Development of universal algorithms that are oriented both toward software and hardware implementations doesn’t allow for reaching the fastest encryption speed for narrower application areas.

The technological nature of application of this cipher makes it urgent to achieve the maximum possible performance and high strength against attacks
based on known and specially chosen texts. The need to maintain the initially high
performance of the computer systems being protected also results in the need to
preserve the possibility of arbitrary access to the data stored on fixed storage media.
The value of 512 bytes was chosen as the value of the input data block for the
SPECTR-Z algorithm. This corresponds to the minimal discrete data block in the
course of information exchange between RAM and fixed storage memory. In addi-
tion, this size is large enough to ensure high cryptographic strength along with rel-
ative simplicity of the block encryption procedures. To achieve this strategic goal,
developers used the following criteria:
The procedure of encrypting the input 512-byte data block must be carried out
as a sequential transformation of 128 4-byte (in other words, 32-bit) words
using operations that require a minimum number of clocks (“+32,” “−32,” “⊕,”
“>>>,” “<<<,” swapping data between registers, sampling data from RAM).
Every bit of all words transformed at previous stages of the encryption process
must have a significant influence on the process of conversion of all further
words. In other words, sequential transformation of words must be executed in
the concatenation mode. This will ensure a strong avalanche effect when pass-
ing from initial to the final words of the input block. Because it is assumed to
carry out 128 elementary steps for conversion of 32-bit words within one
round, this mechanism will play a considerable role in ensuring high crypto-
graphic strength with low number of encryption rounds.
To ensure efficient concatenation mode, the encryption algorithm must make
provision for at least two variables, the current values of which will be formed
depending on their previous values and on the value of the currently trans-
formed word.
As a basic mechanism of transformation, it is expedient to use the approved
sample of subkeys depending on the data being converted. This mechanism is
a variant of the table substitution using secret tables.
To strengthen the influence of the bits of the words being transformed on the en-
cryption process, it is expedient to execute some cyclic-shift operations depending
on the data being transformed. Contemporary commercial processors execute
these operations fast; furthermore, such operations were found highly efficient as
the basic cryptographic primitive in such ciphers as RC5, RC6, and MARS.
To obtain the possibility of building an efficient subkey sampling mechanism
depending on the data being converted, the size of the encryption key was cho-
sen to be equal to 2051 bytes. This allows for specifying the influence of 11 bits
of the word currently being transformed per one key access operation.
To form an extended encryption key, it is necessary to provide the procedures
of transforming the user’s secret key implemented as precomputations. In this
case, precomputations must ensure strong influence of each bit of the secret
key on the value of the extended key. Modification of any bit of the secret key
must result in the inversion of each bit of the extended key with the probabil-
ity of 50 percent.

General Scheme of Transformations

In the SPECTR-Z cryptographic system, as in other extended-key ciphers, it is assumed that the extended key is built depending on the secret key of comparatively
small length using special procedures carried out as precomputations. In ciphers
oriented toward the use in computer systems in the form of software modules, the
precomputations procedure might be complicated enough, because it is assumed
this procedure will be executed only when the cryptographic system is initialized
(powered on). It is expedient that such a procedure be executed at the phase of the
bootstrap loading of the PC. Thus, in the variant under consideration, the crypto-
graphic algorithm doesn’t imply any considerable limitations on the duration of the
precomputations procedure. Consequently, no considerable limitations are im-
plied on the computer resources, because the precomputations subroutine is non-
resident. This means that it is possible to use multistep procedures that cause a
strong avalanche effect. In particular, this means that multiple use of the direct
encryption algorithms of the SPECTR-Z cryptographic system described in the
next section is also possible.
The use of precomputations forces the intruder to choose between two main
variants of the attack implementation:

The intruder can assume that the secret key is chosen arbitrarily and can consider
relatively simple encryption procedures to detect some kind of vulnerabilities.
The intruder can consider more sophisticated procedures of forming the en-
cryption key to discover the secret key by solving the encryption equation.

Obviously, procedures of forming the encryption key must be sophisticated enough to ensure that computation of any part of the secret key is impossible based
on individual fragments of the encryption key. The main requirements to the algo-
rithm of building the encryption key are:

Approximately equiprobable influence of each bit of the secret key on all bits of
the extended key being formed
High computational complexity of discovering the secret key on the basis of
partially (for example, by 50 percent) disclosed extended key.

These conditions are satisfied for the precomputations algorithm implemented in the SPECTR-Z system. Thus, the SPECTR-Z software cipher can be implemented in the form of two subroutines: an initialization module intended to run once,
and resident encryption module that serves requests of other programs for data en-
cryption and decryption. The structure of the software encryption module with
precomputations is shown in Figure 2.1.
In computer applications, the presence of precomputations plays an additional
role. The use of sophisticated computational procedures considerably complicates
implementation of password attacks. In this case, the check of each password vari-
ant will require the attacker to carry out precomputations.
FIGURE 2.1 Scheme of a software cipher with precomputations.

2.8.2 Precomputations
The SPECTR-Z algorithm uses the 2051-byte encryption key Q, which is formed at
the precomputations stage based on the user’s secret key. The extended key is an or-
dered byte sequence q[i]: Q = {q[i]}, where i = 0, 1, … , 2050. When forming the
encryption key, the Encrypt_Z procedure and a specified table Z, interpreted as the
byte sequence ⎯Z = {z[i]}, where i = 0, 1, … , 2050, are used. Both the Encrypt_Z
procedure and the Z table are described here. The algorithm for generation of the
extended key consists in execution of the Form_Q procedure, which accepts the
user’s secret key as the input parameter. The length of the user’s secret key ranges
from 64 to 512 bits.
The ⎯Z table is a 2051-byte sequence:

{Z', z[1024], z[1025], z[1026], z[1027], Z"},

where z[1024] = 9A, z[1025] = 05, z[1026] = 3C, z[1027] = 29, and the ⎯Z′ and⎯Z′′
sequences (⎯Z′′ differs from ⎯Z′ only in that the last five bytes are missing from
⎯Z′′) are represented by the ⎯G = {G0, G1, … , G512} sequence made up of 32-bit
words written in the form of hexadecimal numbers Gk = g[4k+3]||g[4k+2]||g[4k+1]||g[4k], where
k = 0, 1, … , 256:

59CD4F6D, 90873546, F408639D, B3B33D0D,
A226970F, DD6C55E9, 4EE9E996, E0BBD6B2,
ED569ED7, 422895FD, F5A08568, F260AA2E,
97CEFB13, 06D4837F, B51D92BF, 1F1C2D64,
97F7A7CB, 7ED14440, 93DC3AE2, 3CC5A6C1,
E8CF40AB, A75CEBD4, F741D801, 852E14E2,
FC386A79, 136DD74A, 22E25EA8, 0E4F18E4,
2D96801C, 3C80C89C, 2587EBA7, D5DA001D,
7C897B55, 76E1023E, 7329EC2A, D8DF68AB,
04C87FF6, B6249125, B63EF3D8, 3DAE29FB,
BE73CD22, DE96E603, FA4A8E95, 8D5F76CA,
A69F48A7, 3AFBB8CE, 2CE563DA, D9994EC9,
6B7DFA9F, 5A6B2CEB, 0A0B7E78, 0A4E2064,
EF964255, D0C8F360, 55266FBB, 3A166B3E,
1FEFDEE8, 76CEB1B8, 35480947, 25704556,
70026E20, 67B492E3, B91D054D, 1D850806,
125163DC, D4177C68, 2BA29D5E, E857ABCD,
69BF02D5, 7EDC842D, 6114C2C7, 2DB5A9F1,
983E70A3, 71B68CDD, 2DB7B8D9, CF4E94B2,
0E4B408B, E79E14A4, FCD8328C, 0CB4816E,
A1277953, C05BD4FE, E28C3697, 0552C004,
D692E406, D1ADBB1A, 5E66E661, DF4C1388,
11905A1C, 7625AB81, E46165AD, F0D8FAD0,
804A9589, A7A71158, 523A80A7, 1DD95546,
A7588D94, 960BDFD4, 152F1BE7, 1C3123BB,
EA88761F, 62ABD13A, 04A8986B, 73EC0AE6,
F78A987B, 8B34DB2F, 0C5152A3, AC2B2612,
360320D2, 562DC9BC, 349C5922, 1D021BF7,
6155500B, AB28C8B7, 1889F88C, 2A35806C,
D7DA49E7, F218B83B, 39FCEE19, FFD5F4AF,
3C81278E, 6FB41F54, 67EBC971, 6019F1F0,
D315E4C6, 91E47276, F73D93E4, C240B75A,
33F14370, D2457429, A32A5CCF, 40DDF94E,
80E47D16, B2C7BD8E, 90BA4275, 6C7922AB,
B2A51B55, E6250E32, D9971E0F, D70EF0DB,
685779AA, 05674EC3, 393D6C1B, 5A3CCDEA,
2374D804, F3659EDD, 5BF178CD, 04AE819B,
F984DD85, 81FCA05D, 8548F8D7, FCF546F9,
F7CC93BE, EFC9298C, 8F8C98D0, 756C4F45,
F14223E1, 86FEF671, 2B112DA4, 331C975E,
1BBCA16D, 8D695847, CC6097F7, E914DF4F,
1B97C93D, DB12475D, 57BBFFFC, 4D7A5833,
AECFB8B9, 8C8CB213, F7A9E9D9, C4AADB49,
950D7683, C68375EA, 9E4A232C, 2EF4700E,
27B2A314, A01D80B1, 5161633B, 2954D4C4,
B494D1AF, 1420879E, EEAE1361, 0F183EB0,
4973279C, E7A80D21, E5671416, 86D8CE7A,
D247FA63, D7AF44C2, 87443304, BBBE9F57,
202C07FD, 875FF05A, 43CC216C, 06350407,
9FA206BB, 95319458, AC8F2486, E822D6DB,
0DC11C62, B5479520, 45C446D7, 85938591,
948F0F43, 839F1C97, D407CB1A, A3537935,
E7DB9374, 3925653F, D15A2D07, 97530098,
7FD905D0, 7CCCDFBC, 77AAF70E, 833676F2,
BEDF2436, F6C26720, D866E30C, DFB940E9,
785E5336, 1C42407B, 0FCE38E6, 28E21B1A,
5D7DEB36, FB3C8B16, 24B5C173, 28BC5727,
6ED16186, BDDC35F7, 3B715F42, C1A60EEA,
1B6D0DC3, A43393D5, 59D046BA, 2799B4B6,
206DAD0A, A37D7588, 17F4653D, E98EDD7F,
DC941394, 6F81AD8E, 7611F662, CA191B6C,
BDD491CF, C6910F8F, C94137C2, 40D5E6D5,
D0C4D719, 5760AA69, 6F819234, F8E83558,
A5A482C9, 520DCAB6, 92E24E59, 8D1B7005, 9A053C29

The elements of the sequence ⎯Z are expressed through elements of the sequence ⎯Z′ as follows: z[j] = z[1028+j] = z′[j] for 0 ≤ j ≤ 1023. Elements of the sequence ⎯Z′, in turn, are expressed through elements of the sequence ⎯G as follows: z′[j] = g[j].

The Form_Q Procedure

The Form_Q procedure includes the following steps:

1. Repeat the user’s secret key the required number of times until the {p[i]}
2051-byte sequence is obtained, where i = 0, 1, … , 2050. Repeated records
must be separated by the bytes with the value 0.
2. Form a new sequence ⎯H = {h0, h1, … , h2050}, where hi = zi ⊕ pi for i = 0,
1, … , 2050, and zi are elements of the previously described ⎯Z sequence.
3. Form the ⎯R = {r0, r1, … , r511} sequence, where ri = pi for i = 0, 1, … , 511.
4. Using the byte sequence ⎯H as a key, call the Encrypt_Z procedure to carry
out the following transformations: ⎯R(0) := Encrypt_Z(⎯R); ⎯R(1) := Encrypt_Z(⎯R(0)); ⎯R(2) := Encrypt_Z(⎯R(1)); ⎯R(3) := Encrypt_Z(⎯R(2)).
5. Form the following 2051-byte sequence: ⎯L = {⎯R(0), ⎯R(1), ⎯R(2), ⎯R(3), r[0],
r[1], r[2]}.
6. Using the byte sequence ⎯L as a key, call the Encrypt_Z procedure to carry
out the following transformations: ⎯C(0) := Encrypt_Z(⎯R); ⎯C(1) := Encrypt_Z(⎯C(0)); ⎯C(2) := Encrypt_Z(⎯C(1)); ⎯C(3) := Encrypt_Z(⎯C(2)).
7. Form a 2051-byte extended key ⎯Q: ⎯Q = {⎯C(0), ⎯C(1), ⎯C(2), ⎯C(3), c[0], c[1],
c[2]}, where c[0], c[1], c[2] are the first three bytes of the sequence ⎯C(0).
8. STOP

Execution of the transformations procedure produces the key ⎯Q, which further will be used for encryption of 512-byte blocks of data (for example, these
might be hard disk sectors of a PC). The encryption key⎯Q is considered an ordered
byte sequence q[i]: ⎯Q = {q[i]}, where i = 0, 1, … , 2050. The encryption procedure
uses subkeys Q[ j], where j = 0, 1, … , 2047 and Q[j] = q[j+3]||q[j+2]||q[j+1]||q[j].

2.8.3 Disk Encryption Algorithms

The SPECTR-Z encryption algorithm includes three rounds. The first and the third
rounds are complete and correspond to sequential transformation of all 128 words
of the initial block, starting from the first word. The second round is reduced. It
corresponds to the transformation of the reduced data block formed by joining up
four initial and four final 32-bit words of a 512-byte data block (Figure 2.2).

FIGURE 2.2 The sequence of word transformation.

The reduced round is executed in the form of five encryption loops for en-
crypting the 256-bit reduced data block. Each of the loops includes eight iterations
for transforming 32-bit words. These iterations are executed similarly to the transformation iterations in the complete round. The second round consists in sequential transformation of the following words: T124, T125, T126, T127, T0, T1, T2, T3. Each loop of encryption of these eight words, except for the last, is followed by exchanging the values of the following pairs of words: T0 ↔ T127, T1 ↔ T126, T2 ↔ T125, T3 ↔ T124. The complete encryption round consists of
the following. The block of plaintext ⎯T is split into 128 32-bit words Ti: T = {Ti},
i = 0, 1, … , 127. The words of the data block being transformed are converted ac-
cording to the following sequence: T0, T1, … , T127. The procedure for encrypting
the data block Encrypt_Z is provided next.

The Encrypt_Z Procedure (Encryption of a 512-Byte Data Block)

The Encrypt_Z procedure includes the following steps:

1. Carry out the complete round of encryption.
2. Carry out the reduced round of encryption.
3. Carry out the complete round of encryption.

Complete Round of Encryption

To carry out the complete round of encryption, it is necessary to execute the
following steps:

1. Set the counter value i := 0 and compute the initial value of internal
variables R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5], n := N +11 0.
2. Carry out the following transformations:
N := n ⊕ R; V := V +32 N;
n := N +11 0; V := (V +32 Q[n])>>>11;
N := n ⊕ V; Y := Y +32 N;
n := N +11 0; Y := (Y +32 Q[n])>>>11;
N := n +32 Y; n := N +11 0;
U := ((U ⊕ Q[n]) +32 R)>>>V; R := Ti.
3. Carry out the transformation of the next word of the text: Ti := ((Ti −32 V)
⊕ U)<<<V −32 Y.
4. Increment the counter i := i + 1. If i ≠ 128, then go to step 2, else STOP.

Reduced Round of Encryption

To carry out the reduced round of encryption, it is necessary to execute the following steps:

1. Set the value of the external counter j := 5.
2. Set the value of the internal counter i := 124 and compute the initial values
of internal variables R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5],
n := N +11 0.
3. Carry out the following transformations:
N := n ⊕ R; V := V +32 N;
n := N +11 0; V := (V +32 Q[n])>>>11;
N := n ⊕ V; Y := Y +32 N;
n := N +11 0; Y := (Y +32 Q[n])>>>11;
N := n +32 Y; n := N +11 0;
U := ((U ⊕ Q[n]) +32 R)>>>V; R := Ti.
4. Carry out the transformation of the next word of the text:
Ti := ((Ti -32 Y)>>>V ⊕ U) -32 V.
5. Increment the counter i := i + 1 mod 128. If i ≠ 4, then go to step 3.
6. Decrement the external counter j := j - 1. If j = 0, then STOP.
7. Exchange the values of initial and final words of the text: T0 ↔ T127,
T1 ↔ T126, T2 ↔ T125, T3 ↔ T124.
8. Return to step 2.

Decryption of the encrypted text is carried out using the Decrypt_Z procedure.

The Decrypt_Z Procedure

The Decrypt_Z procedure includes the following steps:

1. Carry out the complete round of decryption.
2. Carry out the reduced round of decryption.
3. Carry out the complete round of decryption.

The Complete Round of Decryption

To carry out the complete round of decryption, it is necessary to accomplish the
following steps:

1. Set the counter value i := 0 and compute the initial values of internal vari-
ables R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5], n := N +11 0.
2. Carry out the following transformations:
N := n ⊕ R; V := V +32 N;
n := N +11 0; V := (V +32 Q[n])>>>11;
N := n ⊕ V; Y := Y +32 N;
n := N +11 0; Y := (Y +32 Q[n])>>>11;
N := n +32 Y; n := N +11 0;
U := ((U ⊕ Q[n]) +32 R)>>>V.
3. Transform the next word of the text: Ti := ((Ti +32 Y)>>>V ⊕ U) +32 V.
4. Assign the value R := Ti and increment the counter i := i + 1. If i ≠ 128, then
go to step 2, else STOP.

Reduced Round of Decryption

To carry out the reduced round of decryption, it is necessary to accomplish the following steps:
1. Set the value of external counter j := 5.
2. Set the value of internal counter i := 124 and compute the initial values of
internal variables R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5],
n := N +11 0.
3. Carry out the following transformations:
N := n ⊕ R; V := V +32 N;
n := N +11 0; V := (V +32 Q[n])>>>11;
N := n ⊕ V; Y := Y +32 N;
n := N +11 0; Y := (Y +32 Q[n])>>>11;
N := n +32 Y; n := N +11 0;
U := ((U ⊕ Q[n]) +32 R)>>>V.
4. Transform the next word of the text: Ti := ((Ti +32 V ) ⊕ U)<<<V +32 Y.
5. Assign the value R := Ti and increment the counter i := i + 1 mod 128. If
i ≠ 4, then go to step 3.
6. Decrement the counter j := j - 1. If j = 0, then STOP.
7. Exchange the values of initial and final words of the text. T0 ↔ T127,
T1 ↔ T126, T2 ↔ T125, T3 ↔ T124.
8. Go to step 2.
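Written as an added example rather than the authors’ code or any shipped SPECTR-Z implementation, the following Python transcribes the Encrypt_Z and Decrypt_Z step lists above (complete round, reduced round, complete round; the same initial values R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5]; the word order T124, … , T127, T0, … , T3 and the swaps between loops of the reduced round) and checks that the decryption procedure actually inverts the encryption procedure. Two things it assumes are not stated in the text: the 128 data words Ti are read from the 512-byte block little-endian, matching the byte order the text gives for Q[j], and the 2051-byte extended key is a constructed stand-in expanded from SHA-256, not the output of Form_Q. The avalanche() helper is likewise added, to measure the claim that a difference in a single word spreads over the whole ciphertext.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF

def rotr(x, s):
    """'>>>': cyclic right shift of a 32-bit word; only the 5 low bits of s count."""
    s &= 31
    return ((x >> s) | (x << (32 - s))) & MASK32

def rotl(x, s):
    """'<<<': cyclic left shift of a 32-bit word; only the 5 low bits of s count."""
    s &= 31
    return ((x << s) | (x >> (32 - s))) & MASK32

def subkeys(q):
    """Q[j] = q[j+3]||q[j+2]||q[j+1]||q[j], j = 0..2047, from the 2051-byte key."""
    if len(q) != 2051:
        raise ValueError("SPECTR-Z extended key must be exactly 2051 bytes")
    return [struct.unpack_from("<I", q, j)[0] for j in range(2048)]

def _init_state(Q):
    """Step 1: R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5], n := N +11 0."""
    R, V, Y, U, N = Q[9], Q[7], Q[3], Q[9], Q[5]
    return (R, V, Y, U, N, N & 0x7FF)

def _next_state(Q, st):
    """Step 2: data-dependent subkey sampling that updates V, Y, U, N and n.
    R (the previous plaintext word) is only read here; the caller stores the new R."""
    R, V, Y, U, N, n = st
    N = n ^ R;            V = (V + N) & MASK32
    n = N & 0x7FF;        V = rotr((V + Q[n]) & MASK32, 11)   # n := N +11 0
    N = n ^ V;            Y = (Y + N) & MASK32
    n = N & 0x7FF;        Y = rotr((Y + Q[n]) & MASK32, 11)
    N = (n + Y) & MASK32; n = N & 0x7FF
    U = rotr(((U ^ Q[n]) + R) & MASK32, V)                     # data-dependent shift
    return (R, V, Y, U, N, n)

def _transform(T, i, st, encrypt, reduced):
    """Step 3: transform T[i] with U, V, Y; return the plaintext word, which becomes R
    (known before the transform when encrypting, after it when decrypting)."""
    V, Y, U = st[1], st[2], st[3]
    if encrypt:
        plain = T[i]
        if reduced:   # Ti := ((Ti -32 Y)>>>V xor U) -32 V
            T[i] = ((rotr((T[i] - Y) & MASK32, V) ^ U) - V) & MASK32
        else:         # Ti := ((Ti -32 V) xor U)<<<V -32 Y
            T[i] = (rotl(((T[i] - V) & MASK32) ^ U, V) - Y) & MASK32
    else:
        if reduced:   # Ti := ((Ti +32 V) xor U)<<<V +32 Y
            T[i] = (rotl(((T[i] + V) & MASK32) ^ U, V) + Y) & MASK32
        else:         # Ti := ((Ti +32 Y)>>>V xor U) +32 V
            T[i] = ((rotr((T[i] + Y) & MASK32, V) ^ U) + V) & MASK32
        plain = T[i]
    return plain

def _complete_round(Q, T, encrypt):
    """All 128 words T0..T127 in sequence, state chained through the plaintext words."""
    st = _init_state(Q)
    for i in range(128):
        st = _next_state(Q, st)
        st = (_transform(T, i, st, encrypt, False),) + st[1:]

def _reduced_round(Q, T, encrypt):
    """Five loops over T124..T127, T0..T3; swap T0<->T127 .. T3<->T124 after all but the last."""
    for j in range(5, 0, -1):
        st, i = _init_state(Q), 124
        while True:
            st = _next_state(Q, st)
            st = (_transform(T, i, st, encrypt, True),) + st[1:]
            i = (i + 1) % 128
            if i == 4:
                break
        if j > 1:
            for a, b in ((0, 127), (1, 126), (2, 125), (3, 124)):
                T[a], T[b] = T[b], T[a]

def _spectr_z(q, block, encrypt):
    """Complete round, reduced round, complete round (same order in both directions)."""
    Q = subkeys(q)
    T = list(struct.unpack("<128I", block))   # assumption: little-endian data words
    _complete_round(Q, T, encrypt)
    _reduced_round(Q, T, encrypt)
    _complete_round(Q, T, encrypt)
    return struct.pack("<128I", *T)

def encrypt_z(q, block):
    return _spectr_z(q, block, True)

def decrypt_z(q, block):
    return _spectr_z(q, block, False)

def avalanche(q, block, byte_index, mask):
    """Ciphertext bits (of 4096) that change when one plaintext byte is XORed with mask."""
    flipped = bytearray(block)
    flipped[byte_index] ^= mask
    a, b = encrypt_z(q, block), encrypt_z(q, bytes(flipped))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed stand-ins (not Form_Q output): a 2051-byte key and one 512-byte "sector".
DEMO_KEY = b"".join(hashlib.sha256(b"demo key %d" % k).digest() for k in range(65))[:2051]
DEMO_BLOCK = bytes(range(256)) * 2
```

The `;`-joined lines in _next_state mirror the layout of step 2 in the text. Both directions run the same code path; only the word transform in step 3 and the point at which R is assigned differ, which is what makes the decryption procedure the inverse even though the reduced round runs its five loops in the same order. On the constructed inputs, decrypt_z(DEMO_KEY, encrypt_z(DEMO_KEY, DEMO_BLOCK)) returns DEMO_BLOCK, and a single-bit change in T0 or in T127 changes roughly half of the 4096 ciphertext bits.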

Note that the structures of the encryption and decryption procedures are iden-
tical. In both cases, transformation of words in complete rounds starts with the
word T0, and proceeds in the order T0, T1, T2, … , T127. By analogy to the subkeys
of the extended key, which are related to the elements of the secret key by a sophis-
ticated functional dependency, the values of accumulating variables are functions
of the extended key and subblocks transformed at the previous steps. Such a mech-
anism is due to the fact that subkeys Q[j] are not used in the equation of the direct
transformation of the input block (step 3 of the complete round algorithm and step
3 of the reduced round algorithm). In addition, three accumulating variables that
take pseudorandom values participate in the direct transformation of the words of
the input block in each round. These factors influence the efficiency of transformations of the SPECTR-Z cipher, which combines high cryptographic strength and high performance.
If you consider encryption of two texts differing only by the word Ti, where
i < 127, you’d easily note that when transforming the word Ti+1 as early as in the
first round, the value of at least one of the variables U, V, or Y is changed, which re-
sults in an avalanche-like change of parameters U, V, Y at further n elementary steps
of the transformation.
If two input blocks differ in the last word T127 of the input block, the avalanche-
like increase of the influence of this difference starts from the step corresponding to
the encryption of the word T0 in the first loop of the second round.
Thus, a specific feature of the SPECTR-Z cipher is that the strong avalanche ef-
fect takes place when passing from one word being transformed to another word
within the same encryption round. The encryption round as such represents a se-
quential repetition of some iterative encryption function over all words in the input
message. The reduced encryption round is used to ensure strong dissipating influ-
ence of the bits of the last 32-bit word on the ciphertext.
The scheme of the software-oriented cipher shown in Figure 2.1 in relation to
the SPECTR-Z algorithm can be represented in more detail as shown in Figure 2.3.

FIGURE 2.3 Generalized structure of transformations of the SPECTR-Z cipher.

In this illustration, the mechanism of forming the accumulating variables is shown. This mechanism can be interpreted as an automaton having at least 2^107 different states defined by sets of four values of the U, V, Y, and n variables.
The first three variables directly participate in the transformation of the words of the input text, and the last variable is an internal parameter that indirectly influences the encryption process. Thanks to the large number of internal states of this automaton, the use of several rounds of encryption, and the dependence of each state transition on the words being transformed, a unique sequence of transitions is ensured for each input message. Note that the complete round of encryption is, in effect, a mechanism of bit-stream encryption in which the previous words influence the encryption of the subsequent words.
An important feature of the concatenation mechanism used is that it is implemented through four parallel channels, namely the U, V, Y, and n variables. The n variable determines the influence of the concatenation mode and the practical impossibility of finding (without knowing the key) a sequence of words being transformed that would switch the automaton from specified initial conditions to a specified final condition within several steps of transformation.

2.8.4 Evaluating the Cryptographic Strength


The SPECTR-Z cryptographic algorithm is strong against known analytical attacks,
including linear and differential cryptanalysis. The strength of the algorithm is
ensured not by the number of rounds, but by the structure of the transformation
procedures as such and by the large number of words transformed within the two
main encryption rounds. When developing the SPECTR-Z cipher for comparative
analysis of the strength of different variants of cryptographic schemes with pseudo-
random subkey sampling, the attack based on hardware errors was used. The random
errors variant was considered; in other words, it was assumed that the intruder can-
not reproduce the error that has the required value (which means the attacker cannot
invert bits in the predefined positions). In addition, it was assumed that the protec-
tion against introduction of an error into the value of the encryption procedure
completion parameter must be ensured by additional mechanisms complementing
specific implementation of the algorithm. This assumption is common for all
known algorithms of block encryption.
The SPECTR-Z algorithm is also strong against attacks based on generation of
random hardware errors that are intentionally introduced by the attacker into reg-
isters containing the values of the data subblocks being transformed by means of
external physical influence on the encrypting device. According to our evaluations, its strength against such an attack is no less than 10^30 operations. At the same time, most other widely used ciphers, including RC5, DES, GOST 28147-89 (Russian ГОСТ, GOsudarstvennyi STandard, Russian for “Government Standard”), ensure the computational strength against this attack that doesn’t exceed 10^9 operations.
High strength against this kind of cryptanalysis is achieved thanks to the following
factors:

The values of numbers of the chosen subkeys are never present in the cipher-
text. The numbers are formed as values of the internal variable of the encryp-
tion mechanism.
The error introduced at the last round into some word propagates using the
mechanism of forming the U, V, Y, and n variables. This error is introduced
into all these variables, and, at the same time, modifications of n result in the
change of the subkey sample. These changes are difficult to differentiate ac-
cording to their integral effect on the next word.
Variable U formed using the last subkey sample doesn’t participate in the trans-
formation of the words of the input text as an operand of the last operation,
which considerably distorts the statistics of subkey differences, because of the
superposition of variables Y (during encryption) and V (during decryption),
which are not known beforehand.
Disclosing nonuniformities in the subkey differences statistics is further complicated, because after superposition of a subkey on the initial value of variable U, the value R is superimposed on it, after which the cyclic shift operation takes place. This shift is carried out by a number of bits not known to the attacker beforehand.

To obtain a generalized evaluation of the minimal level of cryptographic strength of the SPECTR-Z cipher, the combinatorial-probabilistic model used earlier for block ciphers with a similar structure of transformations will be used.
In the SPECTR-Z algorithm, variables U, V, Y, and n change in the course of tran-
sition from word to word, taking sequential values that form a pseudorandom
sequence. The values of variables U, V, and Y at the step of conversion of the i-th
word are formed depending on the combinations of i subkeys (i = 1, 2, ... , 128). At
the same time, the number of different possible values Mi of these variables depends
on i (for a given i, the values of U, V, and Y depend on the input block). It can be
easily shown that M0 = 1 = 2^0, M1 ≈ 2^11, M2 ≈ 2^22 and Mi ≈ 2^32 for i = 3, 4, ... , 128.
Thus, at steps with number i = 3, 4, ... , 128, approximately 2^96 different sets of
{Y, U, V} are possible. Implementation of a specific set depends on the input block
and the encryption key. The algorithm under consideration is composed in accor-
dance to the following criterion: transformation procedures must be designed so that
the change of any bit of the input message would result in the change of the subkeys
sample. This criterion guarantees that for all different input messages, unique se-
quences of {Y(i), U(i), V(i)} parameters will be generated, where the variables’ values
106 Innovative Cryptography, Second Edition

at the steps corresponding to the transformation of the i-th word are marked with
index (i).
Procedures of a single encryption round can schematically be represented as
follows: depending on the values of the current input words being transformed, the
subkeys that will be used for forming the U, V, and Y variables are sampled. These
variables are used for transforming further words. The algorithm is designed so that
the change of any bit in an arbitrary input data block results in the modification of
the subkeys sample and the change of the key variables. This means that each input
message is transformed using unique sequences of the U, V, and Y variable values.
At the same time, during the first, and, partially, the second rounds (during the first
loop of the second round) at certain steps of the transformation, the values of U, V,
and Y might be predetermined to match for specially selected input messages. To
achieve this, it is necessary to choose two input messages differing only in the T127
word. As relates to the four last loops of the second round and all steps of the third
round, the values of internal variables for each pair of input messages might match
only occasionally.
Although conversion of 32-bit words is carried out in accordance with rela-
tively simple equations, the set of variable values is pseudorandom.
Determination of the values of subkeys Q[j] is related to finding the values
of U, V, and Y at certain steps of the transformation (for example, at the two near-
est sequential steps of the word transformation). Therefore, fixing the values of
U, V, and Y at specific steps is the prior condition for computation of subkeys
Q[j]. Fixing in this case must be interpreted as finding such words within the same
input message or in different input messages that were transformed using the val-
ues of U, V, and Y, related by a certain condition. For example, for two different
words, T and T′, the corresponding pairs of values of each of the accumulating
variables might be equal ($U = U'$, $V = V'$, and $Y = Y'$), differ by a specified value
($U \oplus U' = \mathrm{const}_1$, $V \oplus V' = \mathrm{const}_2$ and $Y \oplus Y' = \mathrm{const}_3$), or be related by a linear
relationship. Note that the concept of fixing includes any predefined dependencies
between the values of accumulating variables corresponding to the chosen pair of
words, which means that employment of differential and linear cryptanalysis is
covered by the combinatorial-probabilistic model as a particular case.
The equation describing the encryption of an individual word T (belonging to
the middle of the input data block; that is, excluding four starting and four final
words) in the general case is formulated by the expression $C = f(T, U_1, V_1, Y_1, U_3, V_3, Y_3)$,
where the index corresponds to the encryption round. Analysis of the experi-
mental statistics of the sequence of values taken by the U, V, and Y variables con-
firms that these variables take pseudorandom values.
To obtain generalized minimum evaluations, it is necessary to adopt a set of
assumptions, which the attacker cannot suggest under real-world conditions. As-
sume that the solution of the system of equations corresponding to transformation
Flexible Software Ciphers 107

of two different words is a problem with a low level of complexity, provided that
these words were transformed using fixed sets of accumulating variables $U_1, V_1, Y_1,
U_3, V_3, Y_3$. Assume that the complexity of cryptanalysis depends only on the detection
of the pair of words that correspond to the fixing condition.
This corresponds to the general principles of attacking ciphers—recognition
(in case of known-plaintext attack) or specification (in case of chosen-plaintext
attack) of certain expectable relations between unknown parameters. In this case,
the search for pairs of words satisfying the fixing condition can be characterized
according to several generalized criteria:

The attacker must develop a certain criterion for recognizing words that satisfy
the fixing condition. Such a criterion can be related to the use of statistics of
certain computations carried out using a certain assumption. Assume that the
attacker has a simple and efficient criterion that for two specified words allows
the attacker to discover whether these words satisfy the fixing condition with
minimal labor expenses (within a single conventional operation).
The attacker cannot know beforehand the numbers of words that with a high
level of probability correspond to the adopted fixing condition; however, the
attacker can choose for testing words with specific numbers, for which the fix-
ing condition can be satisfied with higher probability.
To find the pair of words corresponding to the fixing condition, the attacker
tries pairs of words corresponding to increased probability of the fixing condi-
tion occurrence.

In the case of a known-plaintext attack, for the tested pairs of words T and T′, the val-
ues of $U_1, V_1, Y_1, U_3, V_3, Y_3$ are different in the general case. In the case of a chosen-
plaintext attack, it is possible to choose such pairs of input blocks for which at
each specified step of the first round the same values of the $U_1, V_1, Y_1$ variables are
formed (these variables will change from word to word; however, in the first round
for such pairs of input blocks this change will take place synchronously). Such pairs
of input messages can be easily obtained by modifying the word $T_i$ in the input
block $\bar{T}$, where 0 < i < 127. In the pair of texts $\bar{T}$ and $\bar{T}'$ obtained in this
way, the words $T_j$, where 0 ≤ j ≤ i, will in the first round be transformed using the
same values $U_1, V_1, Y_1$. However, after execution of the reduced round, any change
in $\bar{T}'$ will result in the modification of every bit of the words $T_0, T_1, T_2, T_3, T_{124}, T_{125},
T_{126}, T_{127}$ with probability 0.5. The process of encryption in
the third round will be related to the pseudorandom values of the differences
$U_3(i) - U_3'(i)$, $V_3(i) - V_3'(i)$, and $Y_3(i) - Y_3'(i)$. In the pair of texts $\bar{T}$ and $\bar{T}'$, the attacker
can exploit the repetition in the first round of the values $U_1, V_1, Y_1$ for words $T_j$
and $T_j'$, where 5 ≤ j ≤ 123. (Analysis of the four starting and four final words is less
efficient because the starting and ending words are additionally transformed in the
second round.)
With the account of these facts, two variants of the generalized combinational-
probabilistic model (CPM) were suggested:

Combinational-probabilistic model for known-plaintext attack (CPM-1).
Combinational-probabilistic model for chosen-text attack (plaintext or cipher-
text) (CPM-2).

Note that in the second case, the complexity of the cryptanalysis in case of
chosen ciphertext has approximately the same value as in case of chosen plaintext,
because encryption and decryption algorithms are practically identical. CPM-1 and
CPM-2 differ by the probability of the event in which two arbitrarily taken words
were transformed using the same values of accumulating variables. Such a pair of
words is called the target pair. The required probability for CPM-1 is $p_1 = M^{-6}$, and
for CPM-2 it is $p_2 = M^{-3}$, where $M = 2^{32}$ is the number of different values that vari-
ables U, V, and Y can take.
If there is a certain amount of known or chosen texts containing L words (related
to words with indexes i = 4, 5, … , 123), it is possible to distinguish $C_L^2$ different
pairs, which in a first approximation can be considered independent. With the
account of the latter fact it is possible to evaluate the probability that among the
given L words there will be the target pair of words as $P = 1 - A_M^L M^{-L}$. For the
case P < 0.6, it is possible to use the approximate formulae $P_1 \approx p_1 C_L^2$ for CPM-1
and $P_2 \approx p_2 C_L^2$ for CPM-2. For $P_1 = P_2 = 0.5$, it is easy to obtain the values $L_1$
and $L_2$, which can be considered the minimal numbers of known or chosen words
among which the target pair of words can be found with probability 0.5:
$L_1 \approx p_1^{-0.5}$ and $L_2 \approx p_2^{-0.5}$. These values correspond to the following numbers of
different encrypted input data blocks: $L_1' > 2^{-7} L_1$ for CPM-1 and $L_2' > 2^{-7} L_2$ for
CPM-2. If such information is available to the cryptanalyst, the attacker can find
the target pair using the criterion for recognizing repetitions.
The complexity W of finding this pair is taken as the complexity of crypt-
analysis; that is, as the cryptographic strength of the algorithm. In reality, con-
sidering individual pairs of words cannot ensure identification of a repetition;
however, in the model under consideration this assumption is made in favor
of the attacker, because the goal of this evaluation is to determine the lower limit of
the algorithm's strength. Assume that the attacker has some additional condition
that needs to be checked for different pairs of arbitrarily chosen words. To find
the target pair with probability 0.5, it is necessary to check half of the total
number of possible combinations $C_L^2$. Assuming that the attacker carries out one
check within a single operation, the cryptanalysis complexity can be evaluated as
$W_1 = 0.5 p_1^{-1}$ and $W_2 = 0.5 p_2^{-1}$.

Numeric values of generalized evaluations are provided in Table 2.1. The
obtained results make it clear that in the best case, the cryptanalyst can disclose the
encryption key provided that he has no less than $2^{18}$ GB of chosen plaintexts and
corresponding ciphertexts. In this case, cryptanalysis will require no less than $2^{95}$ op-
erations. These evaluations demonstrate that the SPECTR-Z algorithm can be used
for safe encryption of all data on contemporary storage media, including media of
greater size.

TABLE 2.1 Numeric Values of Generalized Evaluations of the Cryptanalysis Complexity

Attack variant | P | L, words | L′, blocks | W, operations
CPM-1 | $2^{-192}$ | $2^{96}$ | $> 2^{89}$ | $2^{191}$
CPM-2 | $2^{-96}$ | $2^{48}$ | $> 2^{41}$ | $2^{95}$

From the developer’s point of view, CPM provides a good generalized evaluation,
because it doesn’t overestimate the cryptographic strength. Comparison of the results
obtained using CPM-1 to the results of specialized cryptanalytical research carried out
for the COBRA system confirms these results. Actually, expert analysis using known
methods of cryptanalysis has produced the values $L \approx 6 \cdot 10^{13}$ bytes and $W \approx 4 \cdot 10^{15}$
operations, while CPM-1 produces considerably smaller values: $L \approx 10^{7}$ bytes and
$W \approx 10^{14}$ operations. This, along with the fact that no cryptanalysis variants producing
a smaller value than the one determined according to CPM have been found for the
SPECTR-Z cipher, allows us to adopt the evaluation obtained according to CPM.

2.8.5 File Encryption Algorithm


File encryption in the SPECTR-Z cryptographic system is carried out using the
transformation mechanism that satisfies the following requirements:

Execution of encrypting procedures implemented at the software level in real-
time mode.
Forming of the temporary unique key for file encryption by the secret key and
arbitrarily formed file label.
Ensuring the possibility of arbitrary access to all bytes of the encrypted file (in-
dependent encryption of each byte).
Execution of file encryption at each file write operation.
Invariability of the file lengths and system attributes.

The file encryption key is some extended key formed based on the secret key.
With this being so, the procedure uses the precomputations algorithm that doesn't
allow for computation of the secret key even if the extended key is known. The se-
cret key is common for encryption of all files of a given user. The user's secret key
is formed at the PC bootstrap phase at the precomputation stage. The key is 1024
bytes long, and represents a set of 256 32-bit subkeys Q[j], j = 0, 1, … , 255.
The general scheme of file encryption consists of the generation of 8-bit elements
of the key range depending on the ordinal number of specific bytes in the file and on
the additional local key with subsequent superposition of the range elements over
corresponding bytes of the file. The local key is 64-bits long. It is formed when open-
ing the file depending on the secret file encryption key and a 64-bit label, presumably
known to the intruder. Local labels are generated arbitrarily and are assigned as at-
tributes to each file, for which encryption mode is specified. The probability of form-
ing the matching labels for different files is negligibly small (about $2^{-64}$).
Assume that M = U||V is a 64-bit label represented as a concatenation of two
32-bit words U = u4||u3||u2||u1 and V = v4||v3||v2||v1. In the following sections, the
algorithm used for generation of the local key will be considered in more detail.

Forming the Local Key


The algorithm used for generation of the local key is made up of the following steps:

1. Set the counter i = 1.
2. Carry out the following transformations:
U := U + Q[v1]; V := V + Q[u1];
U := U ⊕ Q[v2]; V := V ⊕ Q[u2];
U := (U + V)<16<; V := V + Q[u1];
V := V<16<; U := U + Q[v1];
V := V ⊕ Q[u2]; U := (U ⊕ Q[v2])<13<;
V := (V + U)<13<.
3. If i < 5, then increment the counter i := i + 1 and go to step 2.
4. STOP.

The value R = U||V after executing five rounds of the transformation will
represent the local key. File encryption is carried out according to the algorithm
described in the next section, where the following designations are used:
N = n4||n3||n2||n1 is the number of the currently transformed byte, represented as a
concatenation of 8-bit numbers; R = r8||r7||r6||r5||r4||r3||r2||r1 is the local
key, represented as a concatenation of 8-bit subkeys; F = f4||f3||f2||f1 is
a 32-bit variable; and j is the 8-bit number of the chosen subkey.

Encryption of the Current Byte


The algorithm for encryption of the current byte of the file being encrypted
includes the following steps:

1. Carry out the following transformations:
j := n1 + r5; F := Q[j] ⊕ (r4||r3||r2||r1);
j := (j ⊕ n2) + (f1 ⊕ r6); F := {(F + Q[j]) ⊕ (r8||r7||r6||r5)}>5>;
j := (j + r7) ⊕ (f1 + n3); F := (F + Q[j])>6>;
j := (j + n4) ⊕ (f1 + r8); F := (F ⊕ Q[j])>7>;
j := j + r2; F := F + Q[j];
j := j + r3; F := F ⊕ Q[j];
(f2||f1) := (f4||f3) ⊕ (f2||f1).
2. Form the current 8-bit element of the key range: g := f1 + f2.
3. Transform the current byte tN: tN := tN ⊕ g.
4. STOP.

This algorithm is used for both encrypting and decrypting files. It ensures the
transformation rate of about 80 Mbps for the Pentium-II 266 microprocessor.
Obviously, this algorithm ensures independent encryption of each byte of the file
being encrypted. This ensures high flexibility when working with large files such as
database files, for example. The key range being generated g(N) is practically unique
for every file, because it is generated depending on the local key, which is formed on
the basis of an arbitrary label.
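The two procedures above (forming the local key from the 64-bit label, then deriving the key-range element g(N) for each byte number) as an added Python example; this is not the authors' code. It assumes that <k< and >k> denote 32-bit rotations left and right by k bits, that "+" on 32-bit variables is addition modulo 2^32 and on 8-bit values (j, g) modulo 2^8, that index 1 is the least-significant byte, and it uses a constructed dummy extended key Q in place of a real SPECTR-Z key; the helper names (rotl, byte, make_dummy_key, transform) are my own.

```python
"""
SPECTR-Z file encryption, as described in the two procedures above: the 64-bit file
label M = U||V is stretched into the local key R by five rounds, and every byte
number N is mapped to an 8-bit keystream element g(N) that is XORed onto the byte.
Added example, not the authors' code. Assumptions: "<k<" / ">k>" are 32-bit rotations
left / right by k bits, "+" on 32-bit variables is addition mod 2^32 and on 8-bit
values (j, g) mod 2^8, index 1 is the least-significant byte, and Q is a constructed
dummy extended key of 256 32-bit subkeys standing in for a real SPECTR-Z key.
"""
MASK32 = 0xFFFFFFFF


def rotl(x, k):
    k %= 32
    return ((x << k) | (x >> (32 - k))) & MASK32


def rotr(x, k):
    return rotl(x, 32 - (k % 32))


def byte(x, i):
    """i-th 8-bit subword of x, counting from 1 at the least-significant end."""
    return (x >> (8 * (i - 1))) & 0xFF


def make_dummy_key(seed):
    """Constructed stand-in for the 256-subkey extended key Q (an LCG; not secure)."""
    q, x = [], seed & MASK32
    for _ in range(256):
        x = (x * 1664525 + 1013904223) & MASK32
        q.append(x)
    return q


def form_local_key(Q, label):
    """Five rounds of 'Forming the Local Key' on the 64-bit label M = U||V."""
    U, V = (label >> 32) & MASK32, label & MASK32
    for _ in range(5):
        U = (U + Q[byte(V, 1)]) & MASK32; V = (V + Q[byte(U, 1)]) & MASK32
        U ^= Q[byte(V, 2)];                V ^= Q[byte(U, 2)]
        U = rotl((U + V) & MASK32, 16);    V = (V + Q[byte(U, 1)]) & MASK32
        V = rotl(V, 16);                   U = (U + Q[byte(V, 1)]) & MASK32
        V ^= Q[byte(U, 2)];                U = rotl(U ^ Q[byte(V, 2)], 13)
        V = rotl((V + U) & MASK32, 13)
    return (U << 32) | V  # R = U||V, the 64-bit local key


def keystream_byte(Q, R, N):
    """'Encryption of the Current Byte': the 8-bit key-range element g(N)."""
    r = [None] + [byte(R, i) for i in range(1, 9)]  # r[1]..r[8], r[1] least significant
    n = [None] + [byte(N, i) for i in range(1, 5)]  # n[1]..n[4] of the byte number N
    lo, hi = R & MASK32, (R >> 32) & MASK32         # r4||r3||r2||r1 and r8||r7||r6||r5
    j = (n[1] + r[5]) & 0xFF
    F = Q[j] ^ lo
    j = ((j ^ n[2]) + (byte(F, 1) ^ r[6])) & 0xFF
    F = rotr(((F + Q[j]) & MASK32) ^ hi, 5)
    j = ((j + r[7]) & 0xFF) ^ ((byte(F, 1) + n[3]) & 0xFF)
    F = rotr((F + Q[j]) & MASK32, 6)
    j = ((j + n[4]) & 0xFF) ^ ((byte(F, 1) + r[8]) & 0xFF)
    F = rotr(F ^ Q[j], 7)
    j = (j + r[2]) & 0xFF
    F = (F + Q[j]) & MASK32
    j = (j + r[3]) & 0xFF
    F ^= Q[j]
    F = (F & 0xFFFF0000) | ((F >> 16) ^ (F & 0xFFFF))  # (f2||f1) := (f4||f3) XOR (f2||f1)
    return (byte(F, 1) + byte(F, 2)) & 0xFF  # g := f1 + f2


def transform(Q, label, data, first_byte_number=0):
    """XOR every byte with g(N); the same call encrypts and decrypts, and any byte
    range can be processed on its own because g(N) depends only on N, R and Q."""
    R = form_local_key(Q, label)
    return bytes(b ^ keystream_byte(Q, R, first_byte_number + k)
                 for k, b in enumerate(data))
```

Decrypting a slice with the matching first_byte_number shows the random-access property the text describes: no other bytes of the file are needed.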
Note some specific features of the file encryption algorithm under considera-
tion. If some file is known to the cryptanalyst in the plaintext form and in the
encrypted form, he will easily compute the key range corresponding to this file.
However, disclosing the file encryption key from the key range is complicated, even if
the chosen plaintext is available. Because of this, disclosure of some files doesn’t
compromise the confidentiality of the others, and an attack based on the encryption
of the specially chosen files doesn’t provide the cryptanalyst with any additional
possibilities of computing the secret key. If storage media are stolen, the cryptana-
lyst can easily discover the label value; however, it will be impossible to compute the
local key, because this requires the attacker to know the file encryption key. The file
encryption algorithm is strong against known methods of cryptanalysis, including
attacks based on generating arbitrary hardware errors.

2.8.6 Transformation of the Boot Sector Data


To decrypt or encrypt the operating system loader in the SPECTR-Z cryptosystem,
a special mini-algorithm has been developed. This algorithm is implemented in the
form of a software cryptographic module smaller than 100 bytes, which allows for
placing it within the protection system loader (which is only 512 bytes in size).
The general cryptoscheme of the mini-algorithms includes two stages:

1. Precomputations carried out to form the 1024-byte extended key K[j].
2. Decryption procedure D using the extended key. The extended key is
represented in the form of the sequence of 32-bit subkeys {K[j]}, where
j = 0, 1, 2, ... , 255.

To carry out precomputations, the 1024-byte auxiliary key L is formed by
repeating the password the required number of times and simultaneously
modifying the bytes of the password. The subkey is formed as follows: K := L. After
that, the following transformations are carried out 35 times: L := $D_K(L)$, K := L,
where $D_K(L)$ is interpreted as the result of applying procedure D with key K to
block L. As a result, the extended key is obtained: K = {K[j]}, j = 0, 1, … , 255,
which is further used as the key in procedure D to decrypt the boot sector. Procedure
D is implemented by splitting the message being encrypted into 64-bit blocks and
sequentially transforming these blocks. Data blocks are presented as T = A||B,
where A = a4||a3||a2||a1, B = b4||b3||b2||b1, $a_i$ and $b_i$ are 8-bit subblocks, and the "||"
operator means concatenation. The procedure of decrypting 64-bit data blocks
uses the algorithm described in the next section.

Procedure D (Decryption Mini-Algorithm)


The decryption mini-algorithm comprises the following steps:

1. Set the counter r = 1.
2. Carry out the following transformations:
A := A + K[b1]; B := B ⊕ K[a1];
A := A ⊕ B; A := A>3>;
B := B>3>; B := B + A.
3. If r < 35, increment the counter r := r + 1 and return to step 2.
4. STOP.

After 35 rounds of encryption, the value A||B is the output value of the mini-
algorithm. The procedure of encrypting the operating system loader is carried out
when installing the protection system or changing the secret key. This procedure
can be easily built from the decryption algorithm.
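Procedure D, its inverse (the loader encryption that, as the text says, can be built from the decryption algorithm) and the 35-fold precomputation L := D_K(L), K := L, as an added Python example that is not the authors' code. It assumes that >3> is a 32-bit rotation right by 3 bits, that "+" is addition modulo 2^32, that a1 and b1 are the least-significant bytes of A and B, that the two 32-bit words of a 64-bit block are read little-endian, and that the auxiliary key is the password repeated to 1024 bytes (the per-byte modification of the password mentioned in the text is not specified and is left out); the function names are my own.

```python
"""
SPECTR-Z boot-sector mini-algorithm: procedure D (35 rounds on a 64-bit block A||B
with 256 subkeys K[j]), its inverse (the loader encryption that the text says can be
built from the decryption algorithm) and the precomputation L := D_K(L), K := L
repeated 35 times. Added example, not the authors' code. Assumptions: ">3>" is a
32-bit rotation right by 3 bits, "+" is addition mod 2^32, a1 and b1 are the
least-significant bytes of A and B, the two 32-bit words of a block are read
little-endian, and the auxiliary key is the password repeated to 1024 bytes (the
per-byte modification of the password mentioned in the text is not specified and
is left out).
"""
import struct

MASK32 = 0xFFFFFFFF


def rotr(x, k):
    return ((x >> k) | (x << (32 - k))) & MASK32


def rotl(x, k):
    return ((x << k) | (x >> (32 - k))) & MASK32


def d_round(A, B, K):
    """One round of procedure D exactly as listed in the text."""
    A = (A + K[B & 0xFF]) & MASK32   # A := A + K[b1]
    B ^= K[A & 0xFF]                 # B := B XOR K[a1]  (a1 of the updated A)
    A = rotr(A ^ B, 3)               # A := A XOR B; A := A>3>
    B = rotr(B, 3)                   # B := B>3>
    B = (B + A) & MASK32             # B := B + A
    return A, B


def d_round_inverse(A, B, K):
    """Undo one round: the same steps in reverse order, each one inverted."""
    B = (B - A) & MASK32
    B = rotl(B, 3)
    A = rotl(A, 3) ^ B
    B ^= K[A & 0xFF]                 # A holds the post-addition value here, as in d_round
    A = (A - K[B & 0xFF]) & MASK32   # B is the original B again, so b1 is correct
    return A, B


def _blockwise(data, K, step, rounds):
    if len(data) % 8:
        raise ValueError("message length must be a multiple of 8 bytes")
    out = bytearray()
    for off in range(0, len(data), 8):
        A, B = struct.unpack_from("<II", data, off)
        for _ in range(rounds):
            A, B = step(A, B, K)
        out += struct.pack("<II", A, B)
    return bytes(out)


def procedure_d(data, K, rounds=35):
    """D_K: decrypts the loader (or transforms L during the precomputation)."""
    return _blockwise(data, K, d_round, rounds)


def procedure_d_inverse(data, K, rounds=35):
    """Inverse of D_K: what the installer runs to encrypt the loader."""
    return _blockwise(data, K, d_round_inverse, rounds)


def to_subkeys(key_bytes):
    """1024 key bytes -> 256 little-endian 32-bit subkeys K[0..255]."""
    return list(struct.unpack("<256I", key_bytes))


def precompute_extended_key(password, iterations=35):
    """K := L; then repeat 'L := D_K(L), K := L' the given number of times."""
    if not password:
        raise ValueError("password must be non-empty")
    L = (password * (1024 // len(password) + 1))[:1024]
    K = to_subkeys(L)
    for _ in range(iterations):
        L = procedure_d(L, K)
        K = to_subkeys(L)
    return K
```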
The mini-algorithm ensures high strength against attacks based on known and cho-
sen text several KB in size. This mechanism ensures an excellent balance between
the module size and cryptographic strength. It should be mentioned that a poten-
tial cryptanalyst does not have a sufficient amount of corresponding pairs of
plaintext and ciphertext blocks for implementing statistical cryptanalysis methods.
In addition, it will be very difficult for the attacker to input any chosen text for
encryption or decryption because of specific features of the way in which the
protection system uses the mini-algorithm. The use of operating system loader
encryption allows for ensuring a high level of protection against built-in trapdoors.
Because the code size rather than the encryption speed is important for the minici-
pher algorithm, the strength of the minicipher can be increased by using
multiplication as one of the basic operations and/or increasing the number of trans-
formation rounds.
Thus, in the SPECTR-Z system, the disk encryption algorithm is optimally
complemented by the system of fast file encryption and by miniciphers allowing for
controlling the PC bootstrap phase. This combination ensures a strong system of
multilevel encryption of this fully functional information security product.

2.9 SOFTWARE CIPHER WITH FLEXIBLE INPUT

Building a software cipher with flexible input is an issue of practical interest. This
task can be accomplished based on the algorithm of the SPECTR-Z system, and, at
the same time, the variable block length must relate to that part of the block that is
transformed in two rounds. This will allow for obtaining high speeds for smaller
blocks. If the block size is small, the speed will be several times lower, because for
starting and terminating words of the input block the number of rounds cannot be
smaller than six because of security considerations.
The software block algorithm SPECTR-F considered in this section is a modi-
fied version of the SPECTR-Z algorithm, which differs from the original in that the
size of the input block is not fixed. Instead, the input block in the modified
algorithm can be 128 bits or larger; however, its size must be a multiple of
32 bits. Thanks to this, SPECTR-F provides the flexibility required
to optimize the selected block lengths for specific applications. This allows for
obtaining considerable improvement of the encryption speed when encrypting
large data blocks (up to 300 Mbps for contemporary commercial processors). For
encryption speeds about 100 Mbps, this algorithm ensures the possibility of en-
crypting data in 128-bit blocks, if necessary.
The SPECTR-F cryptosystem was developed based on the same criteria as the
ones used for the SPECTR-Z cryptosystem. Variable length of the input block en-
sures better flexibility of the SPECTR-F algorithm. The parameterized value 32m
(bits), where m is a natural number satisfying the inequality m ≥ 4, was chosen as
the input block size for the SPECTR-F algorithm.
Similar to other ciphers with extended key, in the SPECTR-F cryptosystem it is
assumed that the extended key is generated depending on the secret key of relatively
small length using special procedures executed as precomputations. The SPECTR-
F cipher is implemented in the form of two software modules: an initialization mod-
ule intended to run once, and a resident encryption module intended to serve
requests of other programs for data encryption and decryption.

Precomputations
To carry out precomputations, the secret key (input parameter) is repeated the re-
quired number of times to obtain a 2051-byte sequence designated as $\bar{Q}' = \{q_0',
q_1', \dots, q_{2050}'\}$. After that, the auxiliary key $\bar{H} = \bar{Q}' \oplus \bar{Z}$ is formed, where $\bar{Z}$ is a
sequence formed using the Table_Z procedure. The $\bar{Q}'$ key is then transformed sev-
eral times using the Encrypt512 procedure and the $\bar{H}$ key. The extended key $\bar{Q}$ is
formed according to the FormKey procedure described here. In this procedure, $\bar{Q}'$
is interpreted as a sequence of four 512-byte blocks $\bar{Q}^{(1)}, \bar{Q}^{(2)}, \bar{Q}^{(3)}, \bar{Q}^{(4)}$ and three
bytes; that is, $\bar{Q}' = \{\bar{Q}^{(1)}, \bar{Q}^{(2)}, \bar{Q}^{(3)}, \bar{Q}^{(4)}, q^{(0)}, q^{(1)}, q^{(2)}\}$, where $q^{(0)} = q_{2048}'$,
$q^{(1)} = q_{2049}'$ and $q^{(2)} = q_{2050}'$. The encryption key $\bar{Q}$ is a sequence of bytes $q_i$: $\bar{Q} = \{q_i\}$,
where $i = 0, 1, \dots, 2050$. In the course of data encryption the subkeys $Q_j =
q_{j+3} \| q_{j+2} \| q_{j+1} \| q_j$, where $j = 0, 1, \dots, 2047$, are used.

The Table_Z Procedure


The Table_Z procedure algorithm includes the following steps:

1. Set the counter i = 0.
2. Compute the 32-byte number $Z_i' = (a^{23+i} \bmod P)^{17} \bmod R$.
3. Increment the counter i := i + 1. If i ≠ 64, go to step 2.
4. Form a 2051-byte number $S = z_2' \| z_1' \| z_0' \| Z_{63}' \| \dots \| Z_0'$, where $z_2' \| z_1' \| z_0' = Z_0' +_{24} 0$.
5. Represent S in the form of the sequence of bytes: $\bar{Z} = \{z_0, z_1, \dots, z_{2050}\}$.

The FormKey Procedure


The FormKey procedure includes the following steps:

1. Set the parameter m = 128 and accept $\bar{H}$ as the encryption key.
2. Transform $\bar{Q}^{(1)}$: $\bar{Q}^{(1)} := \mathrm{Encrypt512}_{\bar{H}}(\bar{Q}^{(1)})$.
3. Transform $\bar{Q}^{(2)}$: $\bar{Q}^{(2)} := \mathrm{Encrypt512}_{\bar{H}}(\bar{Q}^{(2)} \oplus \bar{Q}^{(1)})$.
4. Transform $\bar{Q}^{(3)}$: $\bar{Q}^{(3)} := \mathrm{Encrypt512}_{\bar{H}}(\bar{Q}^{(3)} \oplus \bar{Q}^{(2)})$.
5. Transform $\bar{Q}^{(4)}$: $\bar{Q}^{(4)} := \mathrm{Encrypt512}_{\bar{H}}(\bar{Q}^{(4)} \oplus \bar{Q}^{(3)})$.
6. Generate the extended key: $\bar{Q} = \{\bar{Q}^{(1)}, \bar{Q}^{(2)}, \bar{Q}^{(3)}, \bar{Q}^{(4)}, q^{(0)}, q^{(1)}, q^{(2)}\}$.



Transformation Algorithms
The SPECTR-F encryption algorithm includes two complete and four reduced
encryption rounds. The block of plaintext $\bar{T}$ is split into m 32-bit words
$T_i$: $\bar{T} = \{T_i\}$, where i = 0, 1, … , m – 1 (m ≥ 4). The value of the natural number
m is set depending on the application area. In each encryption round, the input 32-
bit words T0, T1, T2, … , Tm-1 are transformed. Note that when m = 4, complete and
reduced rounds are identical. After each round, except for the last, the values are
exchanged in the pairs of words T0 ↔ T3 and T1 ↔ T2. Transformation algorithms
include the following two standard procedures: Initialize and Change_NVYU.

The Initialize Procedure


The Initialize procedure includes the following steps:

1. Set the value of the internal counter i := 0 and initial values of variables
R := Q[9], V := Q[7], Y := Q[3], U := Q[9], N := Q[5].
2. END.

The Change_NVYU Procedure


The algorithm of the Change_NVYU procedure includes the following steps:

1. N := N ⊕ R; V := V +32 N;
2. N :=N ⊗ F; n := N +11 0; V := (V +32 Q[n])>>>11;
3. N := N ⊕ V; Y := Y +32 N;
4. N :=N ⊗ F; n := N +11 0; Y := (Y +32 Q[n])>>>11;
5. N := N +32 Y; N := N ⊗ F; n := N +11 0;
6. U := ((U ⊕ Q[n]) +32 R)>>>V.
7. END.

The SPECTR-F cipher is described by the following algorithms.

Procedure of Encryption in Four Reduced Rounds


The algorithm of the encryption procedure in four reduced rounds includes the
following steps:

1. Set the external counter j := 0.
2. Execute the Initialize procedure.
3. Execute the Change_NVYU procedure.
4. Transform the next word of the text: Ti := (Ti –32 V) ⊕ U.
5. Transform the variable R: R := R +32 Ti.
6. Complete the transformation of the word Ti: Ti := Ti<<<V –32 Y.
7. Increment i := i + 1. If i ≠ 4, go to step 3.
8. Exchange values of the following pairs of words: T0 ↔ T3 and T1 ↔ T2.
9. Increment j := j + 1. If j ≠ 4, go to step 2.
10. STOP.

Decryption Procedure in Reduced Rounds


The algorithm of the decryption procedure in reduced rounds includes the follow-
ing steps:

1. Set the value of the external counter j := 0.
2. Execute the Initialize procedure.
3. Execute the Change_NVYU procedure.
4. Transform the next word of the text: Ti := (Ti +32 Y)>>>V.
5. Transform the variable R: R := R +32Ti.
6. Complete the transformation of the word Ti: Ti := (Ti ⊕ U) +32 V.
7. Increment i := i + 1. If i ≠ 4, go to step 3.
8. Exchange the values of the following pairs of words: T0 ↔ T3 and T1 ↔ T2.
9. Increment j := j + 1. If j ≠ 4, go to step 2.
10. STOP.

The Encrypt_512 Procedure: The First (Complete) Encryption Round


The algorithm of the Encrypt_512 procedure includes the following steps:

1. Execute the Initialize procedure.
2. Execute the Change_NVYU procedure.
3. Transform the next word of the text: Ti := (Ti –32 V) ⊕ U.
4. Transform the variable R: R := R +32 Ti.
5. Complete the transformation of the word Ti: Ti := Ti<<<V –32 Y.
6. Increment i := i + 1. If i ≠ m, go to step 2.
7. If m > 4, transform words T2 and T3 in the following order: T2 := T2 ⊕ Tm-2
and T3 := T3 ⊕ Tm–1.
8. Exchange the values of the following word pairs: T0 ↔ T3 and T1 ↔ T2.
9. STOP.

The Procedure of the Sixth (Complete) Round (Encryption)


The algorithm of the procedure of the sixth (complete) round (encryption) in-
cludes the following steps:

1. Execute the Initialize procedure.
2. If m > 4, transform words T3 and T2 in the following order:
T3 := T3 ⊕ Tm-1 and T2 := T2 ⊕ Tm-2.
3. Execute the Change_NVYU procedure.
4. Transform the next word of the text: Ti := (Ti –32 V) ⊕ U.
5. Transform the variable R: R := R +32 Ti.
6. Complete transformation of the word Ti: Ti := Ti<<<V –32 Y.
7. Increment i := i + 1. If i ≠ m, go to step 2.
8. STOP.

The Procedure of the First (Complete) Round (Decryption)


The procedure of the first (complete) round (decryption) comprises the following
steps:

1. Execute the Initialize procedure.
2. Execute the Change_NVYU procedure.
3. Transform the next word of the text: Ti := (Ti +32 Y)>>>V.
4. Transform the variable R: R := R +32 Ti.
5. Complete transformation of the word Ti: Ti := (Ti ⊕ U) +32 V.
6. Increment i := i + 1. If i ≠ m, go to step 2.
7. If m > 4, transform words T2 and T3 in the following order: T2 := T2 ⊕ Tm-2
and T3 := T3 ⊕ Tm-1.
8. Exchange the values of words: T0 ↔ T3 and T1 ↔ T2.
9. STOP.

The Procedure of the Sixth (Complete) Round (Decryption)


The algorithm of the sixth (complete) round (decryption) is made up of the fol-
lowing steps:

1. Execute the Initialize procedure.
2. If m > 4, transform words T3 and T2 in the following order: T3 := T3 ⊕ Tm-1
and T2 := T2 ⊕ Tm-2.
3. Execute the Change_NVYU procedure.
4. Transform the next word of the text: Ti := (Ti +32 Y)>>>V.
5. Transform the variable R: R := R +32 Ti.
6. Complete transformation of the word Ti: Ti := (Ti ⊕ U) +32 V.
7. Increment i := i + 1. If i ≠ m, go to step 2.
8. STOP.

The scheme of transformation of the plaintext into ciphertext is shown in
Figure 2.4.

FIGURE 2.4 The scheme illustrating the order of transformation of 32-bit words into
ciphertext in the SPECTR-F cipher.

The SPECTR-F cryptoalgorithm is oriented toward software implementation.
The encryption speed depends on the size of the input block. When m = 4 the
encryption speed is at a minimum and makes about 50 Mbps (for Pentium 266).
With the increase in the block size, the encryption speed grows. For example, it
makes about 140 Mbps for m ≥ 32.
Thanks to the use of the value exchange operation, each of the words T0, T1, T2,
and T3 during four reduced rounds is converted using a set of 27 variable subkeys
chosen depending on the data being transformed. Output values of the extreme
words T0 and T3 depend on three additional subkeys that are introduced three
times into the procedures of the words transformation. However, this set of three
subkeys is fixed for all data blocks and its contribution to the overall cryptographic
strength. The main factor of the improvement of the cryptographic strength is
specifying a dynamic sample of 27 subkeys for each transformed word. The proce-
dure of transforming words with indexes i = 4, 5, … , m – 1 includes 6i “variable”
subkeys (at the same time, more than 50 percent of these keys are included multi-
ple times).
By choosing a special subset of texts, the attacker can specify the process of
conversion to be identical for any text of such a subset. However, using this fact for
analyzing the transformed values of words T0, T1, T2 and T3 for disclosing subkeys
is considerably more problematic in comparison to the analysis of words T4, T5, …,
Tm-1, because the former are transformed when carrying out all six rounds, and the lat-
ter only in the first and the last rounds. This feature was introduced for achieving
high-encryption speed when encrypting large data blocks. Attacks related to the
analysis of T4, T5, … , Tm–1 can be used as a foundation of the combinational-prob-
abilistic model that accounts for specific features of the SPECTR-F cipher.
The SPECTR–F cryptoalgorithm is strong against all known methods of crypt-
analysis, including linear and differential cryptanalysis. Despite the small number
of complete rounds of transformation, this algorithm ensures high strength thanks
to specific features of transformation typical for cryptosystems with a large size of
the input text and based on data-dependent subkey sampling. When developing the
SPECTR-F cipher, comparative analysis of different variants of cryptoschemes
based on pseudorandom subkey sampling was carried out using an attack that ac-
counted for the possibility of external physical influence on the encrypting devices
on the part of the attacker. As a variant of attack, this analysis of the cryptographic
strength considered the forming of random errors in registers containing data being
encrypted. The SPECTR-F cryptoalgorithm is strong against such attacks, which is
ensured by the same mechanisms as the ones used in the SPECTR-Z cipher (this is
due to the similarity of the transformation mechanisms used in these two ciphers).
For the generalized evaluation of the minimal level of cryptographic strength of
the SPECTR-F cipher in the case when m ≥ 5 (that is, when the input block size
makes 20 bytes or more), it is possible to use the combinational-probabilistic model
(CPM), which earlier in this chapter was used for evaluating the strength of the
SPECTR-Z cryptographic algorithm. The values of variables U, V, and Y at the step
when the i-th word is transformed are generated depending on the combinations of
i replaceable subkeys (i = 0, 1, 2, ... , m – 1), and, with all that being so, the power of
the set of values Mi, which can be taken by these variables, depends on i (for the
given i the values of U, V, and Y depend on the input block). It can be easily shown
that M0 = 2^0 = 1, M1 ≈ 2^11, M2 ≈ 2^21, M3 ≈ 2^30, and Mi ≈ 2^32 for i ≥ 4. Thus, words with
numbers i ≥ 4 are transformed using one of the ≈2^96 possible different sets {Y, U, V},
which depend on the input block and the encryption key. The algorithm is built so
that transformation procedures ensure the influence of any bit of the input message on
the subkeys sample. This criterion guarantees that for all different input messages,
unique sequences of sets {Y(i), U(i), V(i)} will be generated, where index (i) marks the
values of variables at the i-th step of the transformation.
The values of variables U, V, and Y might match by predefinition only in the
first, and, partially, at the second round (during the first loop) at certain steps of the
transformation for specially chosen input messages. The cryptanalyst can easily
specify this condition; however, specific variable values will not be known before-
hand. To achieve this goal, the cryptanalyst can choose two input messages that dif-
fer only in the word Tm–1. As relates to the last four rounds, the values of variables
for any pair of input messages might match only by chance.
Although transformation of 32-bit words is carried out according to relatively
simple equations, the set of variable values is pseudorandom. Determination of
values of subkeys Q[j] relates only to finding values of the U, V, and Y variables at
certain steps of the transformation (for example, at two nearest sequential steps of
the word transformation); therefore, fixing values U, V, and Y at certain steps is a
preliminary condition for computing subkeys Q[j]. Fixing must be interpreted as
finding such words within the same input message or within different input mes-
sages that were transformed using values U, V, and Y, related by a certain condition.
For example, for two different words T and T′, the pairs of values of each of the
accumulating variables corresponding to them, which were used for their transfor-
mation, are equal (that is, U = U′, V = V′, and Y = Y′), or differ by a predefined
value (that is, U ⊕ U′ = const1, V ⊕ V′ = const2, and Y ⊕ Y′ = const3) or are related
by a linear relationship. Note that the concept of fixing includes any specified
dependencies between the values of accumulating variables corresponding to the
chosen pair of words; that is, the use of differential and linear cryptanalysis is cov-
ered by the combinational-probabilistic model as a particular case.
The equation describing encryption of words T that have numbers i≥4 at the
input (these words are transformed only in the first and in the sixth rounds, while
all the other words are transformed during all six rounds) in the general form is
specified by the expression C = f(T, U1, V1, Y1, U6, V6, Y6), where the index corre-
sponds to the number of the encryption round. Analysis of the experimental statis-
tics of the sequence of values taken by the U, V, and Y variables confirms that these
variables take pseudorandom values.
For obtaining generalized minimal evaluations, consider the weakest link in the
chain of transformation; namely, the words with numbers i ≥ 4, which are subject
to the minimal transformation. Make a range of assumptions, which under real-
world conditions the attacker cannot make. Assume that the solution of the system
of equations corresponding to two individual words is a problem with low com-
plexity level, if these words are transformed using fixed sets of values of the accu-
mulating variables U1, V1, Y1, U6, V6, Y6. To obtain numeric evaluations of the
cryptographic strength, the combinational-probabilistic model will be used. The
complexity of solution of the equations corresponding to the fixing condition will
be neglected, assuming the complexity of cryptanalysis depends only on the detec-
tion of the pair of words that correspond to the fixing condition. This corresponds
to a general principle of attacking ciphers—recognition (known-plaintext attack)
or specification (chosen-texts attack) of some expectable relations between unknown
parameters.
In case of known-text attack for the pairs of words T and T′ under considera-
tion, the values U1, V1, Y1, U6, V6, Y6 are in general case different. In case of the
chosen-text attack, it is possible to choose such pairs of input blocks for which at
each step of the first round the matching values of variables U1, V1, Y1 are formed
(these variables change when going from word to word; however, in the first round
of encryption such switching will take place synchronously for such pairs of input
blocks). Such pairs of input messages can be easily obtained by means of modifying
the word Ti, where 0 < i < m – 1, in the text T. Denote the modified text as T′. In
the pair of texts T and T′ obtained this way, words Tj, where 0 ≤ j ≤ i, in the first
round will be transformed using the matching values U1, V1, Y1.
However, after execution of the next four rounds, any change in T′ will result
in the change of all bits of words T0, T1, T2, T3 with the probability of 0. The process
of encryption in the third round will be related to the pseudorandom values of the
differences U6 – U6′, V6 – V6′, and Y6 – Y6′. In the pair of texts T and T′, the most
promising for the attacker is exploiting the fact of repetition of the values U1, V1, Y1
for words Tj and T′j, where 5 ≤ j ≤ m − 1 in the first round of encryption. (Analysis
of the four starting words is more complex, because they are additionally trans-
formed in the second, third, fourth, and fifth rounds.) As can be easily seen, evalu-
ation of the cryptographic strength of the SPECTR-F algorithm is the same as for
SPECTR-Z (see Table 2.1).
The difference of two values of each of the U, V, Y variables used for transfor-
mation of two neighboring words in the sequence T4, T5, …, Tm-1 is, probably,
“least pseudorandom”; however, the use of this fact for cryptanalysis is consider-
ably complicated because the values of these words after the first encryption round
are unknown. For example, by fixing the text T and choosing the set of corre-
sponding texts T′, it is possible to try to accumulate the statistics of the changes of
the pair of neighboring words in the sequence T4, T5, … , Ti. However, the values
of these words after the first round of encryption are unknown because the values
of the U1, V1, Y1 sets of variables used at the first round of encryption and subject
to change when changing from word to word are unknown. At the same time,
thanks to forming these variables using concatenation mechanisms, the value of the
current word influences the transformation of all further words.
Increments of the values of variables U, V, Y when executing the sixth round
of encryption (that is, incrementing U6, V6, Y6, which take place when changing
from word to word) depend on the three chosen subkeys, and on the earlier cho-
sen subkeys. With this being so, this dependence is specified through two 32-bit
variables N and R, which are part of the expression used for transforming these
variables. The values of N(4) and R(4) used when transforming the word T4 are
pseudorandom, because they are formed in the course of execution of the starting
five rounds.
On all the other steps of transformation of the words T5, …, Tm-1 the values of
variables N and R are mutually dependent on N(4) and R(4), which together specify
64 independent bits. Taking into account that when changing from word to word
three new subkeys are used (the power of the set of implemented values of each
being equal to 2^11), it is possible to assume that for such a system of analysis an
exceeding amount of statistical data will be required. This is because the process of
encryption is influenced by some pseudorandom “generalized” 97-bit parameter.
Thus, this variant of attack corresponds well enough to CPM-2 under considera-
tion, which can be characterized by a 96-bit pseudorandom parameter represented
by a set of three variables (U6, V6, Y6).
3 Substitution—Permutation Networks with Minimal Controlled Element

3.1 CONTROLLED BIT PERMUTATIONS AS CRYPTOGRAPHIC PRIMITIVE

The main cryptographic application of the controlled permutations (CP) operation
is related to the execution of the data-dependent bitwise permutations. This approach
was first suggested in the publications “A cipher based on data-dependent
permutations” by A. A. Moldovyan and N. A. Moldovyan, and “Fast block ciphers
based on controlled permutations” by A. A. Moldovyan. Earlier research aimed at
building cryptographic mechanisms based on controlled permutations related to
the use of CP as operations dependent on the encryption key. Such a type of oper-
ation requires the use of controlled permutations networks (CP-networks, CPNs),
which are well known from the publications of different authors. Although the possi-
bility of building strong cryptosystems based on the use of key-dependent CPs has
been demonstrated, the suggested ciphers could not compete with other symmetric
cryptosystems in the
speed of operation and simplicity of the schematic implementation. This is mainly
because key-dependent bit permutation remains a purely linear operation, because
it is fixed after the key input. The situation becomes principally different when the
permutation is a variable operation; that is, in cases when the result of its execution
depends on the value of the data block being transformed, which is a variable value
by its nature.
To execute variable permutations, the most suitable are CPNs with the layered
structure shown in Figure 3.1, where the main building block is a permutation
element P2/1, which can be called the elementary block of controlled permutations
(controlled permutations block, CPB), because it implements two different permutations
of two input bits x1 and x2 depending on one control bit v. An elementary
block P2/1 is controlled by a single bit v and forms a two-bit output (y1, y2),
where y1 = x1+v and y2 = x2–v (here 1+v and 2–v are the indexes of the input bits: for
v = 0 the bits pass through unchanged, and for v = 1 they are swapped). Since there
are only two permutations of this type, the elementary CPB implements all possible
permutations. With the increase of the CPB input size, implementation of all
permutations becomes problematic; however, for almost all practically significant
values of the input size n, CPBs implementing all possible n! permutations can be
built. At the same time, such operating blocks are fast enough to ensure high
encryption speed based on variable permutations. In layered CPBs, the number of
active layers s is related to parameters m and n as follows: s = 2m/n.

FIGURE 3.1 The structure of a CPB: a) elementary P2/1 block; b) structure of an
active layer; c) general structure of multilayered CPBs; d) inverse P–1n/m block.
Assume that some CPB implements a set of different permutations corre-
sponding to different values of the controlling vector V. According to the number
of layers, vector V can be represented as a union of s vectors V1, V2, ..., Vs ∈ GF(2)^(n/2);
that is, V = (V1, V2, …, Vs). When the value of the controlling vector is fixed, a cer-
tain permutation ∏V is implemented. The block of controlled permutations Pm/n
can be described using an ordered set of modifications {∏0, ∏1, …, ∏(2^m – 1)}, where
each modification ∏V, V = 0, 1, …, 2^m – 1, is a fixed permutation of n bits. Permuta-
tions ∏V will be called modifications of controlled permutation. Execution of the
controlled permutation Pm/n(V)(X) consists of the execution of the permutation ∏V
over X : Y = Pm/n(V)(X) = ∏V(X). For cryptographic applications, the most interest-
ing are values of n which are natural powers of two. The most promising is the de-
velopment of CPBs of different orders, because the number of active layers in a
CPB decreases with the decrease of the order, which results in the improvement of
the CPB operating speed.

Definition 3.1
Assume that for a given d ≤ n and arbitrary sets of d indexes α1, α2, …, αd and β1, β2,
…, βd there exists at least one value of the controlling vector V such that the input bits
xα1, xα2, …, xαd are transformed into the output bits yβ1, yβ2, …, yβd, respectively. The
maximum possible value of d is called the order of the Pm/n CPB and is denoted
as h.

The possibility of constructing CPBs of different orders that are uniform enough,
which are of greatest interest (h = 1, 2, 4, …, n/4), is the most important issue of
the cipher developer’s toolset. It allows for finding the required compromise be-
tween the cost of implementation and performance of the cipher being designed.
Another important issue is the simplicity of designing inverse CPBs.

Definition 3.2
Blocks of controlled permutations Pm/n and P–1m/n are called mutually inverse, if
for all possible values of vector V modifications of bit permutations ∏V and ∏–1V
implemented by blocks Pm/n and P–1m/n , respectively, are mutually inverse.

FIGURE 3.2 Structures of direct (a) and inverse (b) blocks of controlled permutations.

The general scheme of constructing direct and inverse layered blocks of con-
trolled permutations is shown in Figure 3.2. The characteristic issue of such a
design is that the components of the controlling vector V = (V1, V2, …, Vs) are
distributed by active layers in different orders. In the case of a direct block, they are
distributed from top to bottom, starting from input to output, and in the case of an
inverse block, they are distributed from bottom to top (from output to input). At
the same time, the numbering of active cascades in both blocks goes similarly—
from input to output. Thus, according to the adopted agreement, the component
Vl controls the l-th active layer in the direct block, and (s – l + 1)-th active layer in
the inverse block. A layered P-box can be considered a matrix of elementary switch-
ing elements that are sequentially numbered from left to right and from top to bot-
tom in the direct P-box, and from left to right and from bottom to top in the
inverse P-box. The i-th bit of vector V controls the i-th P2/1 switching element.
One active cascade can be considered a single-layered P-box Ln. Obviously,
P2/1 = P–12/1; therefore, the conversion carried out using an active cascade is an
involution. Thus, it is possible to obtain the result Ln = L–1n. The multilayered block
of controlled permutations Pm/n can be represented as a superposition:

Pm/n = LV1 ∘ π1 ∘ LV2 ∘ π2 ∘ … ∘ πs–1 ∘ LVs.

The corresponding block P–1m/n has the following structure:

P–1m/n = LVs ∘ π–1s–1 ∘ LVs–1 ∘ π–1s–2 ∘ … ∘ π–11 ∘ LV1.

Thus, to build a block of controlled permutations that is an inverse of the Pm/n
block, it is enough to renumber P2/1 blocks from left to right and from bottom to
top, and replace πi by π–1s–i. Blocks of controlled permutations are used in a range of
ciphers covered in Chapter 5, “Designing Fast Ciphers Based on Controlled Opera-
tions,” and publications (for example, “Fast Encryption algorithm SPECTR-H64”
by N. D. Goots, A. A. Moldovyan, and N. A. Moldovyan) for carrying out data-
dependent bit permutations. Although controlled permutations allow for consider-
ably improving the operating speed of block ciphers while decreasing the cost of
implementation, as a cryptographic primitive, they are not free from drawbacks. The
most important drawback is that they are linear cryptographic primitives, although
the only linear combination of outputs, which is a linear boolean function, includes
all output bits y1, y2, …, yn. Such a linear combination is the sum Σ = y1 ⊕ y2 ⊕…⊕ yn,
which is equal to the sum of input bits due to the nature of permutations.
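To make the layered construction concrete, here is an added Python example (not code from the book) that builds a small Pm/n block from P2/1 switches exactly as the superposition above describes, derives the inverse block by reversing the layer order and replacing each πi by π–1i, and checks Definition 3.1 for d = 1 together with the XOR-sum linearity just mentioned. The 8-bit, three-layer wiring PERMS and all function names are assumptions of the example, not the book’s P8/12.

```python
"""Layered controlled-permutation block P_{m/n} assembled from P2/1 switches.

Added example (not the book's code). It follows Section 3.1: an active layer
L_n is n/2 elementary P2/1 blocks, a P_{m/n} block is the superposition
L_{V1} o pi_1 o L_{V2} o ... o pi_{s-1} o L_{Vs} with s = 2m/n, and the inverse
block walks the same layers from output to input with pi_i^{-1}. The
inter-layer wirings PERMS below are a constructed butterfly arrangement for
n = 8, m = 12; they are an assumption for this example, not the book's P8/12.
"""
from itertools import product


def p2_1(x1, x2, v):
    """Elementary CPB: y1 = x_{1+v}, y2 = x_{2-v}; v = 0 passes, v = 1 swaps."""
    return (x1, x2) if v == 0 else (x2, x1)


def active_layer(bits, ctrl):
    """One active layer L_n: switch i acts on bits (2i, 2i+1), driven by ctrl[i].
    Applying the same layer twice restores the input, so L_n = L_n^{-1}."""
    out = []
    for i in range(len(bits) // 2):
        out.extend(p2_1(bits[2 * i], bits[2 * i + 1], ctrl[i]))
    return out


def apply_perm(bits, perm):
    """Fixed wiring pi: output position j receives input position perm[j]."""
    return [bits[perm[j]] for j in range(len(bits))]


def invert_perm(perm):
    """pi^{-1} for the representation used by apply_perm."""
    inv = [0] * len(perm)
    for j, src in enumerate(perm):
        inv[src] = j
    return inv


def split_control(v, n, s):
    """V = (V1, ..., Vs): s chunks of n/2 control bits."""
    return [v[i * (n // 2):(i + 1) * (n // 2)] for i in range(s)]


def cpb(bits, v, perms):
    """Direct block P_{m/n}(V): V1 drives the layer nearest the input."""
    layers = split_control(v, len(bits), len(perms) + 1)
    x = active_layer(bits, layers[0])
    for i, perm in enumerate(perms):
        x = active_layer(apply_perm(x, perm), layers[i + 1])
    return x


def cpb_inverse(bits, v, perms):
    """Inverse block P^{-1}_{m/n}(V): Vs drives the layer nearest the input and
    each wiring pi_i is replaced by pi_i^{-1} (the book's construction)."""
    s = len(perms) + 1
    layers = split_control(v, len(bits), s)
    x = active_layer(bits, layers[s - 1])
    for i in range(s - 2, -1, -1):
        x = active_layer(apply_perm(x, invert_perm(perms[i])), layers[i])
    return x


# Constructed wiring for an 8-bit, 3-layer block (m = 12 control bits).
N = 8
PERMS = ([0, 2, 1, 3, 4, 6, 5, 7], [0, 4, 1, 5, 2, 6, 3, 7])


def modifications(perms=PERMS, n=N):
    """All permutations Pi_V realised by the block over its 2^m control values.
    Each is recorded as the tuple (label of the input bit at output 0, ...);
    the inverse block is checked against every modification on the way."""
    m = (len(perms) + 1) * n // 2
    labels = list(range(n))
    seen = set()
    for v in product((0, 1), repeat=m):
        y = cpb(labels, v, perms)
        if cpb_inverse(y, v, perms) != labels:
            raise AssertionError("inverse block does not undo the direct block")
        seen.add(tuple(y))
    return seen


def is_order_at_least_one(perms=PERMS, n=N):
    """Definition 3.1 with d = 1: every input bit can reach every output position
    for some control vector V."""
    mods = modifications(perms, n)
    return all(len({p.index(i) for p in mods}) == n for i in range(n))


def xor_sum_is_preserved(bits, v, perms=PERMS):
    """The one linear combination that stays linear: the XOR of all outputs
    equals the XOR of all inputs, whatever V selects (end of Section 3.1)."""
    return sum(cpb(bits, v, perms)) % 2 == sum(bits) % 2


if __name__ == "__main__":
    print(len(modifications()), "distinct modifications for the 4096 control values")
    print("order >= 1:", is_order_at_least_one())
```

For this butterfly wiring every one of the 2^12 control values yields a different modification, so the block has 4096 modifications out of the 8! = 40320 permutations of 8 bits; it is a first-order block in the sense of Definition 3.1, which is why blocks of this kind are used as building elements of larger, higher-order CPBs rather than on their own.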
Because linear combinations with smaller numbers of outputs are nonlinear
boolean functions, variable bit permutations ensure the possibility of efficiently
building block ciphers while using additional nonlinear cryptographic primitives
playing an auxiliary role; namely, preventing linear cryptanalysis using masks with
maximum possible weight. The use of additional primitives masks the contribution
of variable permutations into the strength of the ciphers developed according to the
scheme being considered, because the high strength of such ciphers is ensured by
the two main primitives. Data-dependent bit permutations are efficient, because
they are used only in combination with the XOR operation, fixed permutations and
extension blocks implemented as simple branching of conductors. Such a formu-
lation of the problem in practice means the necessity of preliminary design of the
permutation operation, representing a nonlinear cryptographic primitive.
For solving this problem, the DDP-64 cipher described in the next section uses
the idea of truncation of the output bits of the controlled permutations block used
for implementation of variable permutations. This approach can be used while
preserving the possibility of correctly executing the decryption procedure, if the
aforementioned permutation is used as an element included into the function F of
the Feistel network. This is exactly how additional primitives are used in known
ciphers based on data-dependent permutations (for example, nonlinear operation
G in ciphers such as SPECTR-H64, SPECTR-128, and CIKS-128). Thus, the DDP-
64 cryptosystem uses controlled permutations blocks implementing variable
permutations of two types: normal and with truncated output. Controlled permu-
tations blocks with truncated output represent a nonlinear primitive according to
the cryptographic definition.
3.2 BLOCK CIPHER BASED ON VARIABLE PERMUTATIONS

When developing the DDP-64 cryptosystem (DDP stands for Data-Dependent Per-
mutations), the main idea was to build a cryptographically strong cipher, in which
variable bit permutations are the only nonlinear cryptographic primitive. Fixed
permutations, extension operations, and modulo-2 bitwise summing are used as
auxiliary primitives. The following criteria were used when designing the DDP-64
cryptoscheme:

The cryptosystem must be a block iterative 64-bit cipher ensuring high rate
of the data transformation combined with relatively low cost of the hardware
implementation.
The same algorithm must be used for encryption and decryption. The change
of the transformation mode must be ensured by quick change of the subkey use
schedule.
The cipher must ensure high performance with applications requiring frequent
change of the key. To achieve this, the key schedule must be easy enough. The
key schedule must not require any precomputations for building an extended
key (set of round subkeys).
The procedure of round encryption must be characterized by relatively high
parallelism of computations to ensure fast encryption speed.
Only variable permutations must be used as the main cryptographic primitive.
In addition to bit permutations and extension nodes implemented as simple
branching of wires, only one auxiliary operation can be used—modulo-2 bit by
bit summation (XOR).

As the prototype of the round transformation, the DDP-64 cipher uses the
round transformation procedure of the SPECTR-H64 cryptosystem, which is well
suited for implementation of the adopted design criteria. Nonlinear variable per-
mutations are carried out by the operating block F, the synthesis of which is based
on the use of “truncated” variable bit permutations carried out over the left data
subgroup. Another example of the use of variable bit permutations is represented
by permutations carried out using second-order controlled permutations blocks
P32/96(V) and P–132/96(V′) shown in Figure 3.3. The P32/96(V) and P–132/96(V′) blocks are
built on the basis of the P8/12 and P–18/12 blocks of controlled permutations shown
in Figure 3.3 (a, b). The cascade of P8/12 blocks is connected to the cascade of P–18/12
block using switching that specifies the following bit permutations representing an
involution:

(1)(2,9)(3,17)(4,25)(5)(6,13)(7,21)(8,29)(10)(11,18)(12,26)
(14)(15,22)(16,30)(19)(20,27)(23)(24,31)(28)(32).
FIGURE 3.3 The structure of controlled permutations blocks P8/12 (a), P–18/12 (b),
P32/96 (c), and P–132/96 (d).

Thanks to the symmetric structure of the P32/96 and P–132/96 blocks, they differ
only by the distribution of the controlling bits of vector V. Because these blocks use
the 96-bit controlling vector, and the left subgroup of the controlling data is 32 bits
in length, it is necessary to use the extension block E, for the synthesis of which the
following criteria were used:

For all values of the controlling vector, the permutation of each input bit of the
CPB must be defined by six different bits of L.
Exactly three bits of the controlling vector must depend on each bit of the con-
trolling data subgroup.

Assume that a 96-bit vector V = (V1, V2, V3, V4, V5, V6) is the output of the
block E, and a 32-bit vector X = (Xl, Xh), where Xl, Xh ∈ GF(2)^16, is its input. The
DDP-64 cipher uses the extension block E that satisfies the previously provided
criteria. It is described by the following relationships:

V1 = Xl, V2 = Xl <<< 6, V3 = Xl <<< 12, V4 = Xh, V5 = Xh <<< 6, V6 = Xh <<< 12.

Obviously, because the provided criteria have been met, each bit of the left data
subgroup L controls exactly six bits of the right data subgroup R (independently on
the value of the vector supplied to the input of the CPB) in each of the P32/96 and
P–132/96 blocks. It is also obvious that an arbitrarily specified input bit of the blocks in
each of the P32/96 and P–132/96 blocks moves to each of the output positions with equal
probability, provided that L is a uniformly distributed random value.
Operating blocks F represent a specific variant of specifying variable permuta-
tions. The design of each of the two F blocks used ensures the randomnicity of the
change of the output value parity. It should be mentioned that the P32/96(V) and
P–132/96(V′) CPBs are not characterized by such a property. To form an 80-bit con-
trolling vector of the F blocks, the extension block E′ is used, which is specified as
follows. Let the 80-bit vector W = (W1, W2, W3, W4, W5) be the output of the block
E′, and the 32-bit vector X = (Xl, Xh), where Xl, Xh ∈ GF(2)^16, be its input. Then, the
16-bit components W1, W2, W3, W4, W5 are defined by the following relations:

W1 = Xl, W2 = Xl <<< 5, W3 = Xl <<< 10, W4 = Xh, W5 = Xh <<< 5.

The general scheme of the encrypting transformation implemented in DDP-64
is shown in Figure 3.4a, and the structure of its round transformation Crypt(e)
is presented in Figure 3.4b. Bit e is the bit that specifies the transformation mode:
e = 0 corresponds to encryption, and e = 1 stands for decryption.
The use of the superscript index of the Crypt(e) procedure means that this pro-
cedure uses the switched permutation Π(e′): when e = 0, the procedure executes the
direct bit permutation over the current value of the left subgroup; and when e = 1,
the procedure carries out an appropriate inverse bit permutation. Two different
mechanisms determine the change of the transformation mode—change of the key
schedule and switching of the permutation Π(e′).
The DDP-64 block cryptosystem includes a simple initial transformation of a
64-bit block of input data, ten rounds of transformation using the Crypt(e) proce-
dure, and a simple final transformation. The transformation of the data block can
be represented in the following form:

C = CRYPT (e=0)(M, K) and M = CRYPT (e=1)(C, K),

where M is the plaintext, C is the ciphertext (M, C ∈ GF(2)^64), and K is the secret
key (K ∈ GF(2)^128). The DDP-64 cipher uses a 128-bit secret key considered as a set
of four 32-bit subkeys Ki, i = 1, 2, 3, 4: K = (K1, K2, K3, K4). Each round key Qj is
made up of four independent round subkeys Gj, Sj, Tj, Uj ∈ GF(2)^32, which means
that Qj = (Gj, Sj, Tj, Uj). Table 3.1 describes the key schedule using subkeys O1, O2,
O3, and O4, which are outputs of the subkeys permutation block shown in Figure
3.5a. The subkeys permutation block is made up of two P(e)2×32/1 CPBs. The first
P(e)2×32/1 is supplied with the pair of subkeys K1 and K3, and the second block accepts
the pair of subkeys K2 and K4. The output subkeys Oi depend on the value e. When
e = 0, Oi = Ki for i = 1, 2, 3, 4. If e = 1, then O1 = K3, O3 = K1, O2 = K4, and O4 = K2.

FIGURE 3.4 The general scheme of the DDP-64 cipher (a) and the procedure of
its round transformation Crypt(e) (b).
TABLE 3.1 Key Schedule and Specification of the Value of Bit e′ in the Encryption
(e = 0) and Decryption (e = 1) Modes

j =           1    2    3    4    5    6    7    8    9    10
Gj =          O3   O2   O1   O4   O3   O3   O4   O1   O2   O3
Sj =          O2   O1   O4   O3   O4   O4   O3   O4   O1   O2
Tj =          O4   O3   O2   O1   O2   O2   O1   O2   O3   O4
Uj =          O1   O4   O3   O2   O1   O1   O2   O3   O4   O1
e′ (e = 0)    1    0    1    1    0    1    1    1    0    1
e′ (e = 1)    0    1    0    0    0    1    0    0    1    0

FIGURE 3.5 Transposition of subkeys (a) and the structure of the switched
permutation (b).

The encryption procedure is carried out as follows. The input data block X is
divided into two 32-bit subgroups L and R. Then, the data encryption is carried out
according to the following algorithm:

1. Carry out the initial transformation.
2. Sequentially increasing the value j by one, from j = 1 to j = 9, carry out the
following transformations:
   a. Transform (Lj, Rj): (Lj, Rj) := Crypt(Lj−1, Rj−1, Qj).
   b. Swap data subgroups: (Lj, Rj) := (Rj, Lj).
3. Transform (L9, R9): (L10, R10) := Crypt(L9, R9, Q10).
4. Carry out the final transformation.

The switched permutation Π(e′) is implemented using the P(e′)2×32/1 CPB and two
fixed mutually inverse permutations Π and Π–1, as shown in Figure 3.5b. From the
scheme provided in this illustration, it is clear that the following relationships take
place: Π(0) = Π and Π(1) = Π–1. The permutation Π being used is described as follows:

(1,4,7,2,5,8,3,6)(9,12,15,10,13,16,11,14)
(17,20,23,18,21,24,19,22)(25,28,31,26,29,32,27,30).

As can be seen from the algorithm description, subkeys Ki (i = 1, 2, 3, 4) are
directly used in each round without carrying out any precomputations over them.
After addition to the left data subgroup, keys G and U are used for forming control-
ling vectors V and V′, which determine implementation of the current modifications
of the permutations implemented using blocks P32/96 and P–132/96, respectively. Sub-
keys S and T are also added to the left data subgroup; however, after completion
of this operation the result is transformed using block F. Note that the round trans-
formation doesn’t represent an involution for two reasons: the execution of the Π(e′)
operation over the left data subgroup, and the use of mutually inverse CPBs con-
trolled by binary vectors having different values in the right branch of the round
transformation. The difference between the values of controlling vectors V and V′ is
due to the transformation of the left data subgroup and to the use of different sub-
keys when forming the input values of the extension blocks corresponding to the
P32/96 and P–132/96 operations (see Figure 3.4b). To invert a certain j-th round of
encryption, appropriate subkeys must be exchanged, and bit e′ must be inverted.
That is, at the (11 − j)-th round of decryption, the following transformation must be
carried out:

X′ = Crypt(1)(Y, Q11 − j),

where Q11 − j = (Uj , Tj , Sj , Gj ), and the value was obtained using the Y = Crypt(0)(X, Q j)
transformation, where Qj = (Gj, Sj, Tj, Uj ). Table 3.1 specifies the values of bit e′ for
encryption (e = 0) and for decryption (e = 1).
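The inversion property just stated can be checked mechanically against Table 3.1. The following Python example is added here and is not the book’s code; it encodes the table and the subkey transposition of Figure 3.5a using subkey names only (no key material) and verifies that decryption round 11 − j receives (Uj, Tj, Sj, Gj) together with the inverted bit e′. The function and table names are the example’s own.

```python
"""DDP-64 key schedule from Table 3.1 (added example, not the book's code).

Checks the inversion property stated in the text: if encryption round j uses
Q_j = (G_j, S_j, T_j, U_j) with bit e', then decryption round 11 - j must use
(U_j, T_j, S_j, G_j) with the inverted bit e'. Subkeys are represented by
their names "K1".."K4" only; no real key material is involved.
"""

# Table 3.1, one entry per round j = 1..10; the integers are O-indexes.
G_ROW = [3, 2, 1, 4, 3, 3, 4, 1, 2, 3]
S_ROW = [2, 1, 4, 3, 4, 4, 3, 4, 1, 2]
T_ROW = [4, 3, 2, 1, 2, 2, 1, 2, 3, 4]
U_ROW = [1, 4, 3, 2, 1, 1, 2, 3, 4, 1]
E_PRIME = {0: [1, 0, 1, 1, 0, 1, 1, 1, 0, 1],   # encryption, e = 0
           1: [0, 1, 0, 0, 0, 1, 0, 0, 1, 0]}   # decryption, e = 1


def subkey_transposition(e):
    """Outputs O1..O4 of the two P(e)_{2x32/1} blocks of Figure 3.5a:
    identity for e = 0; K1 <-> K3 and K2 <-> K4 for e = 1."""
    if e == 0:
        return {1: "K1", 2: "K2", 3: "K3", 4: "K4"}
    return {1: "K3", 2: "K4", 3: "K1", 4: "K2"}


def round_key(j, e):
    """Q_j = (G_j, S_j, T_j, U_j) for round j (1-based) in mode e."""
    o = subkey_transposition(e)
    i = j - 1
    return (o[G_ROW[i]], o[S_ROW[i]], o[T_ROW[i]], o[U_ROW[i]])


def e_prime(j, e):
    """Value of the switching bit e' in round j for mode e."""
    return E_PRIME[e][j - 1]


def schedule(e):
    """The full list of (Q_j, e'_j) pairs, j = 1..10, for mode e."""
    return [(round_key(j, e), e_prime(j, e)) for j in range(1, 11)]


def schedule_inverts_correctly():
    """Decryption round 11 - j must see (U_j, T_j, S_j, G_j) and NOT e'_j."""
    for j in range(1, 11):
        g, s, t, u = round_key(j, 0)
        if round_key(11 - j, 1) != (u, t, s, g):
            return False
        if e_prime(11 - j, 1) != 1 - e_prime(j, 0):
            return False
    return True


if __name__ == "__main__":
    for j, (q, ep) in enumerate(schedule(0), start=1):
        print(f"round {j:2d}: Q = {q}, e' = {ep}")
    print("decryption schedule inverts encryption:", schedule_inverts_correctly())
```

Because the only difference between the two modes is the value of e fed to the P(e)2×32/1 blocks and to the Π(e′) switch, this check is the whole correctness argument for “the same algorithm is used for encryption and decryption”: no inverse round function is needed, only the swapped subkeys and the inverted bit e′ in reversed round order.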
The use of fixed permutations representing involutions is typical for the round
transformation of the DDP-64 cipher. The cyclic-shift operation <<< 16, carried
out over the left data subgroups is used for specifying the “symmetric” use of the
most significant (Lh) and the least significant (Ll) parts of the data subgroup L when
executing two variable bit permutations carried out using operational blocks F.
Permutation involution I2, carried out over the right data subgroup is used for
specifying the influence of each input bit of the block P32/96 on 31 output bits of
block P–132/96 in the case when V = V′. In this case, every i-th input bit doesn’t affect
only the i-th output bit. Note that if the I2 permutation is not used, then in the
aforementioned case, every input bit of P32/96 has the effect only to one output bit
of P–132/96. The I2 permutation has a simple structure and can be described by two
cyclic shifts by 8 bits:

Y = I2(X1,X2) = (X1 <<<8, X2 <<<8).

This permutation improves the resulting controlled permutation, correspond-
ing to sequential execution of the P32/96(V) and P–132/96(V′) operations. Actually, even
if V = V′, the superposition P32/96(V) ∘ P–132/96(V) forms an efficient controlled per-
mutation, all modifications of which are permutation involutions. In the general
case, we obtain that V ≠ V′, because the data are combined with different subkeys
when forming controlling vectors that correspond to operations P32/96(V) and
P–132/96(V′). Therefore, the influence of each input bit of block P32/96 is extended to all
output bits of block P–132/96. To study the role of the fixed permutation between two
mutually inverse CP operations, many statistical experiments were conducted pre-
viously (for example, see “Fast DDP-Based Ciphers: Design and Differential Analy-
sis of Cobra-H64” by Moldovyan N. A). These experiments have shown that the use
of such permutation considerably improves the properties of the transformation
carried out by two mutually inverse blocks of controlled permutations.
The structure of block F is shown in Figure 3.6. To ensure nonlinearity of all
linear combinations of output bits of this block, internal extending and compress-
ing mappings were used. Block F includes two three-layered CP blocks, P32/48 and
P–132/48, separated by a fixed permutation Π′, which is described as follows:

Π′ = (1,33)(2,9)(3,17)(4,25)(5)(6,13)(7,21)(8,34,29,40)
(10,35)(11,18)(12,26)(14)(15,36,22,38)
(16,30)(19,37)(20,27)(23)(24,31)(28,39)(32).

The structure of the three-layered P32/48 and P–132/48 CP blocks made up of
the P8/12 and P–18/12 blocks is shown in Figure 3.6b. The input value Z = (Z1, Z2, Z3,
Z4) of block F is simultaneously the input value of block P32/48. The binary vector
D = (D1, D2, D3, D4) generated at the output of block P32/48 is extended to 40 bits
by appending the constant binary vector C = (10101010). The extended vector
(D1, D2, D3, D4, C) obtained in this way is supplied to the input of the Π′ permutation.
At the output of this permutation, the (H1, H2, H3, H4, H5) vector is formed, which
is divided into two vectors: (H1, H2, H3, H4) and H5. The first of
these vectors is supplied to the input of the second internal P–132/48 CPB, and the
Substitution—Permutation Networks with Minimal Controlled Element 135

FIGURE 3.6 The structure of block F, implementing nonlinear


cryptographic transformation using variable permutations.

second vector is used as part of the controlling vector when carrying out the P–132/48
operation. The output value of block P–132/48 is simultaneously the output of block
F.
The controlling vector W = (W1, W2, W3, W4, W5) of block F, where W1, W2, W3, W4, W5 ∈ GF(2)^{16}, is used as follows. The binary vectors W1, W2, and W3 control the first, second, and third active layers of block P_{32/48}, respectively, and the vectors W4 and W5 control the first and second active layers of block P_{32/48}^{-1}, respectively. The vector W6, controlling the third layer of block P_{32/48}^{-1}, is formed from the 8-bit vector H5 according to the expression W6 = (H5, H5).
As can easily be seen, for a fixed key the left data subgroup defines the value of the vector (D1, D2, D3, D4); two bits of each of the vectors D1, D2, D3, D4 (their positions are fixed by Π′) are moved to the vector H5 and are replaced by one 1 bit and one 0 bit of the constant C. Each bit of the input vector (Z1, Z2, Z3, Z4), whose position in D is determined by the controlling vector of P_{32/48}, is therefore replaced with probability 1/4: it is replaced by a zero bit with probability 1/8 and by a one bit with probability 1/8. As a result of such replacement, the transformation carried out by block F, unlike a bit permutation, changes the parity of the Hamming weight of its output value in a data-dependent way.
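The replacement property just described can be checked mechanically from the cycle notation of Π′ given above. The following Python snippet is an added example (it is not code from the book): it parses the cycles, applies the permutation to the 40-bit vector (D1, D2, D3, D4, C), and reports which positions of each Di are moved into H5 and which constant bits of C take their place. The function and variable names are this example's own, not the book's.

```python
import re

# Pi' exactly as written in the text, acting on positions 1..40 of (D1, D2, D3, D4, C)
PI_PRIME = ("(1,33)(2,9)(3,17)(4,25)(5)(6,13)(7,21)(8,34,29,40)"
            "(10,35)(11,18)(12,26)(14)(15,36,22,38)"
            "(16,30)(19,37)(20,27)(23)(24,31)(28,39)(32)")
C_CONST = (1, 0, 1, 0, 1, 0, 1, 0)   # C = 10101010, occupies positions 33..40


def parse_cycles(spec, size):
    """Cycle notation -> dict {position: destination}; each element of a cycle
    is sent to the next one and the last wraps to the first.  Raises ValueError
    unless every position 1..size occurs exactly once."""
    perm, seen = {}, []
    for cyc in re.findall(r"\(([^)]*)\)", spec):
        elems = [int(t) for t in cyc.split(",")]
        for src, dst in zip(elems, elems[1:] + elems[:1]):
            perm[src] = dst
        seen.extend(elems)
    if sorted(seen) != list(range(1, size + 1)):
        raise ValueError("not a permutation of 1..%d" % size)
    return perm


def apply_perm(bits, perm):
    """out[perm[i]] = bits[i] for 1-based positions i."""
    out = [None] * len(bits)
    for i, b in enumerate(bits, start=1):
        out[perm[i] - 1] = b
    return out


def extend_and_permute(d_bits):
    """The extending step of block F: append C to the 32-bit D, apply Pi',
    and split the result into (H1..H4) and H5."""
    if len(d_bits) != 32:
        raise ValueError("D must be 32 bits")
    h = apply_perm(list(d_bits) + list(C_CONST), parse_cycles(PI_PRIME, 40))
    return h[:32], h[32:]


def replacement_map():
    """For each 8-bit subvector Di (index 0..3): the positions of D that are moved
    into H5, and the constant bits of C that land in Di instead."""
    perm = parse_cycles(PI_PRIME, 40)
    moved = {i: [] for i in range(4)}
    received = {i: [] for i in range(4)}
    for pos in range(1, 33):                 # bits of D
        if perm[pos] > 32:
            moved[(pos - 1) // 8].append(pos)
    for pos in range(33, 41):                # bits of C
        dst = perm[pos]
        if dst <= 32:
            received[(dst - 1) // 8].append(C_CONST[pos - 33])
    return moved, received


if __name__ == "__main__":
    moved, received = replacement_map()
    for i in range(4):
        print("D%d: positions %s -> H5, replaced by constant bits %s"
              % (i + 1, moved[i], received[i]))
```

Running it shows that each Di loses exactly two bits (positions 1 and 8, 10 and 15, 19 and 22, 28 and 29) and receives one 1 and one 0 from C, which is exactly what the weight-parity argument above relies on.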
136 Innovative Cryptography, Second Edition

3.3 EXTENDING THE CLASS OF CONTROLLED OPERATIONS USING ELEMENTARY CONTROLLED INVOLUTIONS

In the previous section, the efficiency of variable permutations as a cryptographic primitive was demonstrated. At the same time, the most important issue was the control over the choice of different modifications of data-dependent bit permutations. For this reason, the search for new types of data-dependent operations that can be implemented in the form of fast electronic circuits gains urgency. With this goal in mind, it was suggested to replace all elementary P_{2/1} blocks by other controlled elements (CEs) of minimal size (that is, having a 2-bit input, a 2-bit output and a 1-bit controlling input) while preserving the general topology of the controlled permutation blocks. Such controlled elements are to be used as a standard design unit. To achieve this goal, it is necessary to formulate several criteria for choosing specific variants of CEs.
Because P_{2/1} blocks allow cryptographically efficient controlled operations to be built, they can serve as a prototype for choosing CEs, that is, for formulating the criteria by which specific CEs are selected from all possible variants. Once the required criteria have been formulated, this task can be solved by exhaustive search because of the small CE size. Denote the general form of a CE as F_{2/1}. In general, a CE can be described as a pair of Boolean functions (Figure 3.7).

FIGURE 3.7 Controlled element (a) and its representation in the form of a pair
of boolean functions (b).

Another representation of a CE is a pair of permutations of size 2 × 2, where one of the permutations is carried out over the 2-bit vector (x1, x2) when v = 0, and the other when v = 1. A pair of such permutations can be represented as a pair of tables or as a pair of elementary transformation schemes. In particular, the schematic representation of the P_{2/1} block appears as shown in Figure 3.8.

FIGURE 3.8 Schematic representation of the P_{2/1} block in the form of two elementary bijective transformations carried out over a 2-bit vector (x1, x2) provided that v = 0 (a) and v = 1 (b).

An elementary switch can be characterized as follows. Each of the two modifications of the elementary transformation is an involution; that is, P_{2/1} represents an elementary controlled involution. Obviously, both elementary modifications are bijective; consequently, each of the pair of Boolean functions describing the P_{2/1} CE is balanced. The Boolean functions f1 and f2 are nonlinear:

y1 = f1(x1, x2, v) = x1v ⊕ x2v ⊕ x1;   y2 = f2(x1, x2, v) = x1v ⊕ x2v ⊕ x2.

All balanced nonlinear Boolean functions of three variables are quadratic and have the same nonlinearity, 2, which is the maximum nonlinearity of a three-variable function (measured as the minimal distance to the set of affine Boolean functions of three variables). With this in mind, it is possible to suggest the following basic criteria for choosing CEs:

C1: The Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v) must have the maximum nonlinearity.
C2: The modifications of the elementary transformation formed by the F_{2/1}^{(v)} controlled element, namely F_{2/1}^{(0)} and F_{2/1}^{(1)}, must be different, and each must represent an elementary bijective transformation of the form (x1, x2) → (y1, y2).
C3: Each of the two modifications of the F_{2/1}^{(v)} controlled element must be an involution.

Although all permutations of 2-bit vectors are affine, nonlinearity of each of the CE outputs is achieved because the elementary modification depends on the controlling bit. Two variants of searching for CEs might be used. The first method consists of an exhaustive search over all possible pairs of Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v), while the second consists of an exhaustive search over all possible pairs of modifications F_{2/1}^{(0)} and F_{2/1}^{(1)}, which can be specified as substitution tables or schematically.
The latter representation is more illustrative and simple, because the search is limited to trying the 90 ordered pairs of distinct modifications drawn from the 10 existing elementary involutions, shown in Figure 3.9.

FIGURE 3.9 Schematic representation of all existing (x1, x2) → (y1, y2) transformations
representing involutions.

There are 256 possible distinct Boolean functions (BFs) of three variables. To limit the range of the exhaustive search, it is necessary to exploit the fact that Criterion 2 (C2), which requires bijectivity of each of the modifications F_{2/1}^{(0)} and F_{2/1}^{(1)}, implies that the Boolean functions must be balanced. This considerably limits the possible variants for exhaustive search from the very beginning. Thus, when trying pairs of different Boolean functions, it is necessary first to select the complete set of balanced Boolean functions, the number of which is 70, and then to keep only the nonlinear ones, which reduces the number of Boolean functions of interest to 56. After that, it only remains to carry out an exhaustive search among the 56 × 55 pairs of distinct nonlinear balanced Boolean functions of three variables. This number of variants, equal to 3080, is considerably greater than the number of variants for the exhaustive search over pairs of elementary involutions. When using the first approach, the CE representation is obtained in algebraic form, while the second approach produces an illustrative schematic form. However, as the result, the same CEs satisfying criteria C1–C3 are chosen.
After choosing the required controlled elements using the second approach, the algebraic representation can easily be derived as follows. For each of the two modifications of the chosen CE, it is possible to write Boolean functions of two variables describing the outputs y1 and y2. For example, assume that modification F_{2/1}^{(0)} is described by the pair of Boolean functions y1 = f′1(x1, x2) and y2 = f′2(x1, x2), and modification F_{2/1}^{(1)} is described by the pair y1 = f′′1(x1, x2) and y2 = f′′2(x1, x2). Then the pair of Boolean functions of three variables describing the CE can be written in the form of the following two formulae:

y1 = (v ⊕ 1) f′1(x1, x2) ⊕ v f′′1(x1, x2);
y2 = (v ⊕ 1) f′2(x1, x2) ⊕ v f′′2(x1, x2).

Using the second approach, the complete set of CEs satisfying the C1–C3 criteria was found. This set of CEs is represented in Table 3.2, the rows and columns of which are labeled with lowercase Latin characters denoting the 10 elementary involutions shown in Figure 3.9. A "+" or "⊕" sign at the intersection of a row and a column specifies that the modifications corresponding to that row and column form a pair satisfying criteria C1–C3. The row identifies modification F_{2/1}^{(1)}, and the column corresponds to modification F_{2/1}^{(0)}. Among the CEs in this set, the two variants denoted by the "⊕" sign correspond to switching elements. In particular, the pair e/a corresponds to the elementary block P_{2/1}, which was initially chosen as the prototype. Let the CE described by the pair a/e be denoted by P′_{2/1}. These two switching elements are related by the equations P_{2/1}^{(0)} = P′_{2/1}^{(1)} and P_{2/1}^{(1)} = P′_{2/1}^{(0)}.

TABLE 3.2 Complete Set of CEs Satisfying Criteria C1–C3

F(1)\F(0)   a   b   c   d   e   f   g   h   i   j
a           .   .   .   .   ⊕   +   .   .   .   .
b           .   .   .   .   +   +   .   .   .   .
c           .   .   .   .   +   +   .   .   .   .
d           .   .   .   .   +   +   .   .   .   .
e           ⊕   +   +   +   .   .   +   +   +   +
f           +   +   +   +   .   .   +   +   +   +
g           .   .   .   .   +   +   .   +   +   .
h           .   .   .   .   +   +   +   .   .   +
i           .   .   .   .   +   +   +   .   .   +
j           .   .   .   .   +   +   .   +   +   .

(A dot marks a pair of modifications that does not satisfy the criteria.)

Thus, 40 variants of different CEs have been obtained that can be used for the synthesis of data-dependent operations. Differential characteristics are among the most important properties of cryptographic primitives. Because the differential characteristics of controlled operations depend on the size of the input and on the topology, describing such characteristics for all practically important variants of controlled operations built using each of the discovered CEs is an unrealistic job. However, this task can be solved for each individual CE. This is an interesting task, because the differential characteristics of the standard design element define the differential characteristics of an operational block with a given topology. Figure 3.10 shows all possible variants of differences related to a controlled element.

FIGURE 3.10 Possible variants of differences related to a CE.

The results of the investigation of the probabilities of all nontrivial differential characteristics of all 40 variants of controlled elements are presented in Table 3.3. The notable fact is that the characteristics turned out to be identical within each of four subsets of CEs, among which two subsets are distinguished by considerably smaller predictability of the output difference. Because of this, these subsets are preferred for building controlled operations. When considering the circuit representations of the CE modifications belonging to the subset related to the first column in Table 3.3, it can be noticed that none of them includes the transposition operation. Denote the CEs from this subset as S_{2/1}. The subset of controlled elements related to the second column is characterized by the fact that its elements include a bit transposition (with or without inversion of both bits) as one of the elementary modifications, while the second elementary modification is one of the modifications typical for S_{2/1} elements. Elements of the second subset are denoted as R_{2/1}; they appear the most promising for building controlled operational blocks. Subsets of CEs related to the third and fourth columns are classified as elements of types Z′′_{2/1} and Z′_{2/1}, respectively. Element P_{2/1} belongs to the Z′_{2/1} controlled elements.
When considering the circuit representations of the CEs belonging to each subset, it is possible to discover that the CEs shown in Figure 3.11 are typical for the {S_{2/1}} subset, the CEs shown in Figure 3.12 are typical for the {R_{2/1}} subset, and the CEs presented in Figure 3.13 are typical for the {Z_{2/1}} = {Z′_{2/1}, Z′′_{2/1}} subset.
TABLE 3.3 Differential Characteristics of 40 Controlled Involutions of Minimal Size (divided into four subsets)

CE types:
  S_{2/1}:   g/h, g/i, h/g, h/j, i/g, i/j, j/h, j/i
  R_{2/1}:   e/g, e/h, e/i, e/j, f/g, f/h, f/i, f/j, g/e, g/f, h/e, h/f, i/e, i/f, j/e, j/f
  Z′′_{2/1}: b/e, b/f, c/e, c/f, e/b, e/c, f/b, f/c
  Z′_{2/1}:  a/e, a/f, d/e, d/f, e/a, e/d, f/d, f/a

i  j  k   S_{2/1}   R_{2/1}   Z′′_{2/1}   Z′_{2/1}
0  0  1   1/4       1/4       0           1/2
1  0  1   1/2       1/2       1           0
2  0  1   1/4       1/4       0           1/2
0  1  1   1/4       1/4       1/2         0
1  1  1   1/2       1/2       0           1
2  1  1   1/4       1/4       1/2         0
1  1  0   1/2       3/4       1           1
2  1  0   1/2       1/4       0           0
1  2  0   1         1/2       0           0
2  2  0   0         1/2       1           1
0  2  1   1/4       1/4       0           1/2
1  2  1   1/2       1/2       1           0
2  2  1   1/4       1/4       0           1/2

For all 40 controlled elementary involutions, pairs of Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v) were composed from their circuit representations. Their analysis showed that each output of a CE belonging to the {Z_{2/1}} subset is described by a Boolean function containing the terms x1v and x2v, so that the sum of the two outputs is a linear Boolean function and, consequently, such CEs are linear cryptographic primitives. For CEs of the subset {S_{2/1}}, the Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v) each contain only one quadratic term, and the quadratic terms of the two functions are different. Because of this, the sum y1 ⊕ y2 is a nonlinear Boolean function, and such CEs are nonlinear primitives. For CEs of the subset {R_{2/1}}, one of the Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v) contains only one quadratic term, while the other contains two such terms, one of which coincides with the quadratic term of the first function. The sum y1 ⊕ y2 is then a nonlinear Boolean function with one quadratic term; that is, CEs of the R_{2/1} type are nonlinear cryptographic primitives. Thus, the CEs belonging to the subsets {S_{2/1}} and {R_{2/1}} satisfy another important criterion:

C4: The sum of the Boolean functions y1 = f1(x1, x2, v) and y2 = f2(x1, x2, v) of a CE must be a nonlinear Boolean function with the maximum possible nonlinearity.
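To see where the entries of Table 3.3 come from, the following Python snippet (an added example, not the book's code) evaluates three CEs directly from their algebraic normal forms: P_{2/1} from the formulas of this section and g/h (type S) and g/e (type R) from Table 3.4, named here P21, GH and GE. For each it checks criterion C3 and tabulates, over all inputs, the probability that an input difference of a given Hamming weight together with a given difference in the controlling bit produces an output difference of a given weight. The rows of Table 3.3 are read here as (weight of the output difference, weight of the input difference, difference of the controlling bit); this reading, which is the one consistent with the tabulated values, is an assumption of the example.

```python
from fractions import Fraction
from itertools import product


def ce_from_anf(f1, f2):
    """Controlled element (x1, x2, v) -> (y1, y2) given the ANFs of its two outputs."""
    return lambda x1, x2, v: (f1(x1, x2, v), f2(x1, x2, v))


# P_{2/1}: identity for v = 0, transposition for v = 1 (type Z')
P21 = ce_from_anf(lambda x1, x2, v: (x1 & v) ^ (x2 & v) ^ x1,
                  lambda x1, x2, v: (x1 & v) ^ (x2 & v) ^ x2)
# g/h from Table 3.4 (type S): neither modification is a transposition
GH = ce_from_anf(lambda x1, x2, v: (x2 & v) ^ x1,
                 lambda x1, x2, v: (x1 & v) ^ x1 ^ x2)
# g/e from Table 3.4 (type R): (x1, x1 + x2) for v = 0, transposition for v = 1
GE = ce_from_anf(lambda x1, x2, v: (x1 & v) ^ (x2 & v) ^ x1,
                 lambda x1, x2, v: (x2 & v) ^ x1 ^ x2)

INPUTS = list(product((0, 1), repeat=3))     # all (x1, x2, v)


def is_involution(ce):
    """Criterion C3: both modifications are self-inverse."""
    return all(ce(*ce(x1, x2, v), v) == (x1, x2) for x1, x2, v in INPUTS)


def diff_prob(ce, out_w, in_w, dv):
    """Probability, over uniform (x1, x2, v) and a uniformly chosen input
    difference of weight in_w, that the output difference has weight out_w
    when the controlling bits of the two evaluations differ by dv."""
    deltas = [d for d in product((0, 1), repeat=2) if sum(d) == in_w]
    hits = total = 0
    for (x1, x2, v), (d1, d2) in product(INPUTS, deltas):
        y = ce(x1, x2, v)
        y_ = ce(x1 ^ d1, x2 ^ d2, v ^ dv)
        hits += (y[0] ^ y_[0]) + (y[1] ^ y_[1]) == out_w
        total += 1
    return Fraction(hits, total)


def difference_table(ce):
    """The 13 nontrivial rows (i, j, k) of Table 3.3 for one CE."""
    rows = [(0, 0, 1), (1, 0, 1), (2, 0, 1), (0, 1, 1), (1, 1, 1), (2, 1, 1),
            (1, 1, 0), (2, 1, 0), (1, 2, 0), (2, 2, 0), (0, 2, 1), (1, 2, 1), (2, 2, 1)]
    return {r: diff_prob(ce, *r) for r in rows}


if __name__ == "__main__":
    for name, ce in (("P_2/1", P21), ("g/h (S)", GH), ("g/e (R)", GE)):
        print(name, "involution:", is_involution(ce))
        for row, p in difference_table(ce).items():
            print("  i j k = %d %d %d   p = %s" % (row + (p,)))
```

The printed rows reproduce the S, R and Z′ columns of Table 3.3; for instance, with the controlling bit flipped and no input difference, P_{2/1} leaves the output unchanged half of the time, whereas g/h does so only a quarter of the time.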

FIGURE 3.11 Typical S_{2/1} CEs represented by pairs of elementary modifications: g/i (a), j/i (b), and h/j (c).

FIGURE 3.12 Typical R_{2/1} CEs represented by pairs of elementary modifications: e/i (a), j/e (b), and h/f (c).

FIGURE 3.13 Typical Z_{2/1} CEs represented by pairs of elementary modifications: e/b (a), d/e (b), and a/f (c).

In all cases, the quadratic terms are products of the controlling bit v and one of the input bits. This circumstance shows that if only the key is used to form the controlling vector of CPBs or other operational blocks built from S_{2/1} and R_{2/1} CEs, the controlled operation carries out a linear (affine) transformation of the data. Only control on the part of the data being transformed ensures a nonlinear mode for controlled operations built on the basis of substitution-permutation networks with CEs of minimal size. In addition, it is obvious that the S_{2/1} and R_{2/1} elements are preferable to the Z_{2/1} CEs, including the P_{2/1} elements, both by their nonlinearity properties and by their differential characteristics. This allows us to conclude that elements of the S_{2/1} and R_{2/1} types can be used for building promising controlled operational blocks for the development of fast hardware cryptosystems. The complete characteristics of the CEs belonging to the {S_{2/1}} and {R_{2/1}} subsets are presented in Table 3.4. An evaluation of the hardware implementation of the nonlinear CEs using a standard 0.33 µm technology is presented in Table 3.5.

TABLE 3.4 The Complete Set of CEs that Are Controlled Nonlinear Involutions

CE    Type   f1(x1, x2, v): ANF             TT         f2(x1, x2, v): ANF             TT
g/e   R      x1v ⊕ x2v ⊕ x1                00011011   x2v ⊕ x1 ⊕ x2                  00101101
g/h   S      x2v ⊕ x1                      00011110   x1v ⊕ x1 ⊕ x2                  00111001
e/g   R      x1v ⊕ x2v ⊕ x2                00100111   x2v ⊕ x1                       00011110
e/h   R      x1v ⊕ x2                      00110110   x1v ⊕ x2v ⊕ x1                 00011011
h/g   S      x2v ⊕ x1 ⊕ x2                 00101101   x1v ⊕ x2                       00110110
h/e   R      x1v ⊕ x1 ⊕ x2                 00111001   x1v ⊕ x2v ⊕ x2                 00100111
g/i   S      x2v ⊕ x1 ⊕ v                  01001011   x1v ⊕ x1 ⊕ x2                  00111001
g/f   R      x1v ⊕ x2v ⊕ x1 ⊕ v            01001110   x2v ⊕ x2 ⊕ x1 ⊕ v              01111000
i/g   S      x2v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1         10000111   x1v ⊕ x2                       00110110
f/g   R      x1v ⊕ x2v ⊕ x2 ⊕ v ⊕ 1        10001101   x2v ⊕ x1 ⊕ v ⊕ 1               10110100
i/f   R      x1v ⊕ x2 ⊕ x1 ⊕ 1             11000110   x1v ⊕ x2v ⊕ x2 ⊕ v             01110010
f/i   R      x1v ⊕ x2 ⊕ 1                  11001001   x1v ⊕ x2v ⊕ x1 ⊕ v ⊕ 1         10110001
h/j   S      x2v ⊕ x1 ⊕ x2                 00101101   x1v ⊕ x2 ⊕ v                   01100011
j/h   S      x2v ⊕ x1                      00011110   x1v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1          10010011
j/f   R      x1v ⊕ x2v ⊕ x1 ⊕ v            01001110   x2v ⊕ x2 ⊕ x1 ⊕ 1              11010010
f/h   R      x1v ⊕ x2 ⊕ v ⊕ 1              10011100   x1v ⊕ x2v ⊕ x1 ⊕ v ⊕ 1         10110001
f/j   R      x1v ⊕ x2v ⊕ x2 ⊕ v ⊕ 1        10001101   x2v ⊕ x1 ⊕ 1                   11100001
e/j   R      x1v ⊕ x2v ⊕ x2                00100111   x2v ⊕ x1 ⊕ v                   01001011
j/e   R      x1v ⊕ x2v ⊕ x1                00011011   x2v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1          10000111
j/i   S      x2v ⊕ x1 ⊕ v                  01001011   x1v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1          10010011
i/e   R      x1v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1         10010011   x1v ⊕ x2v ⊕ x2                 00100111
i/j   S      x2v ⊕ x2 ⊕ x1 ⊕ v ⊕ 1         10000111   x1v ⊕ x2 ⊕ v                   01100011
h/f   R      x1v ⊕ x1 ⊕ x2 ⊕ v             01101100   x1v ⊕ x2v ⊕ x2 ⊕ v             01110010
e/i   R      x1v ⊕ x2 ⊕ v                  01100011   x1v ⊕ x2v ⊕ x1                 00011011

(TT: truth table listed in the order of the arguments (x1, x2, v), with v changing fastest.)

In this technology, P_{2/1} CEs are implemented in an area of 3 sqmil and operate at frequencies up to 2.12 GHz. The comparison demonstrates that among the nonlinear CEs there are elements close to the P_{2/1} switching elements in operating speed and at the same time more economical in implementation. Taking into account the comparison of nonlinearity properties and differential characteristics, it can be expected that the characteristics of hardware ciphers based on variable operations built from nonlinear CEs will considerably exceed the implementation characteristics of the DDP-64, CIKS-1, and SPECTR-H64 ciphers.

3.4 FULL CLASSIFICATION OF F_{2/1} NONLINEAR ELEMENTS

In the previous section, the complete class of CEs that are elementary controlled involutions was built. However, there arises the problem of enumerating all CEs of minimal size that can be used for building controlled operations similar to CPBs by their cryptographic properties. That the CEs are involutions is a useful property that simplifies building controlled operational blocks. However, the most important topologies of CPBs can also be implemented using mutually inverse CEs. For example, it is possible to use P_{32/96} blocks as the prototype. Therefore, the promising strategy consists in searching for all possible variants of CEs that meet the requirements of criteria C1 and C2, and then separating from this class the subset of CEs that also satisfy the additional nonlinearity criterion (C4). Solving this problem gives the full picture of all possible variants and provides the possibility of choosing the most suitable elements for the problem of synthesizing controlled operations.
The analysis of all possible combinations of two nonlinear balanced Boolean functions revealed 288 variants of CEs satisfying criteria C1 and C2, of which 192 variants also meet criterion C4 (Table 3.6).
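The counts quoted in this section and in the previous one (the 56 balanced nonlinear functions, the 40 controlled involutions of Table 3.2 with their split into 8 S, 16 R and 16 Z elements, the 288 CEs meeting C1 and C2, and the 192 that also meet C4) can all be reproduced by a short exhaustive search. The following Python program is an added example, not the book's own code. It represents a modification of a 2-bit vector as a permutation of the indices 0..3 (index 2·x1 + x2), builds each CE as an ordered pair (F^{(0)}, F^{(1)}), and measures nonlinearity as the distance to the nearest affine function of three variables. The S/R split of the involutions by the presence of a transposition among the modifications follows the description given for Table 3.3; the function names are this example's own.

```python
from itertools import permutations, product

INPUTS = list(product((0, 1), repeat=3))          # (x1, x2, v), v least significant
AFFINE = [tuple(a0 ^ (a1 & x1) ^ (a2 & x2) ^ (a3 & v) for x1, x2, v in INPUTS)
          for a0, a1, a2, a3 in product((0, 1), repeat=4)]

# Elementary modifications of (x1, x2): permutations p of {0,1,2,3}, index = 2*x1 + x2.
BIJECTIONS = list(permutations(range(4)))
INVOLUTIONS = [p for p in BIJECTIONS if all(p[p[i]] == i for i in range(4))]
# The transposition (x1, x2) -> (x2, x1), without and with inversion of both bits.
TRANSPOSITIONS = ((0, 2, 1, 3), (3, 1, 2, 0))


def nonlinearity(tt):
    """Distance from a 3-variable truth table to the nearest affine function (max 2)."""
    return min(sum(a != b for a, b in zip(tt, aff)) for aff in AFFINE)


def coordinates(f0, f1):
    """Truth tables of y1 and y2 for the CE using f0 when v = 0 and f1 when v = 1."""
    ys = [(f1 if v else f0)[2 * x1 + x2] for x1, x2, v in INPUTS]
    return tuple(y >> 1 for y in ys), tuple(y & 1 for y in ys)


def first_method_sizes():
    """Sizes of the candidate sets of the algebraic search: all 3-variable
    functions, the balanced ones, the balanced nonlinear ones."""
    tts = list(product((0, 1), repeat=8))
    balanced = [t for t in tts if sum(t) == 4]
    return len(tts), len(balanced), sum(1 for t in balanced if nonlinearity(t) > 0)


def ce_class(f0, f1):
    """None if C1 or C2 fails, otherwise 'Z' when y1 + y2 is affine and
    'N' (nonlinear sum, criterion C4) when it is not."""
    if f0 == f1:                                      # C2: modifications differ
        return None
    t1, t2 = coordinates(f0, f1)
    if nonlinearity(t1) < 2 or nonlinearity(t2) < 2:  # C1: both outputs nonlinear
        return None
    s = tuple(a ^ b for a, b in zip(t1, t2))
    return "Z" if nonlinearity(s) == 0 else "N"


def census(pool):
    """Number of CEs of each class among ordered pairs drawn from pool."""
    counts = {"N": 0, "Z": 0}
    for f0, f1 in product(pool, repeat=2):
        c = ce_class(f0, f1)
        if c:
            counts[c] += 1
    return counts


def involution_types():
    """The 40 controlled involutions split into S, R and Z as in Table 3.3."""
    types = {"S": [], "R": [], "Z": []}
    for f0, f1 in product(INVOLUTIONS, repeat=2):
        c = ce_class(f0, f1)
        if c == "Z":
            types["Z"].append((f0, f1))
        elif c == "N":
            t = "R" if (f0 in TRANSPOSITIONS or f1 in TRANSPOSITIONS) else "S"
            types[t].append((f0, f1))
    return types


if __name__ == "__main__":
    print("functions / balanced / balanced nonlinear:", first_method_sizes())
    print("all bijections:", census(BIJECTIONS), " involutions:", census(INVOLUTIONS))
    print({k: len(v) for k, v in involution_types().items()})
```

The program confirms that exactly 96 of the 288 CEs have an affine output sum, so the 192 nonlinear elements of Table 3.6 are the remaining ones, and that among the 40 involutions the pair (identity, transposition), i.e. P_{2/1}, falls into the Z class with the truth tables 00011011 and 00100111 of the formulas in Section 3.3.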

TABLE 3.5 Main Characteristics of the Hardware Implementation of the S_{2/1} and R_{2/1} CEs*

ASIC 0.33 µm technology; area in sqmil**, frequency in GHz.

CE    Type   Area   Frequency       CE    Type   Area   Frequency
g/e   R      3      0.95            h/j   S      3      1.35
g/h   S      3      1.37            j/h   S      3      0.59
e/g   R      2      1.92            j/f   R      3      1.28
e/h   R      2      1.92            f/h   R      3      0.89
h/g   S      3      1.35            f/j   R      2      1.72
h/e   R      3      0.95            e/j   R      4      0.95
g/i   S      3      1.37            j/e   R      4      0.60
g/f   R      4      0.83            j/i   S      4      0.74
i/g   S      4      0.74            i/e   R      4      0.60
f/g   R      3      0.89            i/j   S      4      0.63
i/f   R      3      0.89            h/f   R      4      0.83
f/i   R      2      1.72            e/i   R

* These evaluations were obtained at the University of Patras (Greece).
** Chip area is given in square mils (sqmil); 1 sqmil = 6.45 × 10^-4 mm^2.

TABLE 3.6 Complete Class of Nonlinear CEs (the {S_{2/1}, R_{2/1}} subset)
TT TT TT TT
10 16 10 16 10 16 10 16
73 00100111 4B 145 10000111 87 217 11000110 C6
00100111 27 00011011 1B 00011110 1E
2 00011011 1B 218 11000110 C6
00101101 2D 00100111 27
3 00011011 1B 75 01001011 4B 147 10000111 87
00110110 36 00111001 39 00110110 36
4 00011011 1B 76 01001011 4B 220 11000110 C6
01100011 63 01101100 6C 01001011 4B
77 01001011 4B 149 10000111 87
01110010 72 01001110 4E
6 00011011 1B 150 10000111 87 222 11000110 C6
01111000 78 01100011 63 01110010 72
7 00011011 1B 151 10000111 87 223 11000110 C6
10000111 87 10011100 9C 10001101 8D
80 01001011 4B 152 10000111 87
10001101 8D 10110001 B1
9 00011011 1B 81 01001011 4B 225 11000110 C6
10011100 9C 10010011 93 10110100 B4
10 00011011 1B 82 01001011 4B 154 10000111 87
11001001 C9 11000110 C6 11001001 C9
11 00011011 1B 227 11000110 C6
11010010 D2 11011000 D8
84 01001011 4B 156 10000111 87 228 11000110 C6
11011000 D8 11100100 E4 11100001 E1
13 00011110 1E 229 11001001 C9
00100111 27 00011011 1B
86 01001110 4E 158 10001101 8D 230 11001001 C9
00101101 2D 00011110 1E 00101101 2D
15 00011110 1E 87 01001110 4E 159 10001101 8D
00111001 39 00110110 36 00111001 39
16 00011110 1E 88 01001110 4E 160 10001101 8D 232 11001001 C9
01101100 6C 01100011 63 01001011 4B 01001110 4E
17 00011110 1E
01110010 72
90 01001110 4E 162 10001101 8D 234 11001001 C9
01111000 78 01101100 6C 01111000 78
91 01001110 4E 163 10001101 8D 235 11001001 C9
10000111 87 10010011 93 10000111 87
20 00011110 1E
10001101 8D
21 00011110 1E 93 01001110 4E 165 10001101 8D 237 11001001 C9
10010011 93 10011100 9C 10110100 B4 10110001 B1
22 00011110 1E 94 01001110 4E 166 10001101 8D
11000110 C6 11001001 C9 11000110 C6
95 01001110 4E 167 10001101 8D 239 11001001 C9
11010010 D2 11100001 E1 11010010 D2
24 00011110 1E 240 11001001 C9
11011000 D8 11100100 E4
97 01100011 63 169 10010011 93 241 11010010 D2
00011011 1B 00011110 1E 00011011 1B
26 00100111 27 98 01100011 63 170 10010011 93
00011110 1E 00101101 2D 00100111 27
27 00100111 27 243 11010010 D2
00111001 39 00110110 36
28 00100111 27 100 01100011 63 172 10010011 93
01001011 4B 01001110 4E 01001011 4B
245 11010010 D2
01001110 4E
30 00100111 27 102 01100011 63 174 10010011 93 246 11010010 D2
01101100 6C 01111000 78 01110010 72 01100011 63

31 00100111 27 103 01100011 63 175 10010011 93 247 11010010 D2


10010011 93 10000111 87 10001101 8D 10011100 9C
248 11010010 D2
10110001 B1
33 00100111 27 105 01100011 63 177 10010011 93
10110100 B4 10110001 B1 10110100 B4
34 00100111 27 250 11010010 D2
11000110 C6 11001001 C9
35 00100111 27 107 01100011 63 179 10010011 93
11100001 E1 11010010 D2 11011000 D8
108 01100011 63 180 10010011 93 252 11010010 D2
11100100 E4 11100001 E1 11100100 E4
37 00101101 2D 109 01101100 6C 181 10011100 9C
00011011 1B 00011110 1E 00011011 1B
110 01101100 6C 182 10011100 9C 254 11011000 D8
00100111 27 00101101 2D 00011110 1E
39 00101101 2D 255 11011000 D8
00110110 36 00111001 39
112 01101100 6C 184 10011100 9C 256 11011000 D8
01001011 4B 01001110 4E 01001011 4B
41 00101101 2D
01001110 4E
42 00101101 2D 114 01101100 6C 186 10011100 9C 258 11011000 D8
01100011 63 01110010 72 01111000 78 01101100 6C
43 00101101 2D 115 01101100 6C 187 10011100 9C 259 11011000 D8
10011100 9C 10001101 8D 10000111 87 10010011 93
44 00101101 2D
10110001 B1
117 01101100 6C 189 10011100 9C 261 11011000 D8
10110100 B4 10110001 B1 10110100 B4
46 00101101 2D 262 11011000 D8
11001001 C9 11000110 C6
119 01101100 6C 191 10011100 9C 263 11011000 D8
11011000 D8 11010010 D2 11100001 E1
48 00101101 2D 120 01101100 6C 192 10011100 9C
11100100 E4 11100001 E1 11100100 E4
49 00110110 36 265 11100001 E1
00011011 1B 00100111 27
50 00110110 36 122 01110010 72 194 10110001 B1
00101101 2D 00011110 1E 00101101 2D
123 01110010 72 195 10110001 B1 267 11100001 E1
00111001 39 00110110 36 00111001 39
52 00110110 36 124 01110010 72 196 10110001 B1 268 11100001 E1
01001110 4E 01001011 4B 01100011 63 01101100 6C
269 11100001 E1
01110010 72
54 00110110 36 126 01110010 72 198 10110001 B1
01111000 78 01101100 6C 01111000 78
55 00110110 36 127 01110010 72 199 10110001 B1
10000111 87 10010011 93 10000111 87
272 11100001 E1
10001101 8D
57 00110110 36 129 01110010 72 201 10110001 B1 273 11100001 E1
10110001 B1 10110100 B4 10011100 9C 10010011 93
130 01110010 72 202 10110001 B1 274 11100001 E1
11000110 C6 11001001 C9 11000110 C6
59 00110110 36 131 01110010 72 203 10110001 B1
11010010 D2 11100001 E1 11010010 D2
60 00110110 36 276 11100001 E1
11100100 E4 11011000 D8
61 00111001 39 133 01111000 78 205 10110100 B4
00011110 1E 00011011 1B 00100111 27
62 00111001 39 278 11100100 E4
00100111 27 00101101 2D
135 01111000 78 207 10110100 B4 279 11100100 E4
00110110 36 00111001 39 00110110 36
64 00111001 39 208 10110100 B4 280 11100100 E4
01001011 4B 01101100 6C 01100011 63
137 01111000 78 209 10110100 B4
01001110 4E 01110010 72
66 00111001 39 138 01111000 78 282 11100100 E4
01110010 72 01100011 63 01111000 78
67 00111001 39 139 01111000 78 283 11100100 E4
10001101 8D 10011100 9C 10000111 87
140 01111000 78 212 10110100 B4
10110001 B1 10001101 8D
69 00111001 39 213 10110100 B4 285 11100100 E4
10110100 B4 10010011 93 10011100 9C
142 01111000 78 214 10110100 B4 286 11100100 E4
11001001 C9 11000110 C6 11001001 C9
71 00111001 39 287 11100100 E4
11011000 D8 11010010 D2
72 00111001 39 144 01111000 78 216 10110100 B4
11100001 E1 11100100 E4 11011000 D8

For further classification and for determining the pairs of Boolean functions describing the selected CEs, it is convenient to use the circuit representation of CEs, that is, the form of pairs F_{2/1}^{(0)} and F_{2/1}^{(1)} of elementary bijective transformations of the type (x1, x2) → (y1, y2). All possible variants of such transformations are presented in Figure 3.14.

FIGURE 3.14 All existing variants of bijective transformations of the (x1, x2) → (y1, y2) type.

The investigation of the differential characteristics of the 248 variants of CEs that have nonlinear outputs but are not involutions has shown that they all can be divided into four subsets, two of which make up the subset of 168 nonlinear CEs whose differential characteristics are identical to those of the controlled involutions S_{2/1} and R_{2/1} (see Table 3.7).
The study of the circuit representations of the CEs in the first and second subsets showed that the subset similar by its differential characteristics to the elements of the S_{2/1} type (and, accordingly, to the elements of the R_{2/1} type) is also similar to {S_{2/1}} (and, accordingly, to {R_{2/1}}) by its characteristic elementary modifications F_{2/1}^{(0)} and F_{2/1}^{(1)}. Consequently, it is expedient to join these subsets of CEs with the corresponding subsets of involutions of the types S_{2/1} and R_{2/1} into two subclasses, {S_{2/1}} and {R_{2/1}}, respectively (see Figures 3.15 and 3.16).

TABLE 3.7 Differential Characteristics of the 248 CEs that Are Not Involutions, Selected from the Class of CEs with Two Nonlinear Outputs

CE examples and type:
  S_{2/1}:   l/h, l/i, l/m, l/n, m/g, m/j, m/k, u/q, v/s, w/t
  R_{2/1}:   g/o, h/p, o/l, o/m, m/p, a/r, b/t, t/c, u/b, w/d, p/n
  Z*_{2/1}:  p/k, q/i, q/m, r/i, r/m, a/x, d/w, t/h, t/n, k/v, k/x, h/t
  Z**_{2/1}: f/u, f/w, j/v, j/x, n/q, n/r, u/k, v/l, x/l

i  j  k   S_{2/1}   R_{2/1}   Z*_{2/1}   Z**_{2/1}
0  0  1   1/4       1/4       0          1/2
1  0  1   1/2       1/2       1          0
2  0  1   1/4       1/4       0          1/2
0  1  1   1/4       1/4       1/4        1/4
1  1  1   1/2       1/2       1/2        1/2
2  1  1   1/4       1/4       1/4        1/4
1  1  0   1/2       3/4       1/2        1/2
2  1  0   1/2       1/4       1/2        1/2
1  2  0   1         1/2       1          1
2  2  0   0         1/2       0          0
0  2  1   1/4       1/4       1/2        0
1  2  1   1/2       1/2       0          1
2  2  1   1/4       1/4       1/2        0

The subsets of CEs related to the last two columns of Table 3.7 are denoted {Z*_{2/1}} and {Z**_{2/1}}, respectively. Now it is natural to extend the {Z_{2/1}} subclass as follows: {Z_{2/1}} = {Z′_{2/1}, Z′′_{2/1}, Z*_{2/1}, Z**_{2/1}}. This extension is natural, because for all CEs from {Z_{2/1}} the sum of the outputs is a linear Boolean function. Characteristic circuit representations of the CEs related to the subsets {Z*_{2/1}} and {Z**_{2/1}} are shown in Figures 3.17 and 3.18.

FIGURE 3.15 Typical CEs of the S_{2/1} type represented by pairs of elementary modifications j/n (a), k/i (b), and s/x (c).

FIGURE 3.16 Typical CEs of the R_{2/1} type represented by pairs of elementary modifications o/m (a), v/d (b), and c/x (c).

FIGURE 3.17 Typical CEs of the Z*_{2/1} type represented by pairs of elementary modifications q/i (a), r/m (b), and g/v (c).

FIGURE 3.18 Typical CEs of the Z**_{2/1} type represented by pairs of elementary modifications x/j (a), h/r (b), and t/m (c).

The following properties have been used in the suggested classification:

If F_{2/1} ∈ {S_{2/1}}, then F_{2/1}^{-1} ∈ {S_{2/1}}.
If F_{2/1} ∈ {R_{2/1}}, then F_{2/1}^{-1} ∈ {R_{2/1}}.
For the Z′_{2/1} and Z′′_{2/1} CEs that are not involutions: if F_{2/1} ∈ {Z′_{2/1}} ∪ {Z′′_{2/1}}, then F_{2/1}^{-1} ∈ {Z′_{2/1}} ∪ {Z′′_{2/1}}.
If F_{2/1} ∈ {Z*_{2/1}} ∪ {Z**_{2/1}}, then F_{2/1}^{-1} ∉ {Z_{2/1}} ∪ {R_{2/1}} ∪ {S_{2/1}}, because one of the two outputs of such an F_{2/1}^{-1} block is a linear Boolean function.

The first two properties are important for the design, because they show that mutually inverse CEs of the S_{2/1} and R_{2/1} types belong to the same subclass. Because of this, when building easily invertible operational blocks it is possible, if necessary, to use the pairs S_{2/1} and S_{2/1}^{-1} (R_{2/1} and R_{2/1}^{-1}) without detriment to the nonlinearity of the operational block being designed.

3.5 SYNTHESIS OF CONTROLLED OPERATIONAL SUBSTITUTIONS BASED ON F_{2/1} ELEMENTS

Controlled substitutions based on F_{2/1} elements are among the most efficient cryptographic primitives, because they can easily be implemented in custom and programmable integrated circuits. Therefore, the issues of building controlled substitution-permutation networks based on such elements are of special importance. This section concentrates on the principles of building controlled operational substitutions and provides evaluations of their probabilistic characteristics. Also covered are the issues of the hardware implementation complexity of such elements.

3.5.1 Principles of Building Controlled Operational Substitutions

Taking into account the purposes of using controlled operational substitutions (COS) in cryptographic algorithms and their quality parameters, they must be built according to the following principles:

- The transformation Y = F_{n/m}(X, V), where X, Y ∈ GF(2)^n and V ∈ GF(2)^m, carried out by a controlled operational substitution is bijective with respect to X for any fixed value of V.
- The control mechanism of the F_{n/m} controlled operational substitution ensures the forming of a wide range of different modifications of the substitution operation.
- The transformation carried out by the F_{n/m} COS is characterized by high nonlinearity.
- The Boolean functions implementing the F_{n/m} COS have good correlation characteristics.
- The hardware, or combined hardware and software, implementation of an F_{n/m} COS is characterized by relatively low computational complexity and ensures high performance of the information transformation.

As shown earlier in this chapter, by replacing the elementary switch P_{2/1} in a CPB with the more general elementary transformation F_{2/1} while preserving the layered structure of the CPB, it is possible to synthesize efficient controlled operational substitution blocks (COSBs) over long vectors.
An elementary substitution block F_{2/1} is used as the base element of a COSB (Figure 3.19). It carries out a mapping of the form GF(2)^3 → GF(2)^2 on the basis of two Boolean functions of three arguments, y_i = f_i(x1, x2, v), i = 1, 2, where y_i ∈ GF(2), x1, x2 ∈ GF(2) are the values of the input bits, and v ∈ GF(2) is the value of the controlling bit. The set of controlling bits will further be interpreted as the controlling vector V.

FIGURE 3.19 An elementary controlled substitution element.

The use of such elements increases the number of possible variants of building blocks of controlled operations that depend on the value of the controlling vector, and includes blocks of controlled permutations as a particular case, because the pair of Boolean functions that carries out a controlled permutation of two bits is one variant of the elementary controlled substitution F2/1.
By combining the basic substitution blocks F2/1, it is possible to synthesize Fn/m blocks, where n is the number of input (output) bits and m is the number of controlling bits. Such blocks specify a mapping of the type GF(2)^(n+m) → GF(2)^n. The use of a layered building scheme, each layer of which is made up of n/2 F2/1 elements connected in parallel, appears the most promising. Between the layers are fixed permutations {P1, P2, …, Pk–1}, as shown in Figure 3.20. In this case, the Fn/m COSB can be represented as a superposition of k substitution layers and k–1 fixed permutations, namely:

$$F_{n/m} = \sigma_1 \circ P_1 \circ \sigma_2 \circ P_2 \circ \dots \circ P_{k-1} \circ \sigma_k,$$

where σj is the j-th layer of n/2 F2/1 blocks, and Pj is the j-th fixed permutation.
Substitution—Permutation Networks with Minimal Controlled Element 153

FIGURE 3.20 Layered structure of the COSB.

The basic element F2/1 has been used for the synthesis of COSBs carrying out the mappings GF(2)^112 → GF(2)^32, GF(2)^256 → GF(2)^64, and GF(2)^576 → GF(2)^128. The layered structure of a COSB with an n = 2^k-bit data output has a controlling vector m = kn/2 bits long, where k is the number of layers of base substitutions.

3.5.2 Probabilistic Characteristics of Controlled Operational Substitutions

When investigating the strength of encryption algorithms against the differential method of analysis, the probabilistic properties of the algorithms and of the cryptographic primitives implementing them are used. In particular, an important parameter characterizing an algorithm's resistance to differential cryptanalysis is the diffusion of the cryptographic primitive. Because of this, it is necessary to cover the probabilistic properties of controlled operational substitutions of the Sn/m type.
For COSs of different dimensions, it is necessary to determine the probabilities of the event that differences with different Hamming weights appear at the output, provided that the input difference has Hamming weight one.
The probability that the event Ω appears exactly m times in n independent trials is equal to the coefficient of the formal variable z^m in the expression of the generating function

$$\varphi_n(z) = \prod_{i=1}^{n} (q_i + p_i z),$$

where pi is the probability of the occurrence of the event Ω in the i-th trial, and qi = 1 – pi is the probability of the nonoccurrence of the event Ω in the i-th trial. The expression above is equivalent to the following equality:

$$\prod_{i=1}^{n} (q_i + p_i z) = \sum_{m=0}^{n} P_{m,n} z^m,$$

where the left and right parts represent the same generating function ϕn(z). The left part represents this function as a product of binomials, and the right part as a polynomial. If you expand the brackets in the left part and then collect the terms, you get all the probabilities P0,n, P1,n, …, Pn,n as the coefficients at the powers 0, 1, … of the formal variable z.
For the S2/1 block, obtaining the generating function of the probability of the occurrence of a difference with weight wt(Δy) = 2 or wt(Δy) = 1 at the output, provided that a difference with wt(Δx) = 1 is supplied to the input, is a trivial task. If these blocks correspond to blocks of the S type (see, for example, Table 3.4), then, with the account of the differential characteristics provided in Table 3.4, the generating function appears as follows:

$$\varphi_2^{S_{2/1}}(z) = \tfrac{1}{2} z + \tfrac{1}{2} z^2.$$

This means that the probabilities of the occurrence of differences with weights wt(Δy) = 1 and 2 are equal to P1,2 = P2,2 = 0.5. With the account of the cascading structure of a large COS, the generating probability functions ϕ_n^{Sn/m}(z) can be obtained by iteratively substituting the expression for the generating function of the previous layer of the COS into the expression for the generating function of the next layer. Thus, for n = 4,

$$\varphi_4^{S_{4/4}}(z) = \varphi_2^{S_{2/1}}\bigl(\varphi_2^{S_{2/1}}(z)\bigr),$$

and, having substituted the expression above into it and collected the terms, you get the generating function in the following form:

$$\varphi_4^{S_{4/4}}(z) = 0.25z + 0.375z^2 + 0.25z^3 + 0.125z^4$$

(compare Table 3.8).

Proceeding in a similar way, it is possible to obtain the following:

$$\begin{aligned}
\varphi_{64}^{S_{64/192}}(z) ={}& 0.016z + 0.031z^2 + 0.04z^3 + 0.049z^4 + 0.054z^5 + 0.059z^6 + 0.061z^7 + 0.062z^8 \\
&+ 0.062z^9 + 0.061z^{10} + 0.059z^{11} + 0.056z^{12} + 0.052z^{13} + 0.048z^{14} + 0.044z^{15} + 0.04z^{16} \\
&+ 0.035z^{17} + 0.031z^{18} + 0.027z^{19} + 0.023z^{20} + 0.019z^{21} + 0.016z^{22} + 0.013z^{23} + 0.011z^{24} \\
&+ 8.4\cdot10^{-3}z^{25} + 6.5\cdot10^{-3}z^{26} + 5.0\cdot10^{-3}z^{27} + 3.8\cdot10^{-3}z^{28} + 2.8\cdot10^{-3}z^{29} + 2.0\cdot10^{-3}z^{30} \\
&+ 1.4\cdot10^{-3}z^{31} + 9.8\cdot10^{-4}z^{32} + 6.6\cdot10^{-4}z^{33} + 4.4\cdot10^{-4}z^{34} + 2.8\cdot10^{-4}z^{35} + 1.8\cdot10^{-4}z^{36} \\
&+ 1.1\cdot10^{-4}z^{37} + 6.6\cdot10^{-5}z^{38} + 3.8\cdot10^{-5}z^{39} + 2.1\cdot10^{-5}z^{40} + 1.2\cdot10^{-5}z^{41} + 6.2\cdot10^{-6}z^{42} \\
&+ 3.1\cdot10^{-6}z^{43} + 1.5\cdot10^{-6}z^{44} + 7.2\cdot10^{-7}z^{45} + 3.3\cdot10^{-7}z^{46} + 1.4\cdot10^{-7}z^{47} + 5.9\cdot10^{-8}z^{48} \\
&+ 2.3\cdot10^{-8}z^{49} + 8.6\cdot10^{-9}z^{50} + 3\cdot10^{-9}z^{51} + 10^{-9}z^{52} + 3.1\cdot10^{-10}z^{53} + 8.8\cdot10^{-11}z^{54} \\
&+ 2.3\cdot10^{-11}z^{55} + 5.6\cdot10^{-12}z^{56} + 1.2\cdot10^{-12}z^{57} + 2.3\cdot10^{-13}z^{58} + 3.9\cdot10^{-14}z^{59} + 5.6\cdot10^{-15}z^{60} \\
&+ 6.5\cdot10^{-16}z^{61} + 5.7\cdot10^{-17}z^{62} + 3.5\cdot10^{-18}z^{63} + 1.1\cdot10^{-19}z^{64}.
\end{aligned}$$

Discrete probability distributions and discrete probability distribution functions are shown in Figures 3.21 and 3.22, respectively. These distributions were obtained using generating functions and simulation for the S64/192 COS in the case when all bits of the controlling vector are independent and equiprobable, and a difference Δx with weight wt(Δx) = 1 is supplied to the input of the controlled operational substitution block.

FIGURE 3.21 Discrete distributions of probabilities.

Tables 3.8 through 3.12 provide the distributions of the probabilities of occurrence of the weight differences wt at the output of Sn/m blocks of different dimensions when a difference with weight wt(Δx) = 1 is supplied to the input.

FIGURE 3.22 Discrete functions of probability distributions.

TABLE 3.8 Distribution of the probabilities of occurrence of the weight differences wt at the output of the S4/4 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p
1   0.25
2   0.375
3   0.25
4   0.125

TABLE 3.9 Distribution of the probabilities of occurrence of the weight differences wt at the output of the S8/12 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p
1   0.125   5   0.125
2   0.219   6   0.078
3   0.219   7   0.038
4   0.195   8   0.008

TABLE 3.10 Distribution of the probabilities of occurrence of the weight differences wt at the output of the S16/32 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p       wt  p          wt  p
1   0.063   5   0.13    9   0.049      13  3.4·10^-3
2   0.12    6   0.12    10  0.032      14  1.1·10^-3
3   0.14    7   0.095   11  0.018      15  2.4·10^-4
4   0.15    8   0.071   12  8.5·10^-3  16  3.1·10^-5

TABLE 3.11 Distribution of the probabilities of occurrence of the weight differences wt at the output of the S32/80 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p       wt  p          wt  p
1   0.031   9   0.077   17  0.011      25  5.8·10^-5
2   0.061   10  0.067   18  6.8·10^-3  26  2.0·10^-5
3   0.076   11  0.057   19  4.2·10^-3  27  6.4·10^-6
4   0.090   12  0.041   20  2.5·10^-5  28  1.7·10^-6
5   0.093   13  0.037   21  1.4·10^-3  29  3.7·10^-6
6   0.096   14  0.029   22  7.0·10^-4  30  6.3·10^-8
7   0.091   15  0.021   23  3.3·10^-4  31  7.5·10^-9
8   0.085   16  0.015   24  1.5·10^-4  32  4.7·10^-10

TABLE 3.12 Distribution of the probabilities of occurrence of the weight differences wt at the output of the S64/192 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p          wt  p          wt  p
1   0.016   17  0.035      33  6.6·10^-4  49  2.3·10^-8
2   0.031   18  0.031      34  4.4·10^-4  50  8.6·10^-9
3   0.040   19  0.027      35  2.8·10^-4  51  3.0·10^-9
4   0.049   20  0.023      36  1.8·10^-4  52  10^-9
5   0.054   21  0.019      37  1.1·10^-4  53  3.1·10^-10
6   0.059   22  0.016      38  6.6·10^-5  54  8.8·10^-11
7   0.061   23  0.013      39  3.8·10^-5  55  2.3·10^-11
8   0.062   24  0.011      40  2.1·10^-5  56  5.6·10^-12
9   0.062   25  8.4·10^-3  41  1.2·10^-5  57  1.2·10^-12
10  0.061   26  6.5·10^-3  42  6.2·10^-6  58  2.3·10^-13
11  0.059   27  5.0·10^-3  43  3.1·10^-6  59  3.9·10^-14
12  0.056   28  3.8·10^-3  44  1.5·10^-6  60  5.6·10^-15
13  0.052   29  2.8·10^-3  45  7.2·10^-7  61  6.5·10^-16
14  0.048   30  2.0·10^-3  46  3.3·10^-7  62  5.7·10^-17
15  0.044   31  1.4·10^-3  47  1.4·10^-7  63  3.5·10^-18
16  0.040   32  9.8·10^-4  48  5.9·10^-8  64  1.1·10^-19

Such characteristics can also be obtained for controlled operational substitutions of the R type. To achieve this, it is necessary to find the expression for the generating probability function:

$$\varphi_2^{R_{2/1}}(z) = \tfrac{3}{4} z + \tfrac{1}{4} z^2;$$

that is, the probability of the occurrence of a difference with weight wt(Δy) = 1 is P1,2 = 0.75, and with weight wt(Δy) = 2 it is P2,2 = 0.25. Using the iterative procedure on the basis of the expression above, it is possible to obtain the distributions of the probabilities of occurrence of differences with different weights at the output of R blocks of different dimensions, provided that a difference with weight wt(Δx) = 1 is supplied to the block input (Tables 3.13 through 3.17).
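To make the layered construction of 3.5.1 and the iterative generating-function procedure of 3.5.2 concrete, here is an added example (this example's own code, not code from the book or its authors). It builds Fn/m for n = 2^k from any 2/1 element by stacking k layers of n/2 elements with a fixed perfect shuffle between them (so m = kn/2), checks the first design principle (bijectivity for every V) exhaustively, tallies the output-difference weight for every single-bit input difference over all control vectors, and computes ϕn(z) by repeatedly substituting the element's generating function into itself. The P2/1 switch is the one on the page; the `s_like` element, the shuffle as the inter-layer permutation, and all function names are this example's assumptions: `s_like` only reproduces the S-type difference probabilities (1/2, 1/2) of a 2/1 element and is not the book's S2/1. For R-type elements the block evaluates the generating function only (p1 = 3/4), since the page defines no R2/1 element to simulate.

```python
"""Layered controlled SP-network (COSB) over a 2/1 element and the generating-function
model of its output-difference weights.  Added example; the elements below are
stand-ins defined here, not the book's own R2/1 / S2/1 elements."""
from collections import Counter
from fractions import Fraction
from itertools import product


def p21(x1, x2, v):
    """Elementary switch P2/1 (on the page): the two bits are swapped when v = 1."""
    return (x2, x1) if v else (x1, x2)


def s_like(x1, x2, v):
    """Hypothetical element with S-type difference behaviour: flipping either input
    changes one output for one value of v and both outputs for the other value."""
    return (x1 ^ x2 ^ (v & x2), x2 ^ (v & x1))


def shuffle(bits):
    """Fixed permutation P_j between layers (perfect shuffle): position b moves to
    (b % 2) * n/2 + b // 2, so the two outputs of one element feed different elements
    of the next layer and single-bit differences never meet inside one element."""
    n = len(bits)
    out = [0] * n
    for b, val in enumerate(bits):
        out[(b % 2) * (n // 2) + b // 2] = val
    return out


def cosb(element, k):
    """F_{n/m} for n = 2^k: F = s_1 o P_1 o s_2 o ... o P_{k-1} o s_k; each layer s_j holds
    n/2 parallel elements and consumes its own n/2 control bits, so m = k*n/2.
    Returns (f, n, m) with f(x_bits, v_bits) -> y_bits."""
    n = 1 << k
    m = k * n // 2

    def f(x, v):
        bits = list(x)
        for j in range(k):
            ctl = v[j * (n // 2):(j + 1) * (n // 2)]
            nxt = []
            for e in range(n // 2):
                nxt.extend(element(bits[2 * e], bits[2 * e + 1], ctl[e]))
            bits = shuffle(nxt) if j < k - 1 else nxt
        return bits

    return f, n, m


def is_bijective_for_all_v(element, k):
    """First design principle, checked exhaustively: x -> F(x, V) is a bijection for every V."""
    f, n, m = cosb(element, k)
    return all(len({tuple(f(x, v)) for x in product((0, 1), repeat=n)}) == 1 << n
               for v in product((0, 1), repeat=m))


def simulated_weights(element, k):
    """Distribution of wt(dy) over all V and all single-bit input differences.  The base
    input is all-zero: both elements above are affine in x for fixed v, so the output
    difference does not depend on x."""
    f, n, m = cosb(element, k)
    zero = [0] * n
    counts = Counter()
    for v in product((0, 1), repeat=m):
        y0 = f(zero, v)
        for i in range(n):
            x = zero[:]
            x[i] = 1
            counts[sum(a ^ b for a, b in zip(f(x, v), y0))] += 1
    total = sum(counts.values())
    return {w: Fraction(c, total) for w, c in sorted(counts.items())}


def poly_mul(a, b):
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def compose(outer, inner):
    """outer(inner(z)) for coefficient lists (lowest degree first), Horner style."""
    result = [Fraction(0)]
    for c in reversed(outer):
        result = poly_mul(result, inner)
        result[0] += c
    return result


def gf_weights(p1, k):
    """phi_n(z) for n = 2^k by iterated substitution of g(z) = p1*z + (1 - p1)*z^2, the
    generating function of one 2/1 element (p1 = 1/2 for S-type, 3/4 for R-type)."""
    g = [Fraction(0), Fraction(p1), 1 - Fraction(p1)]
    phi = g
    for _ in range(k - 1):
        phi = compose(phi, g)
    return {d: c for d, c in enumerate(phi) if c}


if __name__ == "__main__":
    for name, elem in (("P2/1", p21), ("S-like", s_like)):
        print(name, "bijective for every V (n = 4):", is_bijective_for_all_v(elem, 2))
    print("S4/4 simulated:", simulated_weights(s_like, 2))
    print("S4/4 from phi_4:", gf_weights(Fraction(1, 2), 2))
    print("R4/4 from phi_4:", gf_weights(Fraction(3, 4), 2))
    print("S64/192 P(wt = 1):", float(gf_weights(Fraction(1, 2), 6)[1]))
```

With the shuffle as Pj, a single-bit difference never places two active bits in the same element before the last layer, which is exactly the independence the layer-by-layer substitution assumes; for the S-like element the simulated S4/4 and S8/12 distributions therefore coincide with ϕ4 and ϕ8 exactly (0.25, 0.375, 0.25, 0.125 for n = 4, as in Table 3.8). The leading coefficients for n = 64 are (1/2)^6 ≈ 0.016 and (3/4)^6 ≈ 0.18, matching Tables 3.12 and 3.17; for R-type elements the text's composition is a model, and the block makes no claim that a particular R2/1 circuit reproduces it exactly.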

TABLE 3.13 Distribution of the probabilities of occurrence of the weight differences wt at the output of the R4/4 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p
1   0.56
2   0.33
3   0.094
4   0.016

TABLE 3.14 Distribution of the probabilities of occurrence of the weight differences wt at the output of the R8/12 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p
1   0.42    5   0.02
2   0.33    6   4.8·10^-3
3   0.16    7   7.3·10^-4
4   0.065   8   6.1·10^-5

TABLE 3.15 Distribution of the probabilities of occurrence of the weight differences wt at the output of the R16/32 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p          wt  p          wt  p
1   0.32    5   0.055      9   1.2·10^-3  13  2.3·10^-6
2   0.29    6   0.025      10  3.2·10^-4  14  2.8·10^-7
3   0.19    7   0.01       11  7.6·10^-5  15  2.2·10^-8
4   0.11    8   3.6·10^-3  12  1.5·10^-5  16  9.3·10^-10

TABLE 3.16 Distribution of the probabilities of occurrence of the weight differences wt at the output of the R32/80 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p       wt  p          wt  p          wt  p
1   0.24    9   8.3·10^-3  17  5.2·10^-6  25  3.2·10^-11
2   0.24    10  4.0·10^-3  18  1.6·10^-6  26  4.5·10^-12
3   0.19    11  1.9·10^-3  19  4.4·10^-7  27  5.3·10^-13
4   0.13    12  8.1·10^-4  20  1.1·10^-7  28  5.3·10^-14
5   0.086   13  3.3·10^-4  21  2.1·10^-8  29  4.2·10^-15
6   0.052   14  1.3·10^-4  22  5.8·10^-9  30  2.6·10^-16
7   0.03    15  4.8·10^-5  23  1.2·10^-9  31  1.0·10^-17
8   0.016   16  1.6·10^-5  24  2.0·10^-10 32  2.2·10^-19

For comparison, Figure 3.23 provides the distributions of the probabilities of occurrence of differences with different weights at the output of COS of the S and R types, provided that a difference with weight wt(Δx) = 1 has been supplied to the input. Analysis of the obtained histograms allows us to conclude that S-type COSs are preferable when designing block cryptographic algorithms, because they have better differential properties.

FIGURE 3.23 Distributions of the probabilities of the occurrence of the differences with different weights at the output of S- and R-type COS provided that the difference with weight wt(Δx) = 1 has been supplied to the input.

TABLE 3.17 Distribution of the probabilities of occurrence of the weight differences wt at the output of the R64/192 block provided that the difference with the weight wt(Δx)=1 is supplied to the input.

wt  p          wt  p          wt  p           wt  p
1   0.18       17  2.6·10^-4  33  1.5·10^-10  49  8.4·10^-21
2   0.2        18  1.3·10^-4  34  4.6·10^-11  50  1.2·10^-21
3   0.17       19  6.4·10^-5  35  1.4·10^-11  51  1.7·10^-22
4   0.14       20  3.1·10^-5  36  4.0·10^-12  52  2.2·10^-23
5   0.1        21  1.4·10^-5  37  1.1·10^-12  53  2.6·10^-24
6   0.074      22  6.5·10^-6  38  3.0·10^-13  54  2.9·10^-25
7   0.052      23  2.8·10^-6  39  7.8·10^-14  55  2.9·10^-26
8   0.034      24  1.2·10^-6  40  2.0·10^-14  56  2.6·10^-27
9   0.022      25  5.0·10^-7  41  4.6·10^-15  57  2.1·10^-28
10  0.014      26  2.0·10^-7  42  1.1·10^-15  58  1.4·10^-29
11  8.6·10^-3  27  8.0·10^-8  43  2.3·10^-16  59  8.7·10^-31
12  5.1·10^-3  28  3.0·10^-8  44  4.8·10^-17  60  4.4·10^-32
13  3.0·10^-3  29  1.1·10^-8  45  9.5·10^-18  61  1.8·10^-33
14  1.7·10^-3  30  4.0·10^-9  46  1.8·10^-18  62  5.5·10^-35
15  9.2·10^-4  31  1.4·10^-9  47  3.2·10^-19  63  1.1·10^-36
16  4.9·10^-4  32  4.6·10^-10 48  5.3·10^-20  64  1.2·10^-38

3.5.3 Evaluation of the Complexity of Circuit Design when Implementing Controlled Operational Substitutions

In contrast to table substitutions with an output data block length n (log2 n ≥ 5), various types of controlled permutations and controlled operational substitutions can easily be implemented in the form of simple electronic circuits with a delay time comparable to the time required for the sequential execution of several XOR operations. Synthesized blocks of controlled operational substitutions are characterized by a low complexity of circuit implementation CΩ(Fn/m), which is interpreted as the number of gates implementing the Fn/m circuit. Here Ω = {&, ∨, ¬} is the complete basis of elementary logical operations in use. The one-bit Boolean functions of the elementary F2/1 block have complexity CΩ(F2/1) = 9 in this basis. When evaluating the speed parameters of a block of controlled operational substitutions, consider the time required to execute the slowest operation, called the delay clock τΩ. In the complete basis above τΩ = τ&; for existing blocks of controlled operational permutations, the time required to carry out the transformation is t(Fn/m) = kτ&, and the implementation complexity is CΩ(Fn/m) = mCΩ(F2/1) = 6m. Based on contemporary electronics technologies, this allows cryptochips to be produced that implement block cryptoalgorithms, including blocks of controlled operational substitutions with a large input size (n = 32, 64, 128, 256). Thanks to this, it is possible to reach an encryption speed considerably exceeding 1 Gbps.
Despite the initial orientation toward hardware implementation, the efficient use of controlled operations can result in considerable advances in the operating performance of software-oriented ciphers. This is because some types of controlled operations, such as controlled permutations, are highly efficient as cryptographic primitives and are at the same time characterized by an exceedingly low cost of circuit implementation. Such a relationship between cost and efficiency makes the idea of including new instructions in the standard instruction set of the processor exceedingly attractive for the manufacturers of commercial processors. The possibility of ensuring a software encryption speed of up to 800–2000 Mbps considerably increases the competitive capability of such processors while minimizing implementation costs. The implementation of a controlled bit permutation instruction, the practical applications of which considerably exceed the range of purely cryptographic applications (data encryption and hashing algorithms), appears to be the most promising. Variants of implementation of such an instruction will be considered in Chapter 4, "Switched Controlled Operations."

3.6 VARIANTS OF REPRESENTATION AND CRITERIA FOR SELECTION OF F2/2 CONTROLLED ELEMENTS

In the previous sections of this chapter, controlled SP-networks (controlled operational substitutions) based on the F2/1 controlled element were considered. However, building efficient CSPNs based on other blocks, such as elementary F2/2 controlled elements, is also of great interest. The schematic representation of an elementary F2/2 block is shown in Figure 3.24. Such blocks can also be easily implemented as fast electronic circuits. In this case, while preserving the general topology of controlled SP-networks, it is possible to replace all elementary F2/1 CEs by another standard CE with a 2-bit input and output and a 2-bit controlling input.

FIGURE 3.24 Controlled element F2/2 (a) and its implementation using two Boolean functions (b).

The practical expediency of migrating to CEs with a 2-bit controlling input is related to their hardware implementation on the basis of programmable logic matrices, where the standard logic blocks usually have two logic cells representing 16-bit memory cells. Each such memory cell allows an arbitrary Boolean function of four variables to be implemented. When implementing any CE of the F2/1 type, two cells are used, each of which implements a specific Boolean function of three variables. This means that only half of the resource of the memory cell is used (in other words, only 50 percent of the cell size), because 8 bits of memory are enough to implement a Boolean function of three variables. Apparently, it is impossible to use the remaining part of the memory efficiently.
Migration to CEs of the F2/2 type ensures the complete use of the cell's potential. In addition, using the extended controlling input creates the prerequisites for specifying a stronger influence of the controlling data subgroup on the data being transformed. In particular, this allows the nonlinearity of each CE output to be increased, along with its algebraic degree of nonlinearity, and intensifies the avalanche effect when single bits of the controlling data subgroup are modified. It is reasonable to assume that an appropriate choice of the F2/2-type CE will allow a considerable improvement in the cryptographic characteristics of the operational block being synthesized. This will make it possible to reduce the number of transformation rounds while preserving the high cryptographic strength of algorithms based on controlled operations. This, in turn, makes it possible to reduce the complexity of the hardware implementation (in the case of pipelined architectures) and to increase the encryption speed (in the case of an iterative implementation architecture).

For synthesizing efficient multilayered controlled SP-networks, it is necessary to formulate several criteria for choosing specific variants of F2/2 controlled elements. In general, an F2/2 controlled element can be represented as:

Two Boolean functions of four variables.
Four 2×2 substitutions, each of which is carried out over the 2-bit input binary vector (x1, x2) for v = (0, 0), (0, 1), (1, 0), and (1, 1), respectively.

Boolean functions of four variables have different values of nonlinearity in the sense of the minimal distance to the set of affine Boolean functions of four variables, different values of the algebraic degree of nonlinearity, and a greater variety of differential characteristics in comparison with Boolean functions of three variables. These circumstances must be taken into account when formulating criteria for choosing CEs of the F2/2 type and their classification.

Criteria for Building F2/2 Blocks

Based on the considerations in the preceding section and the results obtained in previous sections of this chapter, the basic criteria for designing and choosing F2/2 blocks are as follows:

1. Each of the two outputs of an F2/2 block must represent a nonlinear Boolean function of four variables, y1 = f1(x1, x2, v1, v2) and y2 = f2(x1, x2, v1, v2), each of which must have a degree of nonlinearity close to the maximum.
2. Each of the four elementary modifications of the F2/2 block, namely F(0), F(1), F(2), F(3), must carry out a bijective transformation (x1, x2) → (y1, y2).
3. Each of the four modifications F(v) of the controlled element must represent an involution.

Two variants of searching for efficient F2/2 controlled elements satisfying the preceding criteria can be used:

Exhaustive search of all possible pairs of Boolean functions y1 = f1(x1, x2, v1, v2) and y2 = f2(x1, x2, v1, v2).
Exhaustive search of all possible sets of modifications F(0), F(1), F(2), F(3) carrying out the 2×2 transformation.

For the first variant, the number of computations required for choosing elementary controlled elements of the F2/2 type satisfying the formulated criteria is rather large. Obviously, there exist 2^16 different Boolean functions of four variables. Consequently, in the general case it is necessary to try 2^16·(2^16 – 1) ≈ 4.3·10^9 sets of different Boolean functions. To limit the number of variants to try, it is possible to use the requirement that the Boolean functions be balanced, which is a consequence of the second criterion of choice. The number of balanced Boolean functions of n variables is

$$\#\{f(x_1, \dots, x_n)\}_{Bal} = \binom{2^n}{2^{n-1}},$$

so for n = 4 #{f(x1, …, x4)}Bal = 12,870; if only the balanced functions of the highest nonlinearity are counted (see Table 3.18), the number of Boolean functions is 10,920. Consequently, in this case it is necessary to try ≈ 1.2·10^8 sets of Boolean functions, which also requires considerable computational overhead.

TABLE 3.18 The Set of Boolean Functions f(x1, x2, x3, x4) : GF(2)^4 → GF(2)

Nonlinearity of a Boolean function NL(f)   6     5       4       3       2      1    0
Number of Boolean functions                896   14,336  28,000  17,920  3,840  512  32
Number of balanced Boolean functions       0     0       10,920  0       1,920  0    30

It is possible to reduce the amount of computations slightly if the requirement that the linear combination of the Boolean functions implementing an F2/2 block be balanced is taken into account (this requirement also follows from the second criterion). Obviously, the distribution of the Hamming weights of a linear combination of Boolean functions is determined by the following expression:

$$\#\{F_{2/m} : wt(f_1 \oplus f_2) = l\} = \#\{F_{2/m} : wt(f_1 \oplus f_2) = 2^h - l\} = \#\{f\}_{Bal}\binom{2^{h-1}}{l/2}^{2} = \binom{2^h}{2^{h-1}}\binom{2^{h-1}}{l/2}^{2},$$

where h = 2 + m; m = 1, 2; l ∈ {0, 2, …, 2^h – 2, 2^h}. Hence, for the case h = 3 the following result is obtained: #{F2/1 : wt(f1 ⊕ f2) = 4} = 2,520 balanced linear combinations of the Boolean functions at the output of the F2/1 element, and for the case h = 4 the result is #{F2/2 : wt(f1 ⊕ f2) = 8} = 63,063,000 balanced linear combinations, which determines the number of variants to try.
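As an added example (this example's own code, not the book's), the counting argument of this subsection in executable form: the number of balanced functions C(2^n, 2^(n–1)), the number of ordered function pairs to try, and the closed form for the number of balanced pairs whose XOR has weight l, checked against a brute-force enumeration of all 70 × 70 balanced pairs for h = 3; the h = 4, l = 8 value reproduces 63,063,000. Function names are this example's own.

```python
"""Size of the search space for F2/m controlled elements chosen as pairs of balanced
Boolean functions: the closed-form counts of the text, checked by brute force for h = 3.
Added example; function names are this example's own."""
from itertools import combinations
from math import comb


def balanced_count(n):
    """#{f : GF(2)^n -> GF(2), f balanced} = C(2^n, 2^(n-1))."""
    return comb(1 << n, 1 << (n - 1))


def pairs_to_try(n):
    """Ordered pairs of distinct Boolean functions of n variables: 2^(2^n) * (2^(2^n) - 1)."""
    total = 1 << (1 << n)
    return total * (total - 1)


def balanced_pairs_with_xor_weight(h, l):
    """#{(f1, f2) balanced on h variables : wt(f1 xor f2) = l}
    = C(2^h, 2^(h-1)) * C(2^(h-1), l/2)^2: f2 must disagree with f1 on l/2 of f1's ones
    and on l/2 of its zeros (so that f2 stays balanced), hence the square."""
    if l % 2:
        return 0
    return comb(1 << h, 1 << (h - 1)) * comb(1 << (h - 1), l // 2) ** 2


def brute_force_xor_weights(h):
    """Tally wt(f1 xor f2) over all pairs of balanced functions of h variables (small h).
    A function is a 2^h-bit truth table; balanced means exactly 2^(h-1) ones."""
    size = 1 << h
    balanced = [sum(1 << i for i in ones) for ones in combinations(range(size), size // 2)]
    tally = {}
    for f1 in balanced:
        for f2 in balanced:
            w = bin(f1 ^ f2).count("1")
            tally[w] = tally.get(w, 0) + 1
    return dict(sorted(tally.items()))


if __name__ == "__main__":
    print("balanced functions of 4 variables:", balanced_count(4))
    print("ordered pairs of 4-variable functions:", pairs_to_try(4))
    print("h = 3, brute force:", brute_force_xor_weights(3))
    print("h = 3, closed form:", {l: balanced_pairs_with_xor_weight(3, l) for l in range(0, 9, 2)})
    print("h = 4, l = 8:", balanced_pairs_with_xor_weight(4, 8))
```

The brute-force tally for h = 3 gives 70, 1,120, 2,520, 1,120, 70 for l = 0, 2, 4, 6, 8, which is symmetric in l and 2^h – l as the formula states; the l = 4 entry is the 2,520 quoted in the text.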

Visual Design of F2/2 Blocks

When using the second approach to building efficient F2/2 controlled elements, the choice of pairs of Boolean functions can be reduced to the formal choice of controlled elements with predefined properties. In this case, F2/2 blocks are formed by four different modifications, depending on the controlling vector v = (v1, v2), v1, v2 ∈ GF(2), each carrying out the mapping (x1, x2) → (y1, y2):

F(0), if v = (0, 0)
F(1), if v = (0, 1)
F(2), if v = (1, 0)
F(3), if v = (1, 1)

For the transformation as a whole to be bijective, the transformations carried out by the modifications F(0), …, F(3) must be bijective. There are 24 variants of bijective modifications (see Figure 3.14). Visual design is reduced to the choice of quartets of modifications from the set of bijective variants. It is necessary to note that every elementary modification carries out a linear transformation. The nonlinear properties of F2/2 blocks depend on the specific features of the choice of elementary modifications depending on the value v = (v1, v2). Among the entire variety of 24^4 = 331,776 variants of quartets of 2×2 substitution transformations carrying out bijective mappings, only 126,720 define nonlinear F2/2 blocks satisfying criteria 1-2. With the account of the third criterion of choice, 104 variants of building F2/2 blocks satisfying criteria 1-3 are obtained. At the same time, the most important point is that such a considerable reduction of the number of variants worth trying is ensured at the initial stage. When using the first approach, the third criterion works less efficiently.
Given the modifications F(0), …, F(3), it is easy to obtain the algebraic normal form of the Boolean functions f1 and f2 implementing the F2/2 block. Let {f1^(1)(x1, x2), f2^(1)(x1, x2)} be the Boolean functions implementing the modification F(0) for v = (0, 0), and {f1^(2)(x1, x2), f2^(2)(x1, x2)}, {f1^(3)(x1, x2), f2^(3)(x1, x2)}, {f1^(4)(x1, x2), f2^(4)(x1, x2)} the Boolean functions implementing the modifications F(1), F(2), and F(3) for v = (0, 1), v = (1, 0), v = (1, 1), respectively. Then the Boolean functions implementing the required F2/2 block can be obtained as follows:

y1 = (v1 ⊕ 1)(v2 ⊕ 1) f1^(1)(x1, x2) ⊕ (v1 ⊕ 1)v2 f1^(2)(x1, x2) ⊕ v1(v2 ⊕ 1) f1^(3)(x1, x2) ⊕ v1v2 f1^(4)(x1, x2),

y2 = (v1 ⊕ 1)(v2 ⊕ 1) f2^(1)(x1, x2) ⊕ (v1 ⊕ 1)v2 f2^(2)(x1, x2) ⊕ v1(v2 ⊕ 1) f2^(3)(x1, x2) ⊕ v1v2 f2^(4)(x1, x2).



For example, for the elementary F2/2 block presented in Figure 3.25, the obtained result appears as follows:

f1^(1)(x1, x2) = x2;            f2^(1)(x1, x2) = x1;
f1^(2)(x1, x2) = x1 ⊕ x2 ⊕ 1;   f2^(2)(x1, x2) = x2;
f1^(3)(x1, x2) = x1;            f2^(3)(x1, x2) = x1 ⊕ x2 ⊕ 1;
f1^(4)(x1, x2) = x1 ⊕ x2;       f2^(4)(x1, x2) = x2.

Consequently,

y1 = v1v2x1 ⊕ v1v2x2 ⊕ v1x1 ⊕ v1x2 ⊕ v1v2 ⊕ v2x1 ⊕ v2 ⊕ x2;
y2 = v1v2x2 ⊕ v1x2 ⊕ v2x1 ⊕ v2x2 ⊕ v1v2 ⊕ v1 ⊕ x1;
y1 ⊕ y2 = v1v2x1 ⊕ v1x1 ⊕ v2x2 ⊕ v2 ⊕ v1 ⊕ x2 ⊕ x1.
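The derivation above can be mechanized. The following added example (this example's own code, not from the book) represents an F2/2 element by its four modifications F(0), …, F(3), derives the ANF of y1, y2 and y1 ⊕ y2 by the Möbius transform, and checks the three selection criteria: algebraic degree and nonlinearity of each output (criterion 1; nonlinearity is measured as the distance to the nearest affine function via the Walsh spectrum), bijectivity of each modification (criterion 2), and the involution property (criterion 3). It runs on the element of Figure 3.25, whose modifications are the four equalities above; the truth-table variable order, the helper names, and the choice of the Walsh spectrum for nonlinearity are this example's own.

```python
"""F2/2 controlled element from four 2x2 modifications: ANF of its outputs and the
selection criteria, checked on the Figure 3.25 element.  Added example; helper names
and the variable ordering are this example's own."""
from itertools import permutations, product

DOMAIN = [(0, 0), (0, 1), (1, 0), (1, 1)]       # values of (x1, x2)
# truth-table index = 8*x1 + 4*x2 + 2*v1 + v2; monomials are printed as on the page (v1 v2 x1 x2)
VAR_OF_BIT = {3: "x1", 2: "x2", 1: "v1", 0: "v2"}
PRINT_ORDER = (1, 0, 3, 2)


def modification(g1, g2):
    """2x2 map (x1, x2) -> (g1(x1, x2), g2(x1, x2)) stored as a dict."""
    return {(a, b): (g1(a, b), g2(a, b)) for a, b in DOMAIN}


def is_bijective(mod):                           # criterion 2
    return len(set(mod.values())) == 4


def is_involution(mod):                          # criterion 3
    return all(mod[mod[p]] == p for p in DOMAIN)


def output_truth_tables(mods):
    """16-bit truth tables of y1 and y2 for F(v) = mods[2*v1 + v2], v = (v1, v2)."""
    t1 = t2 = 0
    for x1, x2, v1, v2 in product((0, 1), repeat=4):
        y1, y2 = mods[2 * v1 + v2][(x1, x2)]
        idx = 8 * x1 + 4 * x2 + 2 * v1 + v2
        t1 |= y1 << idx
        t2 |= y2 << idx
    return t1, t2


def anf(tt):
    """Algebraic normal form via the Möbius transform; returns the set of monomials."""
    for mask, shift in ((0x5555, 1), (0x3333, 2), (0x0F0F, 4), (0x00FF, 8)):
        tt ^= (tt & mask) << shift               # coeff[i] ^= coeff[i without that bit]
    return {"".join(VAR_OF_BIT[b] for b in PRINT_ORDER if idx >> b & 1) or "1"
            for idx in range(16) if tt >> idx & 1}


def degree(tt):                                  # each variable name is two characters
    return max((len(m) // 2 for m in anf(tt) if m != "1"), default=0)


def nonlinearity(tt):
    """Distance to the nearest affine function: 8 - max|W(a)|/2 over the Walsh spectrum."""
    best = 0
    for a in range(16):
        w = sum((-1) ** ((tt >> x & 1) ^ (bin(a & x).count("1") & 1)) for x in range(16))
        best = max(best, abs(w))
    return 8 - best // 2


def balanced(tt):
    return bin(tt).count("1") == 8


def check_criteria(mods):
    t1, t2 = output_truth_tables(mods)
    return {
        "bijective": all(is_bijective(m) for m in mods),
        "involution": all(is_involution(m) for m in mods),
        "degree": (degree(t1), degree(t2)),
        "nonlinearity": (nonlinearity(t1), nonlinearity(t2), nonlinearity(t1 ^ t2)),
        "balanced": (balanced(t1), balanced(t2), balanced(t1 ^ t2)),
    }


def bijective_modifications():
    """The 24 bijective 2x2 maps from which the visual-design search draws its quartets."""
    return [dict(zip(DOMAIN, perm)) for perm in permutations(DOMAIN)]


# The element of Figure 3.25, given on the page by its four modifications
FIG_3_25 = (
    modification(lambda x1, x2: x2, lambda x1, x2: x1),               # F(0), v = (0, 0)
    modification(lambda x1, x2: x1 ^ x2 ^ 1, lambda x1, x2: x2),      # F(1), v = (0, 1)
    modification(lambda x1, x2: x1, lambda x1, x2: x1 ^ x2 ^ 1),      # F(2), v = (1, 0)
    modification(lambda x1, x2: x1 ^ x2, lambda x1, x2: x2),          # F(3), v = (1, 1)
)

if __name__ == "__main__":
    t1, t2 = output_truth_tables(FIG_3_25)
    for name, tt in (("y1", t1), ("y2", t2), ("y1 + y2", t1 ^ t2)):
        print(name, "=", " + ".join(sorted(anf(tt), key=len, reverse=True)))
    print(check_criteria(FIG_3_25))
    print("involutions among the 24 bijective modifications:",
          sum(is_involution(m) for m in bijective_modifications()))
```

For the Figure 3.25 element the derived monomial sets are exactly those listed above, both outputs have algebraic degree 3 and nonlinearity 4 (the largest value a balanced 4-variable function attains, see Table 3.18), all four modifications are bijective involutions, and the three linear combinations y1, y2, y1 ⊕ y2 are balanced. Only 10 of the 24 bijective 2×2 maps are involutions, which is why criterion 3 prunes the quartet search so strongly.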

FIGURE 3.25 A variant of the F2/2 block implementation.
4 Switched Controlled Operations

4.1 BUILDING CONTROLLED SUBSTITUTION-PERMUTATION NETWORKS OF DIFFERENT ORDERS

The properties of controlled operations built on controlled substitution-permutation networks (CSPNs) can be characterized both with and without association to their use as cryptographic primitives. In the first case, which is of the greatest interest for the goals of this book, they depend on the following issues:

Properties of the controlled elements used for building the network
Network homogeneity
Network topology describing the relations between controlled elements and with the controlling input
Dimensions of the information and controlling inputs of the operational block
The size of the controlling data subgroup

It is expedient to carry out the synthesis of operational blocks intended for use in encryption algorithms with these issues in mind. When implementing them, the predefined influence of each input bit on each output bit can be used as the initial criterion. In the case of controlled permutations, this can be implemented for controlled operational substitutions of the first order. As shown in the previous chapter, replacing each elementary switch in a first-order Pn/m block by any controlled element (CE) from the set {R2/1, S2/1, Z2/1} makes it possible to build controlled SP-networks Rn/m, Sn/m, and Zn/m satisfying the initial criterion. This example demonstrates that the topological structures of controlled substitution blocks of different types can be taken as prototypes when building controlled substitution-permutation networks Fn/m of different types.
When building a controlled permutations block for cryptographic applications, the order of the controlled permutation is of special interest. Therefore, it is expedient to extend this concept further to controlled substitution-permutation networks of the Fn/m type built on F2/1 and F2/2 controlled elements with 2-bit inputs. In the case of bit permutation, the concept of order is defined with the account of the variants of placing the specified number of input bits into the specified number of output bits of the controlled permutations block. When networks are built from controlled elements other than elementary switches, such a direct physical interpretation of the order concept is blurred by the presence of modulo-2 bit-by-bit addition and inversion within the CE. Because of this, for Fn/m blocks the concept of order must be given in a more general form, using the concept of influence propagation instead of physical bit permutation. The propagation of the influence of one input bit for a certain fixed value of the controlling vector V, in turn, can be interpreted as the passing of a single-bit difference through the controlled substitution-permutation network, in the course of which the difference may spread. In the latter case it is possible to state that, for the specified value V, the input bit (or simply input) under consideration influences specific output bits (or simply outputs). This influence can be shown as the propagation of the single-bit differences Δ1 and δ1. A typical scheme of the propagation of the influence of one (left and right) input in the R2/1 and S2/1 elementary blocks is shown in Figure 4.1. In these schemes, the typical features are clearly visible: in R2/1 controlled elements, the influence of the right (propagation of the difference Δ1) and left (propagation of the difference δ1) inputs is asymmetric, whereas in elementary S2/1 blocks this propagation is symmetric.
Switched Controlled Operations 171

FIGURE 4.1 Typical scheme of the propagation of the input bits influence in R2/1
(a) and S2/1 (b) controlled elements.

From the scheme illustrating the propagation of the influence on the two outputs in the elementary blocks R2/1 and S2/1 (Figure 4.1), it is clear that in R2/1 blocks the influence of each input can propagate in cross directions depending on the value of the control bit. In S2/1 elements, the left (right) input influences only the left (right) output. This shows that R2/1 elements have more in common with P2/1 than with S2/1. In the case of R2/1, similarly to P2/1, the influence of the left and right inputs can propagate in cross directions depending on the value of the control bit, which allows the conclusion that introducing the concept of order for R2/1 elementary blocks is expedient.
The order of Rn/m controlled substitution-permutation networks has the following meaning. Assume that an arbitrary mapping of k inputs xα1, xα2, …, xαk onto k outputs yα1, yα2, …, yαk is specified as follows:

xα1 ↔ yβ1, …, xαi ↔ yβi, …, xαk ↔ yβk

(here the "↔" sign stands for the switching (mapping) of a pair of inputs and outputs). Assume that there exists a value of the control vector such that, for each i = 1, 2, …, k, inversion of xαi results in inversion of yβi provided that all inputs except xαi are fixed. At the same time, other outputs, including outputs from the set yα1, yα2, …, yαk, might or might not be inverted. The maximum value of k for which this condition is satisfied can be adopted as the value of the order h. Having adopted such an interpretation of the order of a controlled substitution-permutation network of the R type, replacement of all P2/1 controlled elements in a certain Pn/m block of order h by R2/1 elements results in forming an Rn/m controlled substitution-permutation network of order h. In the case of such a replacement, it can be stated that the controlled permutations block and the controlled substitution-permutation network of the R type have the same topology. The analogy between controlled substitution-permutation networks of the Sn/m type and controlled permutations blocks is less obvious; however, to unify the approach to different types of substitution-permutation networks, the following definition of the order of an Fn/m-type controlled substitution-permutation network will be adopted:

Definition 4.1
Assume that Fn/m controlled substitution-permutation network has been specified.
The Fn/m block has the order h, if it has the same topology as a certain controlled
permutations block of order h.

In the course of the propagation of the influence of inputs on the outputs, an
important property is the existence of a value V ensuring the influence of a given
input on the specified number of arbitrarily chosen outputs. The larger the number
of such outputs, the more pronounced the avalanche effect.
In most cryptoschemes based on controlled operations, mutually inverse oper-
ational blocks are used. Similarly to the case of building controlled permutations
blocks, for every controlled substitution-permutation network of the Fn/m type it is
easy to synthesize the corresponding inverse block F–1n/m. In contrast to building in-
verse controlled permutations blocks, where only inverse fixed permutations were
required, building F–1n/m blocks in the general case requires the use of inverse active
layers; that is, active layers made up of inverse controlled elements. The general
scheme of mutually inverse F-blocks is shown in Figure 4.2.
The most interesting subclasses of controlled elements—namely, {R2/1} and
{S2/1}—contain, for each specific type of controlled element, its inverse element as
well. This means that direct and inverse blocks will be equivalent in a certain sense.
In the case of a controlled substitution-permutation network built from Z2/1 controlled
elements, switching to inverse blocks is in general related to a change of the differential
and nonlinear properties. At the same time, depending on the Z2/1 element, the proper-
ties of Z–12/1 elements turn out to be different even within the limits of the {Z′2/1}, {Z′′2/1},
{Z*2/1}, and {Z**2/1} subclasses. Further on, the main attention will be paid to con-
trolled substitution-permutation networks based on nonlinear controlled elements.
All the aforementioned demonstrates that topological structures developed for
controlled permutations blocks can also be used for controlled substitution-per-
mutation networks of the Rn/m and Sn/m types. Because of this, first-order controlled
substitution-permutation networks can be built based on the recursive scheme
shown in Figure 4.3a, and inverse first-order controlled substitution-permutation
networks based on the recursive scheme of the second type (Figure 4.3b).
Switched Controlled Operations 173

FIGURE 4.2 Structure of mutually inverse blocks Fn/m (a) and F–1n/m (b).

FIGURE 4.3 Building a first-order controlled substitution-permutation network R2n/2m+n (a) and its inverse network R–12n/2m+n (b) using first-order blocks Rn/m (a) and R–1n/m (b).

When considering the given pair of recursive design schemes, it is easy to show
that the minimum number of layers required to implement a first-order controlled
substitution-permutation network Fn/m is

s′ = log2 n.
It is also possible to build controlled substitution-permutation networks Fn/m of
orders 2, 4, …, n/4, and n on the basis of the scheme of recursive design with order
duplication (recursive scheme of the third type), shown in Figure 4.4 for the case of
R-blocks. The latter scheme of recursive design was used for building controlled
permutations blocks of different orders for the case n = 32. By analogy, this
scheme can be applied for an arbitrary value n = 2^k, where k is a positive integer.
However, this has not been proven formally. Consider the procedure of building an
R-type controlled substitution-permutation network for the case of arbitrary k
(obviously, this design also covers building the appropriate controlled permutations
blocks).
Assume it is necessary to build a block with the input size n = 2^k and order
h = 2^q, where q < k. Take the first-order block $R_{2^{k-q}/m/1}$, where the $R_{n/m/h}$
designation has been adopted, in which the index h denotes the order of the controlled
substitution-permutation network. Executing q sequential steps of the recursive
procedure of building a controlled substitution-permutation network with dupli-
cation of the order according to the scheme shown in Figure 4.4 will produce the
following chain:

$$R_{2^{k-q}/m_0/1} \to R_{2^{k-q+1}/m_1/2} \to R_{2^{k-q+2}/m_2/2^2} \to \dots \to R_{2^{k-q+i}/m_i/2^i} \to \dots \to R_{2^k/m_q/2^q}.$$

FIGURE 4.4 Structure of the R2n/2m+2n (a) and R4n/4m+8n (b) controlled substitution-permutation networks.
Thus, the required controlled substitution-permutation network has been built.
The values mi after each step of the recursive procedure can be easily defined. The
number of layers in the resulting controlled substitution-permutation network is
equal to the number of layers in the source first-order substitution-permutation
network $R_{2^{k-q}/m/1}$ (s′ = k − q) plus twice the number of steps of the recursive
procedure (2q), which makes:

s = (k − q) + 2q = k + q = log2 n + log2 h = log2 (nh).

The latter formula allows for determining the number of layers for arbitrary
values of n and h ≤ n/4. The case h = n/2 is of no practical interest, because it
requires the same number of active layers as the controlled substitution-permutation
network of order h = n, for which s = 2 log2 n − 1. This feature is easily explained:
in the case of order h = n/2, the formal building procedure considered previously
must start from the original CSPN with a 2-bit input, which has order h = 2, because
according to the controllability definition it must implement at least two different
permutations of the input bits, and there are only two of them. With the use of such
an initial block (for example, an F2/1 controlled element), the block of minimum
order is implemented at each step of the recursive procedure.
Figure 4.5 shows examples of controlled substitution-permutation networks
Fn/m of orders h = 1, 2, …, n/4, n for the case n = 32. The initial block of the
recursive building procedure with duplication of order is enclosed by the dashed
frame. The design schemes considered here are universal for input sizes equal to
natural powers of two. However, in certain particular cases other variants of CSPN
topology are preferred, characterized by bilateral symmetry and higher structuredness,
which simplifies their circuit implementation. In addition, for symmetric blocks the
mechanism of forming control vectors satisfying several predefined criteria is
simplified. The use of a symmetric structure results in the most significant
simplification in the case of building a switched controlled substitution-permutation
network.

Definition 4.2
A controlled substitution-permutation network is called switched, if it can imple-
ment both direct controlled operation and its inverse operation depending on the
value of some additional control bit.

Several reasons for which the use of controlled operation is the most promising
for the synthesis of block ciphers will be covered later. Also covered will be different
variants of building them based on controlled elements of different standard sizes.
FIGURE 4.5 Controlled operational blocks F32/m of different orders: a) h = 32, b) h = 8, c) h = 4, d) h = 2, e) h = 1.

At the same time, the important role of symmetric CSPN topologies will be traced,
together with several differences in this concept for the cases in which different
mechanisms are used for specifying the switching property (which can also be called
the invertibility property). For example, when invertibility is obtained at the cost of
inverting the control bits, operational blocks are built using controlled elements whose
set of elementary modifications is split into pairs of mutually inverse modifications.
Symmetric (or bilaterally symmetric) CSPNs are defined as follows.

Definition 4.3
A controlled substitution-permutation network is called symmetric if for each
i = 1, 2, …, s − 1 the following relationships are true: $L_i = L_{s-i+1}$ and
$\pi_i = (\pi_{s-i})^{-1}$.
In other variants of building the invertible controlled substitution-permutation
network, switching is ensured by means of permutation of the control vectors corre-
sponding to specific pairs of active cascades. In this case, a symmetric controlled
substitution-permutation network is one whose structure satisfies the following
definition.

Definition 4.4
A controlled substitution-permutation network is symmetric if in this network,
for each i = 1, 2, …, s − 1, the following relationships are true: $L_i = L_{s-i+1}^{-1}$ and
$\pi_i = (\pi_{s-i})^{-1}$.

Other, asymmetric topologies of switched controlled substitution-permutation
networks will also be covered. However, the most economical solutions in terms of
hardware expenses are obtained using controlled substitution-permutation networks
with symmetric topology. Most interesting is the fact that some controlled sub-
stitution-permutation networks can be implemented using both a symmetric and an
asymmetric structure. At the same time, both variants of the network structure re-
quire an equal number of active layers and ensure similar differential and nonlinear
properties, such as the same algebraic degree of nonlinearity. This demonstrates that
the additional symmetry property is achieved without detriment to the cryptographic
properties of the controlled substitution-permutation networks in cases when the
symmetry is optimally combined with the input size of the block being synthesized.
In the “Cryptography: Fast Ciphers” publication by A. A. Moldovyan, N. A.
Moldovyan, N. D. Goots, and B. V. Izotov, it was shown that, for arbitrary k, first-
order controlled permutations blocks synthesized according to the first scheme of
recursive synthesis implement a set of permutation modifications that can be
split into pairs of mutually inverse modifications. This means that there exists the
principal possibility of building switched controlled permutation blocks of the first
order for arbitrary input sizes n = 2^k. If a controlled substitution-permutation net-
work of the first order is built according to the first recursive scheme using a standard
controlled element F2/1 representing an involution, then for arbitrary k this CSPN
implements a set of modifications of the controlled operation that can be split into
pairs of mutually inverse modifications. This statement can be easily proven using
the topological transformations applicable to the case F2/1 = P2/1.

Statement 4.1
One step of the recursive procedure of building controlled substitution-permutation
networks of the third type preserves the property of splitting modifications of the
original controlled substitution-permutation network into pairs of mutually inverse
modifications provided that the original CSPN is characterized by such a property.
Proof
Consider an F2n/2m+2n block built according to the recursive scheme of the third type
using the original Fn/m block (Figure 4.6). The block built this way can be repre-
sented as a superposition of the single-layer CSPN L1, the CSPN F2n/2m representing a
cascade of two Fn/m blocks, and the single-layer CSPN LS. The F2n/2m block will be desig-
nated as $(F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)})$, where W1 and W2 are the control vectors corresponding to
the left and right Fn/m blocks. The control vectors of blocks L1 and LS are designated as
V1 and VS, respectively. Let the original blocks Fn/m have the splitting property under
consideration. Then, for arbitrary W1 and W2 there exist values W′1 and W′2 such
that the following condition is satisfied:

$$(F_{n/m}^{(W'_1)} \,|\, F_{n/m}^{(W'_2)}) = \big((F_{n/m}^{(W_1)})^{-1} \,|\, (F_{n/m}^{(W_2)})^{-1}\big) = (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)})^{-1}.$$

FIGURE 4.6 The structure of the F2n/2m+2n blocks.

Now it is easy to prove that the controlled substitution-permutation network
F2n/2m+2n with control vectors V′1 = VS, V′S = V1, W′1, and W′2 implements the
modification inverse to the one implemented with control vectors V1, VS, W1, and
W2. Indeed, taking into account that F2/1 controlled elements are involutions, and,
consequently, the same single-layer CSPNs L1 and LS are also controlled involutions,
the transformation of the input vector X gives the following result:
$$Y = (X)\, L_1^{(V_1)} \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)}) \cdot L_S^{(V_S)};$$

$$\begin{aligned}
Y' &= (Y)\, L_1^{(V'_1)} \cdot (F_{n/m}^{(W'_1)} \,|\, F_{n/m}^{(W'_2)}) \cdot L_S^{(V'_S)} \\
&= \big((X)\, L_1^{(V_1)} \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)}) \cdot L_S^{(V_S)}\big)\, L_1^{(V_S)} \cdot (F_{n/m}^{(W'_1)} \,|\, F_{n/m}^{(W'_2)}) \cdot L_S^{(V_1)} \\
&= (X)\, L_1^{(V_1)} \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)}) \cdot L_S^{(V_S)} \cdot L_1^{(V_S)} \cdot (F_{n/m}^{(W'_1)} \,|\, F_{n/m}^{(W'_2)}) \cdot L_S^{(V_1)} \\
&= (X)\, L_1^{(V_1)} \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)}) \cdot (F_{n/m}^{(W'_1)} \,|\, F_{n/m}^{(W'_2)}) \cdot L_S^{(V_1)} \\
&= (X)\, L_1^{(V_1)} \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)}) \cdot (F_{n/m}^{(W_1)} \,|\, F_{n/m}^{(W_2)})^{-1} \cdot L_S^{(V_1)} \\
&= (X)\, L_1^{(V_1)} \cdot L_S^{(V_1)} = X.
\end{aligned}$$

This is exactly what was required to prove.

Using Statement 4.1, it is easy to prove the following theorem that is of practi-
cal importance for applied issues, because it demonstrates the principal possibility
of building switched controlled permutations blocks and controlled substitution-
permutation networks of orders h = 1, 2, …, n/4, n.

Theorem 4.1
For orders h = 1, 2, …, n/4, n and n = 2^k, where k is a positive integer,
controlled substitution-permutation networks built according to the recursive
scheme of the third type using a typical F2/1 controlled element representing an
involution implement a set of modifications of the controlled operation
Fn/m that can be split into pairs of mutually inverse modifications.

Proof
In the case of h = n, the statement follows directly from the bilateral symmetry of
the controlled substitution-permutation network of maximum order. In the case of
h = 1, the proof can easily be carried out using the topological conversion for the
case F2/1 = P2/1 described in “Cryptography: Fast Ciphers” by A. A. Moldovyan, N.
A. Moldovyan, N. D. Goots, and B. V. Izotov. Because in controlled substitution-
permutation networks of orders h = 2, …, n/4 a first-order controlled operational
substitution is used, for which the splitting property holds, then, according to
Statement 4.1, this property holds for h = 2. By applying Statement 4.1 sequentially,
it is easy to prove that the same property also holds for h = 4, …, n/4.
The proven fact allows for building switched controlled substitution-permutation
networks of different orders. However, to obtain a more illustrative structuredness of
such a design, it is necessary to use symmetric controlled substitution-permutation
networks in particular cases or another design mechanism in the general case.
When evaluating the hardware resources required for implementing Fn/m con-
trolled substitution-permutation networks of different orders, it is possible to
use the formula NCE = (n log2 nh)/2 for computing the number of controlled
elements NCE in a CSPN. Tables 4.1 and 4.2 provide assessments of the required
resources in the case of custom VLSI circuits manufactured using 0.33-μm technology.

TABLE 4.1 Chip Area Required for Implementing F32/m Substitution-Permutation Networks of Different Orders (in sqmil units)

CE                                                      h = 1   h = 2   h = 4   h = 8   h = 32
e/g, e/h, f/i, f/j                                      160     192     224     256     288
g/e, g/h, h/g, h/e, g/i, f/g, i/f, h/j, j/h, j/f, f/h   240     288     336     384     432
g/f, i/g, e/j, j/e, j/i, i/e, i/j, h/f                  320     384     448     512     576

TABLE 4.2 Chip Area Required for Implementing F64/m Substitution-Permutation Networks of Different Orders (in sqmil units)

CE                                                      h = 1   h = 2   h = 4   h = 8   h = 16   h = 64
e/g, e/h, f/i, f/j                                      384     448     512     576     640      704
g/e, g/h, h/g, h/e, g/i, f/g, i/f, h/j, j/h, j/f, f/h   576     672     768     864     960      1056
g/f, i/g, e/j, j/e, j/i, i/e, i/j, h/f                  768     896     1024    1152    1280     1408

From the data provided in Tables 4.1 and 4.2, it is obvious that all the considered
controlled substitution-permutation networks require reasonable hardware re-
sources and therefore can be used for implementing ciphers of different types.
32-bit F32/96 CSPNs and 64-bit F64/192 CSPNs, characterized by low circuit imple-
mentation complexity, appear the most promising for this purpose. Evaluations
provided in Tables 4.1 and 4.2 demonstrate that ciphers based on controlled sub-
stitution-permutation networks can be implemented economically enough. The
complexity of their implementation is approximately equal to, and in some cases
(for certain types of controlled elements) considerably lower than, that of ciphers
based on data-dependent permutations.
This book provides detailed coverage of controlled elements of the F2/1 and F2/2
types. However, similar ciphers can be built based on controlled substitution-
permutation networks of other sizes; for example, F3/2, F4/1, F3/3, and F4/2. In the
latter case, 6×4 S-boxes are in effect used. For this purpose, it is possible to use the
S-boxes employed in the DES cipher. They are covered in detail in many publica-
tions on cryptography and therefore won’t be considered here. It is only necessary
to point out that the criteria for choosing F4/2 controlled elements need not
match the criteria for choosing the 6×4 substitutions discussed earlier when
substantiating their choice for cryptographic applications.
This is because F4/2 elements are assumed to be used in cryptosystems of another
type; namely, in cases when the control data subgroup and the data subgroup being
transformed remain independent in the course of executing a controlled operation
built on their basis. In the DES algorithm, 6×4 substitutions are used differently:
a cascade of eight such substitutions actually implements a fixed substitution car-
ried out over a 32-bit data subgroup by executing controlled operations over 4-bit
data subgroups (the choice of one of four substitutions of the 4×4 type depends
on the values of two bits belonging to other subgroups). Because of the sharp
growth of the number of controlled elements satisfying the criteria of applicability
for synthesis of controlled substitution-permutation networks when migrating from
F2/1 to F2/2 and F3/1 elements, it is possible to assume that there will be many F4/2
elements suitable for synthesis of controlled substitution-permutation networks,
and that their number would considerably exceed the number of 6×4 substitutions
considered to satisfy the criteria of applicability in classical substitution-
permutation ciphers.
Thus, cryptoschemes based on the use of variable operations implemented
using substitution-permutation networks provide the following possibilities:

Efficiently use controlled elements of comparatively low size, including minimal CEs.
Considerably extend the number of variants of F4/2 elements and larger CEs
that are of interest for cryptographic applications.

Controlled elements with minimal input size (F2/1 and F2/2) are minimal build-
ing blocks for the synthesis of cryptographic operations. Their application is expe-
dient because of the following reasons:
They have been tried and tested in multiple ciphers; in particular, in the ciphers
based on variable bit permutations.
The complete classification of F2/1 controlled elements has been built, and two
best subclasses of such elements have been found.
Criteria of the choice of F2/2 elements have been defined and their detailed
classification has been developed.
The use of such elements ensures considerably more economic hardware im-
plementation in comparison to building controlled substitution-permutation
networks with the input size of 4 bits or more.

The use of F3/1 elements is also interesting and promising and ensures the building
of economical ciphers. Although a 3-bit input introduces some limitations on the use
of such elements, they can be employed, for example, for the synthesis of controlled
substitution-permutation networks oriented toward the following applications:

In cryptographic systems with splitting into unequal data subgroups (for
instance, when a 128-bit data block is split into one 32-bit and one 96-bit
subgroup, and the latter is transformed using a controlled substitution-
permutation network, while the first subgroup is used for specifying the con-
trol vector).
In hash functions, where there is no need to ensure reversibility of the transforma-
tion, and, therefore, it is possible to use the operation of extension of the binary
vector being transformed.
In the round function of the generalized Feistel cryptoscheme.

4.2 PROBLEMS WITH BUILDING BLOCK CIPHERS WITH SIMPLE KEY USE SCHEDULE

The use of data-dependent operations as a basic cryptographic primitive—that is,
the use of variable transformation operations—creates prerequisites for building
fast ciphers characterized by low complexity of circuit implementation. Based on
primitives of this type, it is possible to build transformation cryptoschemes that
strengthen the parallelism of computations and make it possible to transform round
subkeys simultaneously with the transformation of data subgroups. The latter is the
prerequisite for applying a simple key use schedule, which consists in using fragments
of the secret key (subkeys), or some combinations of them, in place of round keys.
A simple key use schedule ensures the following possibilities:

Considerable additional economy of circuit resources in the case of hardware
implementation of ciphers.
Improvement of the performance of encrypting devices in the case of frequent key
change, which is important for most network applications.

Examples of ciphers based on data-dependent operations and using a simple
schedule of key use are SPECTR-H64, SPECTR-128, CIKS-128, COBRA-F64a,
COBRA-F64b, etc. However, no matter how complex the transformations used in
one round of an iterative cryptoscheme might be, where the encryption mode
switches to the decryption mode by changing the order of using the round keys to the
inverse one, a simple schedule of key use results in the encryption procedure
coinciding with the decryption procedure for certain classes of keys (even if their
share in the complete keyspace is negligible). Such keys are considered weak. In the
case of the aforementioned cryptoschemes, the simple key use schedule results in the
existence of weak keys of this type because the same transformation procedures are
used in both encryption modes. Furthermore, for certain key subclasses the use of a
simple key use schedule results in all round keys turning out identical, and, conse-
quently, all rounds of encryption represent the same transformation (this takes place
even in some practically used ciphers, for example, in the GOST 28147–89 cryptosys-
tem). The latter circumstance represents a prerequisite for implementation of the
slide attack suggested in “New Types of Cryptanalytic Attacks Using Related
Keys” by E. Biham. Although the probability of choosing a weak key is very low
(2^–192 to 2^–128) for the aforementioned ciphers, it is highly desirable to eliminate this
feature. When building round hash functions based on block ciphers, the presence
of even a very small share of weak keys is undesirable. For example, for iterative
hash functions, where blocks of hashed data take part in the transformation instead
of the key, the presence of weak keys makes it easy to form a large number of
different messages whose hash function equals the same value, which cannot be
tolerated.
The following approaches can be suggested to eliminate weak keys in iterative
block ciphers using a simple key use schedule:

The use of different transformation procedures for encryption and decryption.
A considerable drawback of this approach is that in the case of hardware imple-
mentation it actually requires implementing two algorithms. In addition, a
class of keys is preserved for which all rounds of encryption represent the same
transformation, although that transformation differs from the decryption
round. Because of this, the prerequisites for a slide attack still remain.
Including constants whose values depend on the round number and the
encryption mode in the round transformation. This method allows for elim-
inating both weak keys and the similarity of all encryption rounds. A certain draw-
back of this approach is that at least one additional operation must be included
in each round, and, in addition, it is necessary to implement the mechanism
for appropriately changing the order of using the constants when changing the en-
cryption mode.
The use of switched operations controlled by a bit specifying the direct or inverse
order of use of the round keys (thanks to which the choice of the encryption or
decryption mode is ensured). This approach requires minimum additional
circuit resources and eliminates the need for switching constant values in each
round when changing the encryption mode. Furthermore, it creates prerequisites
for substantiating ciphers in which changing the order of round key use is not
required. The latter circumstance even allows for reducing the overall cost of
hardware implementation.
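The weak-key mechanism described above, as an added Python example that is not from the book or from any of the ciphers it names: a constructed toy Feistel-type cipher with a simple key use schedule (round keys taken straight from the key words, decryption reusing the encryption procedure with the key order reversed), a check that flags keys for which encryption coincides with decryption, and the second countermeasure from the list, round constants that depend on the round number and whose order is reversed when the mode changes. The round function f, the constants, the block and key sizes and the sample blocks are all constructed for this example.

```python
"""Constructed toy, not one of the book's ciphers: a Feistel-type cipher with a
simple key use schedule, a weak-key check, and mode-dependent round constants
as the countermeasure.  f, the constants and the sizes are all made up."""

MASK32 = 0xFFFFFFFF
ROUNDS = 8
# Constructed 64-bit sample blocks for the weak-key check.
SAMPLES = (0x0123456789ABCDEF, 0xFFFFFFFFFFFFFFFF, 0x0, 0xDEADBEEFCAFEBABE)


def f(x):
    """Constructed nonlinear 32-bit round function (no cryptographic claim)."""
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return x ^ (x >> 15)


def simple_schedule(key_words):
    """Simple key use schedule: round i uses key word i mod (number of words),
    i.e. fragments of the secret key serve directly as round keys."""
    return [key_words[i % len(key_words)] for i in range(ROUNDS)]


def round_constants(enabled):
    """Constants depending on the round number (all zero when the
    countermeasure is switched off)."""
    return [(0x2545F491 * (i + 1)) & MASK32 if enabled else 0
            for i in range(ROUNDS)]


def feistel(block, subkeys, constants):
    """The single transformation procedure shared by both modes: thanks to the
    final swap, running it again with the subkeys (and constants) in reverse
    order undoes it."""
    left, right = block >> 32, block & MASK32
    for k, c in zip(subkeys, constants):
        left, right = right, left ^ f(right ^ k ^ c)
    return (right << 32) | left


def encrypt(block, key_words, constants=False):
    return feistel(block, simple_schedule(key_words), round_constants(constants))


def decrypt(block, key_words, constants=False):
    """Decryption = the same procedure with the order of the round keys (and of
    the round constants, when used) inverted."""
    return feistel(block, simple_schedule(key_words)[::-1],
                   round_constants(constants)[::-1])


def is_weak_key(key_words, constants=False, samples=SAMPLES):
    """Weak in the sense of the text: the encryption procedure coincides with
    the decryption procedure, so encrypting twice returns the plaintext.  With
    this schedule that happens whenever the subkey sequence reads the same
    backwards, e.g. for all-equal key words or for the key (1, 2, 2, 1)."""
    return all(encrypt(encrypt(m, key_words, constants), key_words, constants) == m
               for m in samples)
```

With the constants disabled, `is_weak_key([7, 7, 7, 7])` and `is_weak_key([1, 2, 2, 1])` both hold, because the reversed subkey sequence equals the original one and the two procedures are the same function; the all-equal key is also the case in which every round is the same transformation. Enabling the constants makes the sequence of (subkey, constant) pairs direction-dependent, so the same keys are no longer weak while `decrypt(encrypt(m))` still returns m.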

The comparison of all the previous approaches shows that the use of switched
controlled operations is of greatest interest. The main issue here consists in the devel-
opment of switched operations satisfying the following requirements:

Low cost of circuit implementation
Efficiency of the use of the scheme as a cryptographic primitive
High performance

The switching property of an operation is in essence a special variant of the im-
plementation of the controllability property. This inspires the idea of implement-
ing switched controlled operations by means of an appropriate modification of the
schemes used for building controlled operations. In addition, there are prerequi-
sites for efficient implementation of switched controlled operations in which the
entire set of modifications that can potentially be implemented is split into pairs of
mutually inverse modifications. Assume that some hypothetical controlled oper-
ation has an additional 1-bit control input, to which the bit e specifying the mode
of operation is supplied. Assume that when e = 0 the direct controlled operation
is executed, and when e = 1 the inverse operation corresponding to it takes place.
This means that for each fixed value of the control vector the direct modification
will take place in the course of encryption (e = 0), and the corresponding inverse
operation will take place in the course of decryption (e = 1), which means that a
certain switched controlled operation is implemented. The idea of building a
switched controlled operation can be efficiently implemented based on symmetric
topologies of controlled permutation networks and controlled substitution-
permutation networks. The next few sections of this chapter will cover the building
of switched controlled operations of different types.

4.3 THE NOTION OF SWITCHED OPERATION

In general, the concept of controlled operation can be defined as follows.

Definition 4.5
Let $\{F_1, F_2, \dots, F_{2^m}\}$ be a set of operations defined by the formula
$Y = F_i = F_i(X_1, X_2, \dots, X_q)$, where $i = 1, 2, \dots, 2^m$; $X_1, X_2, \dots, X_q$ are input
n-bit binary vectors (operands), and Y is the output n-bit vector. Then the operation
$F^{(V)}$ dependent on V and defined by the formula $Y = F^{(V)}(X_1, X_2, \dots, X_q) = F_V(X_1, X_2, \dots, X_q)$,
where V is an m-bit control vector, is called a controlled q-bit operation. The operations
$F_1, F_2, \dots, F_{2^m}$ will be called modifications of the controlled operation $F^{(V)}$.

Examples of controlled operations are controlled permutations and controlled
2-bit operations. The concept of the inverse controlled operation is of the greatest in-
terest for further consideration.

Definition 4.6
Let $\{F_1, F_2, \dots, F_{2^m}\}$ be the set of modifications of the controlled operation $F^{(V)}$.
The operation $(F^{(V)})^{-1}$ containing the modifications $F_1^{-1}, F_2^{-1}, \dots, F_{2^m}^{-1}$ is called
inverse in relation to the controlled operation $F^{(V)}$ if for all V the modifications
$F_V^{-1}$ and $F_V$ are mutually inverse.

In general, switched operation can be defined as follows.

Definition 4.7
Let $F'^{(e)}$, where $e \in \{0, 1\}$, be some operation depending on e and containing two
modifications: $F'^{(0)} = F'_1$ and $F'^{(1)} = F'_2$, where $F'_2 = (F'_1)^{-1}$. Then the operation
$F'^{(e)}$ is called a switched operation.

Further on, various kinds of controlled operations will be considered. How-
ever, the switched controlled operation defined as follows is the most impor-
tant and of the greatest interest.

Definition 4.8
Let the two modifications of the switched operation $F'^{(e)}$ represent a pair of mutually
inverse controlled operations $F'^{(0)} = F^{(V)}$ and $F'^{(1)} = (F^{(V)})^{-1}$. Then $F'^{(e)}$ is called
a switched controlled operation $F^{(V, e)}$.
For the first time, a particular case of switched controlled operations, namely,
switched controlled permutations, was built based on permutation networks with
symmetric structure. Building controlled operations based on controlled substitu-
tion-permutation networks considerably extends the class of switched controlled
operations and provides new possibilities for designing fast block ciphers oriented
toward efficient hardware implementation. It is possible to suggest several ap-
proaches to the implementation of switched controlled operations based on substitu-
tion-permutation networks. The main approaches among them are based on the
use of:

Elements of the network topology symmetry
Symmetry of the bit distribution of the control vector

In the first case, the internal node of the switched controlled operation is imple-
mented as a switching block that changes the distribution of control bits so that
for the specified control vector the modification being implemented switches from
the direct one to the inverse one. This case ensures the possibility of using a control
vector in which every bit is independent. In the second case, the internal nodes of
switched controlled operations are implemented as 1) a switching block of smaller
size, implemented with lower overhead in circuit resources, and 2) an extension block
implemented as a simple branching of wires and introducing practically no addi-
tional hardware expenses. In the first variant, the extension block is not re-
quired, although in particular cases of the use of switched controlled operations it
can be used, for example, for forming a control vector of large size from a data
subgroup of small size. The symmetry of the topological structure of a certain
switched controlled operation assumes that controlled elements located in sym-
metric positions are either involutions or mutually inverse controlled elements of a
general type.
When using special types of controlled elements, the switching mechanism con-
sists of inversion of all bits of the control vector instead of stepwise redistribution of
control bits over controlled elements of the controlled substitution-permutation
network. To implement this switching mechanism, the controlled element is de-
signed so all its modifications are split into pairs of mutually inverse modifications.
If such controlled elements are included into symmetric topology, switching of the
direct controlled operation to the inverse operation is carried out by means of in-
verting each bit of the control vector.
4.4 CONTROLLED OPERATIONAL SUBSTITUTIONS AS A CLASS OF PAIRWISE MUTUALLY INVERSE MODIFICATIONS

Recursive schemes of building permutation networks are of practical importance


and can be used for designing controlled operational substitutions. For building
switched controlled operational substitutions, it is interesting to prove that the re-
cursive building procedure forms controlled permutation network and substitu-
tion-permutation networks, the set of implemented modifications of which is split
into pairs of mutually inverse modifications. This result has been proven in “Cryp-
tography: Fast Ciphers” by A. A. Moldovyan, N. A. Moldovyan, N. D. Goots, and
B. V. Izotov for recursive first-order blocks of controlled permutations. The scheme
of recursive procedure of building a first-order block of controlled permutation can
be extended to controlled operational substitutions by means of replacing an ele-
mentary controlled switch with the controlled substitution element F2/1. This re-
sults in a recursive scheme of the procedure of building switched controlled
operational substitutions, shown in Figure 4.7 and related to the first type. This pro-
cedure consists of the use of two identical parallel Fn/m blocks, the inputs of which
are connected to the outputs of the active cascade Ln made up of n parallel F2/1
elements according to the following rule. The left (right) 1-bit output of each i-th
F2/1 element of the active cascade Ln is connected to the i-th 1-bit input of the left
(right) Fn/m block. As a result, the F2n/2m+n block is formed. The first step of the
recursive building procedure of the first type uses controlled F2/1 elements as Fn/m
blocks and an active L2 cascade made up of two F2/1 elements as Ln (Figure 4.7c).
The proof of splitting of all modifications of the controlled permutations
blocks into pairs of mutually inverse modifications is based on the use of specific
features of the topology of recursive procedure of the first type, and that the
switched element is an elementary controlled involution. Considering this, it is
easy to show that this proof also can be extended to controlled permutation blocks
with similar topology, if elementary controlled operational substitution (that is, F2/1
controlled element) represents an elementary controlled involution. Because of
availability of many different variants of F2/1 elements characterized by nonlinear
properties, it is possible to build many different switched controlled operational
substitutions.
The specified type of splitting also takes place in cases with switched controlled
operational substitutions obtained according to the recursive building procedure of
the second type, which is analogous to the similar recursive building procedure of
the first type. This recursive procedure consists of the following. Outputs of two
parallel F′n/m blocks are connected to the input of the active Ln cascade according to
the following rule. The left (right) 1-bit input of each i-th F2/1 element of the active
Ln cascade is connected to the i-th 1-bit output of the left (right) F′n/m block. As a result, the F′2n/2m+n block is formed. At the first step of the recursive building procedure of the second type, F2/1 controlled elements are used as F′n/m blocks. The F′2n/2m+n block is bilaterally symmetric in relation to the F2n/2m+n block obtained using the recursive scheme of the first type (Figure 4.8).

FIGURE 4.7 The first variant of the recursive procedure of building a controlled substitution-permutation network: a) block size duplication step, b) schematic representation of the duplication step, c) the first step of the building procedure.

This means that if the bits of the control vector in F′2n/2m+n blocks are distributed over the controlled elements according to the rule corresponding to the inverse controlled substitution-permutation network, the result will be F′2n/2m+n = (F2n/2m+n)⁻¹. Because the modifications of F2n/2m+n blocks are split into pairs of mutually inverse modifications, it follows from this relationship that the same property holds for F′2n/2m+n controlled substitution-permutation networks. The first and the second types of the recursive building procedure at each step result in the synthesis of first-order substitution-permutation networks.
FIGURE 4.8 The second variant of the recursive procedure of building controlled substitution-permutation networks: a) block size duplication step, b) schematic representation of the duplication step, c) the first step of the building procedure.

Two previously considered variants of the building procedure can be used for building mutually inverse blocks when using F2/1 controlled elements of the general type. In this case, the first-type recursive procedure is carried out using direct F2/1 elements, and the recursive procedure of the second type is carried out using the corresponding inverse (F2/1)⁻¹ elements, as shown in Figure 4.9.
The use of the third type of recursive procedure of building controlled permu-
tation blocks ensuring synthesis of networks of maximum order is also of interest
for synthesis of controlled substitution-permutation networks. This variant can be
represented as a combination of the first two. Within a single step, the F2n/2m+2n
block is formed on the basis of two Fn/m blocks and two active Ln cascades (Figure
4.10). In this case, both the input size of the CSPN input and its order are dupli-
cated. At the first step of the building procedure, two controlled F2/1 elements and
two active cascades of the L2 type are used. Because F2/1 elements have the maxi-
mum order, each step of recursion results in the synthesis of a CSPN of maximum
order with the duplicated input size. In all three types of recursive building proce-
dures, the use of controlled elementary involutions F2/1 is assumed to ensure that the implemented modifications are split into pairs of mutually inverse modifications (in the case of the general building procedure, this condition is not mandatory). Such a splitting serves as evidence of the principal possibility of building switched controlled operations, although the issue of the complexity of this synthesis deserves separate consideration.

FIGURE 4.9 Schemes of recursive building of controlled substitution-permutation networks with mutually symmetric topologies.
Because of the internal bilateral symmetry of F2n/2m+2n blocks, the existence of the
aforementioned splitting for them is obvious. Actually, for each value of the control
vector V = (V1, V2, ..., Vs), a modification is implemented, which is inverse in relation
to the modification corresponding to the control vector V′ = (Vs, Vs–1, ..., V1)
obtained on the basis of V by writing V1, V2, ..., Vs components in the inverse order.
Similarly, it is possible to show that the aforementioned splitting can be implemented
for every symmetric substitution-permutation network. Symmetric controlled sub-
stitution-permutation networks (and controlled permutations blocks as a particular
case) are convenient for synthesis of switched controlled operations of different types.
That being so, in symmetric controlled substitution-permutation networks it is
possible to use controlled elementary involutions, and pairs of mutually inverse F2/1
elements of the general type, located in symmetric positions. For example, if at the
first step of the third-type recursive building procedure two controlled elementary
involutions F*2/1 are used, and at each step of the recursive procedure cascades built
on the basis of direct F2/1 elements and corresponding inverse (F2/1)–1 elements are
employed as upper Ln and lower L–1n active cascades, a new wide class of symmetric
controlled substitution-permutation networks will be obtained. This scheme is pre-
sented in Figure 4.11.

FIGURE 4.10 The third variant of the recursive procedure of building controlled substitution-permutation networks: a) block size duplication step, b) schematic representation of the duplication step.

FIGURE 4.11 Recursive procedure of building mutually inverse controlled substitution-permutation networks based on mutually inverse controlled elements: a) direct block, b) inverse block.

Using the property of order duplication implemented in the third type of the recursive building procedure, it is possible to build controlled substitution-permutation networks of orders 2, 4, …, n/4. This is carried out by analogy with the synthesis of controlled permutation blocks of the same orders, described earlier in the “Cryptography: Fast Ciphers” publication by A. A. Moldovyan, N. A. Moldovyan, N. D. Goots, and B. V. Izotov. The minimal number of active cascades required for implementation of a first-order controlled substitution-permutation network is $s_{\min} = \log_2 n$. This can be easily seen by considering the first or the second variant of the recursive building procedure. By carrying out the recursion step of the third type with two first-order Fn/m blocks, you obtain the second-order F2n/2m+2n block with the following number of layers:

$$s_{\min} = 2 + \log_2 n = 1 + \log_2 2n,$$

where 2n is the size of the synthesized block of the second order; that is, for this input size the minimum number of active cascades required for implementation of the second-order controlled substitution-permutation network is greater by one than the $s_{\min}$ value for the first-order controlled substitution-permutation network.
If the initial Fn/m block has the order h, the third-type recursion step ensures building of the F2n/2m+2n block of order 2h. It can be easily shown that for the given values n and h ≤ n/4 the minimum number of cascades is $s_{\min} = \log_2 nh$. The case h = n/2 can be implemented; however, it is of no practical interest, because its implementation requires $s_{\min} = 2\log_2 n - 1$ active cascades, which is equal to the number of active cascades in a controlled substitution-permutation network of order n.
Now it is necessary to prove that the controlled substitution-permutation networks of orders 2, 4, …, n/4 have the property of splitting of modifications into two subsets of mutually inverse modifications. Figure 4.12 illustrates the structure of the F block of order 2h, where the internal blocks F′ and F′′ have order h and are characterized by this property. At the first step of recursion it is possible, for example, to take mutually inverse first-order controlled substitution-permutation networks built using elementary controlled involutions according to the first and the second recursive building schemes. In the particular case, it is possible to take the pair of F′2/1 and F′′2/1 controlled elements as the original blocks F′ and F′′. For the F′2/1 and F′′2/1 controlled elements the following relations are true: $F'^{(0)}_{2/1} = \big(F'^{(1)}_{2/1}\big)^{-1}$ and $F''^{(0)}_{2/1} = \big(F''^{(1)}_{2/1}\big)^{-1}$, which means that the recursive procedure uses controlled elements whose set of modifications can be split into two subsets of mutually inverse modifications. As such controlled elements, it is possible to take CEs described by the following pairs of elementary modifications: q/u, v/s, u/q, x/r, w/t, r/x, s/v, and t/w.

FIGURE 4.12 The third variant of recursive building of symmetric substitution-permutation networks using different blocks: a) general scheme, b) the first step of the building procedure.

The control vector V corresponding to block F can be represented as the concatenation of components V1, V2, V3, V4, which are the control vectors of the upper cascade Ln, block F′, block F′′, and the lower cascade Ln, respectively: V = (V1, V2, V3, V4). For an arbitrary control vector V, because of the assumed properties of blocks F′ and F′′, it is possible to specify another control vector V′ = (V4, V′2, V′3, V1), where V′2 is the control vector of block F′ for which the latter implements the modification inverse to the one implemented with V2, and V′3 is the control vector of block F′′ for which the latter implements the modification inverse to the one implemented with V3. Because of the bilateral symmetry of the inclusion of the upper and lower cascades Ln, block F with V′ = (V4, V′2, V′3, V1) implements the modification inverse to the one it implements with V = (V1, V2, V3, V4). Indeed, the F2n/2m+2n controlled substitution-permutation network can be represented as a superposition of the single-layer controlled substitution-permutation network Ln, the controlled substitution-permutation network F′2n/2m consisting of the two parallel blocks F′n/m and F′′n/m, and the single-layer controlled substitution-permutation network Ln⁻¹. Denote block F′2n/2m as $\big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big)$, where V2 and V3 are the control vectors of the left and right internal blocks. Now transform the input vector X according to the following scheme (operations are applied from left to right):

$$Y = (X)\, L_n^{(V_1)} \bullet \big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_4)};$$

$$\begin{aligned}
Y' &= (Y)\, L_n^{(V_4)} \bullet \big(F'^{(V'_2)}_{n/m} \mid F''^{(V'_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_1)} \\
&= \Big((X)\, L_n^{(V_1)} \bullet \big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_4)}\Big)\, L_n^{(V_4)} \bullet \big(F'^{(V'_2)}_{n/m} \mid F''^{(V'_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_1)} \\
&= (X)\, L_n^{(V_1)} \bullet \big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_4)} \bullet L_n^{(V_4)} \bullet \big(F'^{(V'_2)}_{n/m} \mid F''^{(V'_3)}_{n/m}\big) \bullet \big(L_n^{-1}\big)^{(V_1)} \\
&= (X)\, L_n^{(V_1)} \bullet \big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big) \bullet \big(F'^{(V_2)}_{n/m} \mid F''^{(V_3)}_{n/m}\big)^{-1} \bullet \big(L_n^{-1}\big)^{(V_1)} \\
&= (X)\, L_n^{(V_1)} \bullet \big(L_n^{-1}\big)^{(V_1)} = X.
\end{aligned}$$

Thus, for an arbitrary value of the control vector V it is possible to specify a value V′ such that $F^{(V')}_{2n/2m+2n} = \big(F^{(V)}_{2n/2m+2n}\big)^{-1}$, which is exactly what was required to prove.

If internal blocks F′ and F′′ are built according to the recursive scheme of the
first or second type, they are characterized by the splitting property being consid-
ered. Consequently, this property has been proven for second-order F blocks.
Using such second-order blocks, according to the scheme under consideration, it is
possible to build blocks of order 4, characterized by this splitting property. Further,
it is possible to consider blocks of orders 8, 16, and higher orders.
Thus, in the example of three types of a recursive procedure of building Fn/m
blocks, it is principally possible to build switched controlled operational substitu-
tion of orders 1, 2, …, n; however, symmetric topology providing a convenient im-
plementation of the mechanism of inverting a controlled operation is implemented
only in the case of maximum order. In case of orders 2, 4, …, n/4 the development
of the switching mechanisms for distribution of control bits requires detailed elab-
oration considering each step of the recursive building procedures used in the
course of synthesizing Fn/m blocks. In further sections, particular cases of building
symmetric switched controlled operations of the first and second orders will be
used, along with another scheme of order duplication allowing for simplification of
the synthesis of switched controlled operations of orders 1, 2, 4, …, n/4 for an
arbitrary value of n representing a natural power of two.

4.5 SWITCHED CONTROLLED OPERATIONAL SUBSTITUTIONS WITH SYMMETRIC TOPOLOGICAL STRUCTURE

When developing ciphers using controlled permutations, symmetric controlled
permutations blocks P32/96 and P64/192 have found a wide application. These blocks
have the second and the first orders, respectively. Using topologies of these blocks,
it is possible to build switched controlled operational substitutions F(V,e)32/96 and
F(V,e)64/192, characterized by different properties that are determined by the choice
of controlled elements of a specific type. In contrast to synthesis of controlled
permutations block, which is carried out using a single variant of a controlled
element—namely, elementary controlled permutation P2/1 representing an involu-
tion—in case of a controlled substitution-permutation network, there are consid-
erably more different types of controlled elements available. Some of these elements
are involutions, while most other elements are not. Consider the procedure of
building a controlled substitution-permutation network with symmetric topology.
First, it is necessary to build first-order blocks F8/12 and F⁻¹8/12, which contain three active cascades (Figure 4.13). In this case, the F8/12 block is built using F2/1 elements of arbitrary type, and the F⁻¹8/12 block is built using F⁻¹2/1 elements, which are the inverses of the F2/1 elements.

FIGURE 4.13 The structure of operational blocks F8/12 and F⁻¹8/12.

If the standard element is an elementary controlled involution, the following relationship is true: F⁻¹2/1 = F2/1. In this case, the active cascades in blocks F8/12 and F⁻¹8/12 are identical and represent single-layer controlled substitution-permutation networks that are involutions.
Having built the F8/12 and F⁻¹8/12 blocks, it is possible to proceed with building the six-layer blocks F32/96 and F64/192. The F32/96 block is implemented using four F8/12 blocks that make up the input cascade and four F⁻¹8/12 blocks that form the output cascade (Figure 4.14a).
Outputs of the first cascade are connected to the inputs of the second cascade
according to the fixed permutation I1, which represents an involution and is de-
scribed by the following cyclic structure:

(1)(2,9)(3,17)(4,25)(5)(6,13)(7,21)(8,29)(10)
(11,18)(12,26)(14)(15,22)(16,30)(19)(20,27)(23)(24,31)(28)(32).

The controlled operational block F⁻¹32/96 (Figure 4.14b) is the inverse of block F32/96. It has the same structure, differing only in that the components V1, V2, V3, V4, V5, and V6 of the control vector are distributed over the active layers from bottom to top, while in the direct block they are distributed from top to bottom.
Block F64/192 is implemented using eight F8/12 blocks that make up the input cascade and eight F⁻¹8/12 blocks that make up the output cascade (Figure 4.14c). The outputs of the first cascade are connected to the inputs of the second cascade according to the fixed permutation I2, which is an involution and is described by the following cyclic structure:

(1)(2,9)(3,17)(4,25)(5,33)(6,41)(7,49)(8,57)(10)
(11,18)(12,26)(13,34)(14,42)(15,50)(16,58)(19)
(20,27)(21,35)(22,43)(23,51)(24,59)(28)(29,36)(30,44)(31,52)(32,60)(37)
(38,45)(39,53)(40,61)(46)(47,54)(48,62)(55)(56,63)(64).

FIGURE 4.14 The structure of operational blocks:


F32/96 (a), F–132/96 (b), F64/192 (c), F–164/192 (d).

Because of the bilateral symmetry of blocks F32/96 and F64/192, the corresponding inverse blocks F⁻¹32/96 and F⁻¹64/192 differ only in that the components of the control vector V = (V1, V2, ..., V6) are distributed over the active cascades in the inverse order. In the case of direct controlled substitution-permutation networks they are distributed from top to bottom, and in the case of inverse controlled substitution-permutation networks from bottom to top. Because of the symmetry of the F32/96 and F64/192 blocks, the modifications they implement with control vector V = (V1, V2, ..., V6) are inverse to the modifications implemented with control vector V′ = (V6, V5, ..., V1), where for i = 1, 2, …, 6 the components Vi are 16 bits long for F32/96 and 32 bits long for F64/192. This property also holds for the pair of blocks F⁻¹32/96 and F⁻¹64/192. This is because the component Vi controls the i-th active layer in the case of F32/96 and F64/192 and the (7 – i)-th active layer in the case of F⁻¹32/96 and F⁻¹64/192. This, in turn, means that by changing the order in which the components of the control vector are used, it is possible to switch from the direct controlled substitution-permutation network to the inverse one. Obviously, this method of building switched controlled operational substitutions is suitable for an arbitrary symmetric structure of a controlled substitution-permutation network. In other words, the problem of building a switched controlled operational substitution can be solved by first building a controlled substitution-permutation network with symmetric topology.
If every value Vi, where i = 1, 2,…, s, is formed before the data bits pass the
i-th layer, the delay time of the controlled substitution-permutation network will
be defined by the number of active layers. The delay time of one active layer fits
within the limits between τ and 2τ depending on the variant of circuit implemen-
tation of controlled elements. Here, τ is the delay time of the XOR operation de-
noted as ⊕, which approximately corresponds to the delay of the signal passing
through one gate. The delay time of switched controlled operational substitution is
practically equal to the delay of controlled substitution-permutation network of
normal type.
For building a switched block F(V,e)32/96, it is possible to supply the components
of the control vector to active cascades of block F(V)32/96 through the P(e)96/1 block of
permutation of 16-bit components Vi, as shown in Figure 4.15. The P(e)96/1 block is
implemented as a single-cascade controlled permutation block made up of three
parallel single-layer P(e)2×16/1 blocks (Figure 4.15a). Each of the P(e)2×16/1 blocks has
16-bit left and 16-bit right inputs and outputs. The P(e)2×16/1 block represents 16 par-
allel blocks P(e)2/1, controlled by the same bit e. The right (left) input (output) bit of
each of 16 parallel P(e)2/1 blocks forms the right (left) 16-bit input (output) of the
P(e)2×16/1 block. The control vector V = (V1, V2, ..., V6) is supplied to the input of
block P(e)96/1. Each of the P(e)2×16/1 blocks, depending on e, carries out a permutation
of some pair of 16-bit components of the control vector V, so that when e = 0, com-
ponents V1, V2, ..., V6 are distributed from top to bottom, and when e = 1, these
components are distributed from bottom to top. This mechanism ensures imple-
mentation of the direct F32/96 operation having e = 0, and the inverse operation F⁻¹32/96
having e = 1. The structure of the switched block F(e)32/96 is shown in Figure 4.15b.

FIGURE 4.15 Building the switched block F(V,e)32/96: a) mechanism of redistribution of the control vector components, b) structure of the switched controlled operational substitution F(V,e)32/96.

Proceeding in a similar way, it is possible to build a switched controlled substi-
tution-permutation network F(V,e)64/192 using a single-cascade permutation block
P(e)192/1, representing three parallel single-layered P(e)2×32/1 blocks (Figure 4.16a).
Each P(e)2×32/1 block is a set of 32 parallel blocks P(e)2/1, each of which is controlled
by bit e. The structure of the F(e)64/192 block is shown in Figure 4.16b.

FIGURE 4.16 Building a switched F(V,e)64/192 block: a) mechanism of redistribution of the control vector components, b) structure of the switched controlled operational substitution F(V,e)64/192.
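The constructions of Sections 4.4 and 4.5, as an added runnable example (editorial code, not the authors' implementation): a bit-level model of controlled substitution-permutation networks built by the first-, second- and third-type recursive procedures, the blocks F32/96 and F64/192 assembled from F8/12 blocks and the involutions I1 and I2, and the switched block F(V,e) that reverses the order of the control components. The P2/1 table is the elementary controlled permutation of the text; the element F2_1_GENERAL (add 1 / add 2 modulo 4 on the 2-bit pair), the wiring representation and the random data and control vectors are assumptions of this example. Running it confirms, for an arbitrary F2/1 type, that supplying V6, …, V1 instead of V1, …, V6 inverts F32/96 and F64/192, that the same holds for the third-type block built with inverse elements in the lower cascade and an involution at its centre (Figure 4.11), and it reproduces the cascade counts and control-vector sizes stated in the text (3 and 12 for F8/12, 6 and 96 or 192 for F32/96 and F64/192, 2 log2 n − 1 for the maximum-order block).

```python
import random

# A controlled element F2/1 is a pair of 2-bit bijections indexed by its control bit v,
# ce[v][(x1, x2)] -> (y1, y2).  P2/1 (identity / swap) is an elementary controlled involution.
P2_1 = ({(0, 0): (0, 0), (0, 1): (0, 1), (1, 0): (1, 0), (1, 1): (1, 1)},
        {(0, 0): (0, 0), (0, 1): (1, 0), (1, 0): (0, 1), (1, 1): (1, 1)})

def _add_mod4(k):
    """2-bit bijection 'add k mod 4' on the pair read as a number (constructed helper)."""
    return {(a >> 1, a & 1): (((a + k) % 4) >> 1, ((a + k) % 4) & 1) for a in range(4)}

F2_1_GENERAL = (_add_mod4(1), _add_mod4(2))  # constructed general-type F2/1: no modification is an involution
def inverse_ce(ce):
    """(F2/1)^-1: invert the table of each modification."""
    return tuple({out: inp for inp, out in mod.items()} for mod in ce)

def inverse_perm(p):
    q = [0] * len(p)
    for i, j in enumerate(p):
        q[j] = i
    return q
def chain(first, second):
    """Fixed wiring 'first' followed by wiring 'second'; a wiring w means new[p] = old[w[p]]."""
    return [first[q] for q in second]
# A block is (wires, ces): active cascades of F2/1 elements on adjacent wire pairs (2i, 2i+1),
# with a fixed wiring before each cascade and one after the last: F = w0 L w1 L ... w(s-1) L ws.
def layer(ce, n):
    return [list(range(n)), list(range(n))], [ce]
def parallel(block, copies):
    wires, ces = block
    n = len(wires[0])
    return [[c * n + w for c in range(copies) for w in wire] for wire in wires], list(ces)
def concat(a, mid, b):
    """Block a, then the fixed wiring mid, then block b."""
    return a[0][:-1] + [chain(chain(a[0][-1], mid), b[0][0])] + b[0][1:], a[1] + b[1]

def apply_block(block, x, ctrl):
    """Run bit list x through the block; ctrl[k] holds the n/2 control bits of cascade k."""
    wires, ces = block
    for wire, ce, v in zip(wires, ces, ctrl):
        x = [x[w] for w in wire]
        x = [b for i in range(len(x) // 2) for b in ce[v[i]][(x[2 * i], x[2 * i + 1])]]
    return [x[w] for w in wires[-1]]

def split_wiring(n):
    """Left output of cascade element i -> input i of the left inner block, right output -> right block."""
    return [2 * i for i in range(n // 2)] + [2 * i + 1 for i in range(n // 2)]

def first_type(n, ce):
    """First-type recursion (Figure 4.7): first-order F_{n/m}, log2(n) cascades, m = (n/2) log2(n)."""
    if n == 2:
        return layer(ce, 2)
    return concat(layer(ce, n), split_wiring(n), parallel(first_type(n // 2, ce), 2))

def mirror(block):
    """Second-type counterpart (Figs 4.8, 4.9): reflected wiring, inverted elements; inverse of 'block' when fed V reversed."""
    wires, ces = block
    return [inverse_perm(w) for w in reversed(wires)], [inverse_ce(c) for c in reversed(ces)]

def third_type(n, ce, ce_center=P2_1):
    """Third-type recursion (Figs 4.10-4.12): L_n, two parallel half blocks, L_n^-1 of inverse elements; 2 log2(n) - 1 cascades."""
    if n == 2:
        return layer(ce_center, 2)
    upper = concat(layer(ce, n), split_wiring(n), parallel(third_type(n // 2, ce, ce_center), 2))
    return concat(upper, inverse_perm(split_wiring(n)), layer(inverse_ce(ce), n))

def involution_I(n):
    """I1 (n=32) / I2 (n=64) of the text: output bit t of F8/12 block j <-> output bit j of block t, per group of n/8 wires."""
    width = n // 8
    return [(p % width) * 8 + ((p % 8) // width) * width + p // 8 for p in range(n)]

def build_F(n, ce):
    """F32/96 (n=32) / F64/192 (n=64), Figure 4.14: n/8 F8/12 blocks, the involution, n/8 inverse F8/12 blocks; V1..V6 of n/2 bits."""
    f8 = first_type(8, ce)
    return concat(parallel(f8, n // 8), involution_I(n), parallel(mirror(f8), n // 8))

def switched(block, x, ctrl, e):
    """F^(V,e): e=0 direct, e=1 inverse; reversing V1..V6 is what the P^(e) blocks of Figs 4.15/4.16 do (V1<->V6, V2<->V5, V3<->V4)."""
    return apply_block(block, x, ctrl[::-1] if e else ctrl)

def control_size(block):
    """m, the number of control bits: cascades times n/2."""
    return len(block[1]) * len(block[0][0]) // 2

def switching_ok(block, trials=20, seed=1):
    """True if e = 1 undoes e = 0 on random data and random control vectors (constructed inputs)."""
    rng = random.Random(seed)
    n = len(block[0][0])
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(n)]
        v = [[rng.randint(0, 1) for _ in range(n // 2)] for _ in block[1]]
        if switched(block, switched(block, x, v, 0), v, 1) != x:
            return False
    return True

if __name__ == "__main__":
    for name, blk in (("F32/96", build_F(32, F2_1_GENERAL)), ("F64/192", build_F(64, F2_1_GENERAL)),
                      ("third-type F16/56", third_type(16, F2_1_GENERAL))):
        print(name, "cascades:", len(blk[1]), "m:", control_size(blk), "e=1 inverts e=0:", switching_ok(blk))
```

The wiring list representation makes the bilateral symmetry explicit: `mirror` reverses the list of wirings and inverts every element, and the whole F32/96 block is its own mirror image because I1 is an involution, which is why reversing the control components alone yields the inverse operation.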

4.6 SWITCHED CONTROLLED SUBSTITUTION-PERMUTATION NETWORKS OF DIFFERENT ORDERS

The use of symmetric topology when designing switched controlled substitution-permutation networks is a particular case. In the general case, building a controlled permutation block with symmetric structure characterized by predefined values of order and input size is a difficult task. Because of this, methods of synthesizing switched controlled operational substitutions of different orders are of great interest. The most important is the synthesis of blocks of orders 2, 4, 8, ..., n/4 (switched blocks of order n with symmetric topology can be easily synthesized using the recursive procedure of the third type considered in Section 4.4). A universal method of building switched controlled substitution-permutation networks can be obtained on the basis of two mutually inverse blocks Fn/m and F⁻¹n/m of half the required order, and two mutually inverse cascades Ln (input) and L⁻¹n (output), connected to blocks Fn/m and F⁻¹n/m according to the scheme shown in Figure 4.17. In this case, the following typical rule of the recursive building procedure is implemented: each controlled element of the top (input) and bottom (output) cascades is connected to each of the Fn/m and F⁻¹n/m blocks.

FIGURE 4.17 Building a switched controlled operation on the basis


of two mutually inverse controlled substitution-permutation networks.
200 Innovative Cryptography, Second Edition

This scheme of building a switched controlled operation is similar to one step of


a recursive building procedure of the third type. However, in this case, the use of two
mutually inverse internal substitution-permutation networks ensures implementa-
tion of the pairs of mutually inverse modifications for each fixed bit permutation
π (permutation π–1 is determined by the choice of π). However, for this scheme to
duplicate the order of the controlled substitution-permutation network being
synthesized, permutation π must correspond to the typical rule of the recursive
building procedure (obviously, permutation π–1 also will correspond to this rule). The
number of permutation π satisfying this rule is exceedingly large; however, it is expe-
dient to choose the permutation that is used in the course of the recursive building
procedure, because this simplifies the description of the operational block structure.
Using mechanisms of recursive building of controlled substitution-permutation networks, it is easy to build Fn/m substitution-permutation networks of orders 1, 2, 4, ..., n/4. If this procedure is carried out using elementary controlled involutions F*2/1 or F2/1 elements of arbitrary type, in both cases it will be easy to build a controlled substitution-permutation network F⁻¹n/m inverse in relation to the specified s-cascade block:

$$F_{n/m} = L \circ \pi_1 \circ L \circ \pi_2 \circ \dots \circ \pi_{s-1} \circ L,$$

$$F^{-1}_{n/m} = L^{-1} \circ \pi^{-1}_{s-1} \circ L^{-1} \circ \pi^{-1}_{s-2} \circ \dots \circ \pi^{-1}_{1} \circ L^{-1}.$$

If the Fn/m block has order h, then the F⁻¹n/m block also has order h, and, this being so, implementation of controlled permutation blocks Fn/m and F⁻¹n/m of the same order requires the same minimum number of active layers.
Thus, the method represented in Figure 4.17 allows for creating a switched
controlled substitution-permutation network F(V,e)2n/2(m + n) of order 2h using two
mutually inverse controlled substitution-permutation networks Fn/m and F–1n/m of
the same order h. Here, V = (V1, V2, V3, V4) is the control vector of the newly-built
controlled substitution-permutation network. It can be easily shown that for all
values of V the following relationships are true:

X = F(V,1)2n/2(m+n)(Y), if Y = F(V,0)2n/2(m+n)(X),
X = F(V,0)2n/2(m+n)(Y), if Y = F(V,1)2n/2(m+n)(X).

If n = 2^k, where k is some natural number, the minimum number of active layers in block Fn/m (or F⁻¹n/m) of order h = 1, 2, …, n/4 is

$$s_{\min} = \log_2 hn.$$

For the case of maximum order h = n the result is as follows:

$$s_{\min} = \log_2 hn - 1.$$


To build a switched block F(V,e)n′/m′ of order h′ = 2, 4, …, n′/4, where n′ = 2n and m′ = 2(n + m), using the previously described method, it is necessary to use blocks Fn/m and F⁻¹n/m of order h = h′/2 and add two extra active layers. Thus, the minimum number of required active layers is

$$s'_{\min} = \log_2 hn + 2 = \log_2 4hn = \log_2 h'n'.$$

In the case when h′ = n′ corresponds to switched controlled substitution-permutation networks of maximum order, which can be built using blocks Fn/m and F⁻¹n/m of order h = n, it is possible to prove that

$$s'_{\min} = \log_2 h'n' - 1.$$

If n = 2k, it is easy to create a block F(V)n/m of maximum order with the sym-
metric structure. Consequently, a switched block F(V,e)n/m of maximum order can
also be built using the method described in Section 4.4.

4.7 SIMPLIFICATION OF THE HARDWARE IMPLEMENTATION OF SWITCHED CONTROLLED OPERATIONAL SUBSTITUTIONS

Variants of synthesis of switched controlled operational substitutions considered
earlier use the stepwise change of the distribution of all control bits of the m-bit vec-
tor V. The switching property in this case is ensured for an arbitrary distribution of
dependent or independent control bits. However, implementation of these schemes
of building switched controlled operational substitutions requires that m/2 switch-
ing elements P2/1 be used (each of which changes the distribution of two control
bits). When developing ciphers, the size of the control data subgroup, depending on
which the control vector V is formed, in most cases is considerably smaller than the
value m and is equal to the value n (that is, to the size of the controlled substitution-
permutation network input). Controlled substitution-permutation networks in
which the m/n ratio is equal to a natural number are the most convenient to use,
because this allows us to ensure a certain uniformity of the influence of all bits of
the controlling data subgroup on the choice of the current modification of the
controlled operational substitution. For n = 32, the aforementioned ratio in second-
order blocks is 3. The same value takes place in first-order controlled substitution-
permutation blocks with the 64-bit input. In these cases, it is expedient to specify the
dependence of “nonintersecting” triads of bits of the control vector V on each bit of
the controlling data subgroup. This is achieved by extending the controlling data
subgroup (for example, by increasing its length three times). The extended data sub-
group can be used directly as the control vector. The control vector can also be
formed by superposition (usually carried out with the XOR operation) over the

extended controlling data subgroup of one or more subkeys. In this case, the cur-
rently implemented CSPN modification is dependent on the data subgroup and the
secret key.
If the control vector is an equiprobable random value, it is possible to use
arbitrary distribution of control bits over controlled elements of the controlled sub-
stitution-permutation network. If there is a dependency between control bits, the dis-
tribution is chosen based on specific criteria ensuring the uniformity of the influence
of all bits of the controlling subgroup on the choice of the current modification of the
controlled operation. Distribution of control bits satisfying specific criteria can most
easily be built for certain specific topological structures of controlled substitution-
permutation networks. For example, symmetric structures of the F32/96 and F64/192
blocks described in the previous section can serve as examples. In case of 64- and 128-
bit ciphers, achieving independence of the bits in control vector is related to splitting
the input data block into subgroups of different size. At the same time, the control-
ling subgroup must have the size two or three times greater than the data subgroup
being transformed. Such splitting is not typical, and requires specialized cryp-
toschemes to be developed. In addition, in this case a larger number of rounds are
required to ensure the influence of each input data bit on each output bit.
Because dependence of control bits in vector V cannot be eliminated in a rea-
sonable way, it is expedient to try to find more economic mechanisms of switching
the distribution of control bits resulting in inversion of controlled substitution-
permutation networks; that is, in change of the direct operation to the inverse one.
Actually, it is possible to assume that it is enough to carry out a certain permutation
of n bits in the controlling data subgroup that will result in redistribution of m bits
of vector V depending on the operation mode bit e. It is also possible to assume that
the implementation of such a method of inverting the controlled operation must be
based on the use of the symmetry of the CSPN topological structure, and on the
corresponding symmetry of the bit distribution in the controlling data subgroup.
Now it is time to consider the method of inverting controlled substitution-permu-
tation networks demonstrating practical applicability of this approach. The most
considerable advantage of the discussed methods of switching bit distribution in
the controlling data subgroup is that their implementation requires using only n/2
P2/1 switching elements instead of m/2 elements, as was the case of switching arbi-
trary distribution of bits in control vector V. In case of implementation of switched
controlled substitution-permutation networks F(e)32/96 and F(e)64/192, the number of
required P2/1 blocks will be smaller by 32 and 64 elements, respectively. This will
allow us to reduce the cost of circuit implementation down to the values of
1.03–1.17 of the implementation complexity of F32/96 and F64/192 controlled sub-
stitution-permutation networks that do not have the switching property. The
previously specified dispersion of values relates to the different complexity of implementing different types of F2/1 control elements and to the possibility of different values of their circuit implementation (the circuit resources required for implementing the switching mechanism remain fixed).
Switched controlled substitution-permutation networks F(e)32/96 and F(e)64/192 of
this type have the same size of the control and information inputs, and the extension
block represents an internal component. If it is supposed to superimpose keys over the
extended control vector being formed, it is necessary to make a provision of additional
input for supplying keys, and additional circuits for the operation that will carry out
this superposition. In most cryptoschemes based on controlled operation, the element
for superimposing subkeys over extended control vector is not used. In these cryp-
toschemes, it is possible to use simpler switched controlled operational substitutions.
Figure 4.18 schematically shows the Fn/m controlled substitution-permutation network with a bilaterally symmetric structure as a superposition of two mutually inverse blocks Fn/m′ and F–1n/m′. This scheme illustrates the procedure of building switched operational blocks in the case when all control bits are independent (a), and in the case of extension of the controlling data subgroup for forming the control vector (b). In the latter case, control bits of vectors V′1 and V′2 are distributed over blocks Fn/m′ and F–1n/m′ according to the bilateral symmetry, thanks to which, in the case of permutation of vectors L1 and L2, correct switching of the controlled substitution-permutation network from the direct controlled operation to the inverse controlled operation is ensured.

FIGURE 4.18 Comparison of two variants of implementing switched controlled operational substitutions: a) with arbitrary control vector, b) using extension of the control data subblock.
Switched controlled substitution-permutation networks F(e)32/96 and F(e)64/192
can be easily built according to the design scheme oriented toward economical
hardware implementation (Figure 4.18b). In comparison to normal controlled sub-
stitution-permutation networks F32/96 and F64/192, the F(e)32/96 and F(e)64/192 blocks
used in the previously described variant of implementation require 16 and 32
additional P2/1 elementary switches, respectively.

4.8 SWITCHED CONTROLLED SUBSTITUTION-PERMUTATION NETWORKS WITH CONTROLLED ELEMENTS INCLUDING PAIRS OF MUTUALLY INVERSE MODIFICATIONS

A promising area of investigation is the implementation of switched controlled operational substitutions in which the mechanism of inverting the executed controlled operation relies on the controlled substitution-permutation network being built from controlled elements F2/1, F2/2 or F3/1 whose modifications are split into pairs of mutually inverse modifications. Such controlled elements can be inverted by inverting their control bits. In the case of the F2/2 element, this is achieved if each of the two pairs of modifications corresponding to the pairs of control vectors (00), (11) and (01), (10) consists of two mutually inverse modifications.
The method of inverting controlled substitution-permutation networks based
on inverting all control bits also requires the use of symmetric CSPN topology and
symmetric distribution of control bits. Because of the latter circumstance, this
method is applicable only in cases when no more than half of the control bits are
independent (the same bit must be supplied to the control input of two controlled
elements placed in bilaterally symmetric positions). If the control vector of the Fn/m
block is formed based on a data subgroup that is n bits in size, then, as a rule, bits
of the control data subgroup can be easily distributed symmetrically. However, if
the m/n ratio is an odd number, then bits from one-half of this data subblock must
be used for controlling more elementary substitution elements in comparison to
the bits from the second half. This nonuniformity is not critical; however, it must
be taken into account when developing switched controlled operational substitu-
tions intended for use in specific ciphers. A certain drawback of the method of
inverting controlled substitution-permutation network by means of inverting con-
trol bits is that the aforementioned symmetric distribution of control bits makes it
impossible to implement one of the useful criteria of forming control vectors. This
criterion can be formulated as follows: control bits must be distributed so that
neither of the bits of the data subgroup being transformed is exposed to the influ-
ence of the same bit of the control data subgroup twice.
Despite the aforementioned specific features, the CSPN inversion method
under consideration is of practical importance, because it provides another way of
economic implementation of the mechanism of switching between direct and in-
verse operations. Consider the variants of building switched controlled operational
substitutions of this type using different types of controlled elements.

4.8.1 Switched Controlled Substitution-Permutation Networks on the Basis of F2/1 Elements
Having considered the existing types of nonlinear controlled elements F2/1, de-
scribed in Chapter 3, it can be easily discovered that elements specified by pairs of
modifications q/u, r/x, s/v, t/w, u/q, x/r, v/s, and w/t (Figure 4.19) are controlled
elementary substitutions implementing pairs of mutually inverse modifications.

FIGURE 4.19 Pairs of mutually inverse elementary transformations of the (x1,x2) → (y1,y2) type.

The use of other pairs of elementary modifications of 2×2 substitutions doesn’t result in building variants of F2/1 elements satisfying the criterion of nonlinearity of both outputs. The previously listed eight variants are the only ones. Actually, there are four pairs of modifications of 2×2 substitutions, each specifying two
variants of S2/1 controlled elements differing by the choice of modification imple-
mented at zero (or one) value of the control bit. The most favorable is the circum-
stance that each output of these elements is a nonlinear boolean function, the
arguments of which are two input bits and a control bit, and the sum of outputs
represents a nonlinear boolean function of the aforementioned variables. This
means that these are elements of the S2/1 type. Table 4.3 describes the aforemen-
tioned four variants of elements characterized by the S(1) = (S(0))–1 property as pairs
of boolean functions of three variables.

TABLE 4.3 Boolean Functions Describing S2/1 Controlled Elements Implementing Pairs of Mutually Inverse Modifications

Element | y1 = f1(x1, x2, v)        | y2 = f2(x1, x2, v)            | y1 ⊕ y2
q/u     | vx1 ⊕ x2                  | vx2 ⊕ x1 ⊕ x2                 | vx1 ⊕ vx2 ⊕ x1
s/v     | vx1 ⊕ v ⊕ x2              | vx2 ⊕ v ⊕ x1 ⊕ x2 ⊕ 1         | vx1 ⊕ vx2 ⊕ x1 ⊕ 1
t/w     | vx1 ⊕ x2 ⊕ 1              | vx2 ⊕ v ⊕ x1 ⊕ x2             | vx1 ⊕ vx2 ⊕ v ⊕ x1 ⊕ 1
r/x     | vx1 ⊕ v ⊕ x2 ⊕ 1          | vx2 ⊕ x1 ⊕ x2 ⊕ 1             | vx1 ⊕ vx2 ⊕ v ⊕ x1
u/q     | vx1 ⊕ x1 ⊕ x2             | vx2 ⊕ x1                      | vx1 ⊕ vx2 ⊕ x2
v/s     | vx1 ⊕ v ⊕ x1 ⊕ x2 ⊕ 1     | vx2 ⊕ v ⊕ x1                  | vx1 ⊕ vx2 ⊕ x2 ⊕ 1
w/t     | vx1 ⊕ x1 ⊕ x2 ⊕ 1         | vx2 ⊕ v ⊕ x1 ⊕ 1              | vx1 ⊕ vx2 ⊕ v ⊕ x2
x/r     | vx1 ⊕ v ⊕ x1 ⊕ x2         | vx2 ⊕ x1 ⊕ 1                  | vx1 ⊕ vx2 ⊕ v ⊕ x2 ⊕ 1


4.8.2 Switched Controlled Substitution-Permutation Networks on the Basis of F2/2 Elements

In comparison to the synthesis of F2/1 elements, forming elementary controlled substitutions of the F2/2 type requires considering a significantly larger number of variants. However, the requirement of mutual reversibility of two pairs of the
F2/2 element’s modification considerably narrows the range of choice. Furthermore,
in contrast to the case of F2/1 elements, for which this requirement didn’t result
in discarding the most efficient nonlinear elements of this type, in the case of F2/2
elements the most efficient variants (in terms of the nonlinearity criteria) do not
satisfy the condition. This requires us to ensure the possibility of splitting four im-
plemented modifications into two pairs of mutually inverse modifications. Never-
theless, the remaining types of F2/2 elements are characterized by good nonlinear
properties and by the modifications propagation characteristics. This allows us
to use them for building switched controlled operation substitutions suitable for
applying in cryptosystems. At least, boolean functions describing each of their two
outputs and their sum have higher values of nonlinearity and algebraic degree of
nonlinearity in comparison to F2/1 elements.
At the same time, despite considerable limitations implied by the
F(11) = (F(00))–1 and F(10) = (F(01))–1 conditions, the number of F2/2 elements of this
type, implementing four different modifications is large enough. In addition, vari-
ants of F2/2 elements implementing the same modification at two different values of
the control vector (v1, v2) are also possible. For example, both outputs of the
m/e/e/n elements (where the latter notation lists modifications of 2×2 substitu-
tions implemented at the values of the control vector equal to (0, 0), (0, 1), (1, 0),
and (1, 1), respectively), and their sum, are nonlinear boolean functions of four
variables:

y1 = v1v2x1 ⊕ v1v2x2 ⊕ v1v2 ⊕ v1x2 ⊕ v2x2;
y2 = v1x1 ⊕ v1x2 ⊕ v2x2 ⊕ v1 ⊕ v2 ⊕ x2 ⊕ 1;
y1 ⊕ y2 = v1v2x1 ⊕ v1v2x2 ⊕ v1v2 ⊕ v1x1 ⊕ v2x1 ⊕ v1 ⊕ v2 ⊕ x2 ⊕ 1.

It is necessary to mention that when fixing one control bit (v1 or v2) in the
m/e/e/n element, it turns into an element of the S2/1 type. Consider several
examples of controlled elements with four different modifications. Element q/k/l/u
is described by the following boolean functions (Figure 4.20a):

y1 = v1v2x1 ⊕ v1x2 ⊕ v2x2 ⊕ v2x1 ⊕ v1x1 ⊕ v1 ⊕ v2 ⊕ x2;
y2 = v1v2x2 ⊕ v1v2 ⊕ x1 ⊕ x2 ⊕ v2;
y1 ⊕ y2 = v1v2x1 ⊕ v1v2x2 ⊕ v1v2 ⊕ v1x1 ⊕ v1x2 ⊕ v2x1 ⊕ v2x2 ⊕ v1 ⊕ x1.

FIGURE 4.20 Switched controlled elements: a) q/k/l/u, b) q/o/p/u.

Element q/o/p/u is described by the following boolean functions (Figure 4.20b):

y1 = v1v2x1 ⊕ v1v2 ⊕ v1 ⊕ x2;
y2 = v1v2x2 ⊕ v1v2 ⊕ v1x2 ⊕ v2x2 ⊕ v2 ⊕ x1 ⊕ x2;
y1 ⊕ y2 = v1v2x1 ⊕ v1v2x2 ⊕ v1x2 ⊕ v2x2 ⊕ v1 ⊕ v2 ⊕ x1.

The variants of implementation of F2/2 controlled elements switched by means of inverting control bits can be used for the synthesis of switched controlled operational substitutions.
Note that in switched controlled operational substitutions on the basis of F2/2
elements, the symmetric distribution of control bits assumes that the same control
vector (v1v2) is supplied to the control input of the elements located in symmetric
positions; that is, these elements implement the same modification of the 2×2
substitution.
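The properties claimed above for the elements of Table 4.3 and for the q/k/l/u and q/o/p/u elements can be confirmed exhaustively, since each element has only 8 or 16 input/control combinations. The following Python is an added example, not code from the book: the lambdas are a transcription of the boolean functions printed in this section, and the checks are written for this page (they test that complementary control values select mutually inverse 2×2 modifications and that every output, and the XOR of the two outputs, is a non-affine function).

```python
# Added example (not from the book): verifies, by exhaustive enumeration, the two
# properties the text relies on for the S2/1 elements of Table 4.3 and for the
# F2/2 elements q/k/l/u and q/o/p/u: the modifications selected by complementary
# control values are mutually inverse, and every output (and the XOR of the two
# outputs) is a nonlinear, i.e. non-affine, boolean function.
from itertools import product

# Table 4.3 transcribed as ANF expressions of (x1, x2, v); `&` is AND, `^` is XOR.
S21_ELEMENTS = {
    "q/u": (lambda x1, x2, v: v & x1 ^ x2,              lambda x1, x2, v: v & x2 ^ x1 ^ x2),
    "s/v": (lambda x1, x2, v: v & x1 ^ v ^ x2,          lambda x1, x2, v: v & x2 ^ v ^ x1 ^ x2 ^ 1),
    "t/w": (lambda x1, x2, v: v & x1 ^ x2 ^ 1,          lambda x1, x2, v: v & x2 ^ v ^ x1 ^ x2),
    "r/x": (lambda x1, x2, v: v & x1 ^ v ^ x2 ^ 1,      lambda x1, x2, v: v & x2 ^ x1 ^ x2 ^ 1),
    "u/q": (lambda x1, x2, v: v & x1 ^ x1 ^ x2,         lambda x1, x2, v: v & x2 ^ x1),
    "v/s": (lambda x1, x2, v: v & x1 ^ v ^ x1 ^ x2 ^ 1, lambda x1, x2, v: v & x2 ^ v ^ x1),
    "w/t": (lambda x1, x2, v: v & x1 ^ x1 ^ x2 ^ 1,     lambda x1, x2, v: v & x2 ^ v ^ x1 ^ 1),
    "x/r": (lambda x1, x2, v: v & x1 ^ v ^ x1 ^ x2,     lambda x1, x2, v: v & x2 ^ x1 ^ 1),
}

# The two F2/2 elements given in the text, as functions of (x1, x2, v1, v2).
F22_ELEMENTS = {
    "q/k/l/u": (
        lambda x1, x2, v1, v2: (v1 & v2 & x1) ^ (v1 & x2) ^ (v2 & x2) ^ (v2 & x1) ^ (v1 & x1) ^ v1 ^ v2 ^ x2,
        lambda x1, x2, v1, v2: (v1 & v2 & x2) ^ (v1 & v2) ^ x1 ^ x2 ^ v2),
    "q/o/p/u": (
        lambda x1, x2, v1, v2: (v1 & v2 & x1) ^ (v1 & v2) ^ v1 ^ x2,
        lambda x1, x2, v1, v2: (v1 & v2 & x2) ^ (v1 & v2) ^ (v1 & x2) ^ (v2 & x2) ^ v2 ^ x1 ^ x2),
}

def modification(elem, ctrl):
    """The 2x2 substitution selected by control bits `ctrl`, as a dict (x1,x2) -> (y1,y2)."""
    f1, f2 = elem
    return {(x1, x2): (f1(x1, x2, *ctrl), f2(x1, x2, *ctrl)) for x1, x2 in product((0, 1), repeat=2)}

def is_bijection(m):
    return len(set(m.values())) == 4

def are_inverse(m_a, m_b):
    """m_a is a bijection and m_b undoes it on every input."""
    return is_bijection(m_a) and all(m_b[m_a[x]] == x for x in m_a)

def is_affine(f, nvars):
    """f is affine iff f(a ^ b) = f(a) ^ f(b) ^ f(0) for all a, b (checked exhaustively)."""
    pts = list(product((0, 1), repeat=nvars))
    f0 = f(*pts[0])
    return all(f(*tuple(i ^ j for i, j in zip(a, b))) == f(*a) ^ f(*b) ^ f0
               for a in pts for b in pts)

def check_s21(name):
    """S(1) = (S(0))^-1 and y1, y2, y1^y2 are all nonlinear in (x1, x2, v)."""
    f1, f2 = S21_ELEMENTS[name]
    inverse_ok = are_inverse(modification((f1, f2), (0,)), modification((f1, f2), (1,)))
    f_sum = lambda x1, x2, v: f1(x1, x2, v) ^ f2(x1, x2, v)
    return inverse_ok and not any(is_affine(f, 3) for f in (f1, f2, f_sum))

def check_f22(name):
    """F(11) = (F(00))^-1, F(10) = (F(01))^-1, four distinct modifications, nonlinear outputs."""
    f1, f2 = F22_ELEMENTS[name]
    mods = {c: modification((f1, f2), c) for c in product((0, 1), repeat=2)}
    pairs_ok = are_inverse(mods[(0, 0)], mods[(1, 1)]) and are_inverse(mods[(0, 1)], mods[(1, 0)])
    distinct = len({tuple(sorted(m.items())) for m in mods.values()}) == 4
    f_sum = lambda x1, x2, v1, v2: f1(x1, x2, v1, v2) ^ f2(x1, x2, v1, v2)
    return pairs_ok and distinct and not any(is_affine(f, 4) for f in (f1, f2, f_sum))

if __name__ == "__main__":
    for name in S21_ELEMENTS:
        print(name, check_s21(name))
    for name in F22_ELEMENTS:
        print(name, check_f22(name))
```

The same harness also shows that the q/u element's two modifications are not each other's square: applying q twice gives u rather than the identity, so switching really does require the complementary control value and not merely a repeated application.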

4.9 EXTENSION OF THE SWITCHING PROPERTY OF CONTROLLED OPERATIONAL SUBSTITUTIONS

One of the most important goals of using switched controlled operational substitutions is elimination of the homogeneity of iterative encryption when using relatively short keys in the case of a simple key use schedule. To achieve this goal with only one switched operation in the procedure of a single encryption round, it is possible to set different values of the operation mode switching bit in sequential rounds, so that they form a periodic sequence of one and zero values. A more efficient variant is using several switched controlled operational substitutions in the
same round. This allows for ensuring more significant difference in the procedures
of sequential rounds. Recurrence of the encryption rounds takes place only when
bits on the switching input of all switched controlled operational substitutions are
repeated. It is possible to develop a cryptoscheme with a larger number of switched
operations carried out in parallel over reduced data subgroups. This will ensure the
possibility of using a large number of independent switching bits; however, the
efficiency of controlled operations grows considerably when such operations are
used for transforming large data subgroups. Consequently, the use of large number
of switched operations within one round is not proposed.
Nevertheless, the idea of introducing more considerable differences into the
neighboring rounds and into the rounds separated by several steps from each other
also deserves attention. This task can be solved by means of developing switched
controlled operational substitutions with an extended switching range, where
switching is carried out using a switching vector E with a length equal to, for example, k = 4 – 8 bits instead of a single switching bit. It is possible to assume that for a given value E = (e1, e2, …, ek), some controlled operation will be executed, and that the complementary value (e1 ⊕ 1, e2 ⊕ 1, …, ek ⊕ 1) will correspond to the inverse controlled operation. This produces 2k/2 pairs of mutually inverse controlled operations.
Implementation of switched controlled operational substitution with an ex-
tended switching range is also based on the stepwise modifications of the distribu-
tion of control bits over elementary controlled substitution blocks F2/1 for a certain
fixed topology. The type of controlled substitution-permutation network is deter-
mined by the topology of interrelations between controlled elements and distribu-
tion of the control bits. Earlier, switched controlled operational substitutions with
two-variant distribution were covered, which were switched by a single bit e. By
analogy, it is possible to build switched controlled operational substitutions with
multivariant distribution of control bits. Evaluation of the maximum length of the
switching vector E is not a difficult task. To achieve this, it is necessary to account
for the following specific features characteristic of switched controlled operational
substitutions based on redistribution of control bits:

The original controlled substitution-permutation network Fn/m must have symmetric topology.

Two bits supplied to the input of the same elementary switch P2/1, which is a part of a certain switching block of control bits P(E)m/g (in the case of all independent bits in the control vector) or P(E)n/g (in the case of economic implementation of a switched controlled operational substitution using permutation of the bits of the controlling data subgroup), where g is the length of vector E, must be supplied to the input of one or more pairs of symmetrically placed controlled elements F2/1 in the Fn/m block.

If these conditions have been satisfied, then inversion of all bits of an arbitrary vector E will result in forming a new controlled operation that is an inverse of the original one; that is, the following relationship will take place: F(V,E)n/m = (F(V,E′)n/m)–1. This means that the number of pairs of mutually inverse
modifications of the controlled operation F(V,E)n/m is equal to 2g – 1. The greatest
value of g corresponds to the case g = m/2 (implementation of a switched controlled
operational substitution with m independent control bits) and g = n/2 (economic
implementation of a switched controlled operational substitution). For blocks of
the F(V,E)32/96 type, it is possible to have up to 247 or 215 different variants of distrib-
ution of control bits depending on the method of implementation of a switched
controlled operational substitution (general or economic).
Even in the case of the economical type of implementation of a switched con-
trolled operational substitution, the switching range is wide enough. In practice, it
is sufficient to use vectors E up to six bytes in length, which ensures availability of
32 different pairs of mutually inverse controlled operations implemented using a
single switched controlled operational substitution. This means that every bit of
vector E will control many elementary switches in P(E)m/g or P(E)n/g blocks.
When building switched controlled operational substitutions in practice, it is
convenient to structure F2/1 controlled elements so that they form pairs of active
cascades or pairs of some internal CSPNs within the original Fn/m controlled sub-
stitution-permutation network. These pairs must be switched by one of the bits of
vector E. This simplifies the design and analysis of switched controlled operational
substitutions with an extended switching range. The most important circumstance
is that the properties of the original controlled substitution-permutation network
(such as nonlinearity, avalanche effect, etc.) in a certain sense remain intact for each
variant of a controlled operational substitution belonging to the switching range.
Therefore, substantiation of a controlled substitution-permutation network is at
the same time substantiation of the switched controlled operational substitution as
a cryptographic primitive.

FIGURE 4.21 Building a switched controlled operational substitution based on a controlled substitution-permutation network with bilaterally symmetric topology: a) with an even number of active cascades, b) with an odd number of active cascades (L* stands for involution).

Figure 4.21 presents the scheme of building a switched controlled operational substitution inverted by means of permutation of control vectors corresponding to symmetrically placed active layers in cases when the number of such layers is even (a) and odd (b). Different combinations of initial values of bits e1, e2, …, es/2 correspond to different direct controlled operational substitutions. Simultaneous inversion of all switching bits transforms each block into the
corresponding inverse controlled operational substitution. Similar schemes of
building controlled operational substitutions with an extended switching range can
also be used in cases when controlled operational substitutions are built based on
controlled elements with mutually inverse modifications (Figure 4.22).
FIGURE 4.22 Building of a switched controlled operational substitution with extended switching range on the basis of controlled substitution-permutation networks with bilaterally symmetric topology: a) with an even number of active cascades, b) with an odd number of active cascades.
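The inversion mechanism of Section 4.8 and its extension to a multi-bit switching vector E in this section can be exercised on a small model. The following Python is an added example and not code from the book: it builds an 8-bit CSPN with four active layers of q/u elements (Table 4.3), wires the layers with a perfect shuffle, an involution, and the inverse shuffle so that the topology is bilaterally symmetric, feeds the same 4-bit control subgroup to each pair of symmetrically placed layers, and lets a 2-bit vector E = (e1, e2) invert the control bits of one layer pair each, as in the scheme of Figure 4.22. The block width, the wiring tables and all function names are choices made for this example.

```python
# Added example (not from the book): a toy 8-bit switched CSPN with bilaterally
# symmetric topology built from the q/u element of Table 4.3.  Two 4-bit control
# subgroups V = (V1, V2) drive the symmetric layer pairs (1,4) and (2,3); the
# switching vector E = (e1, e2) inverts the control bits of one pair each, as in
# the schemes of Figures 4.21 and 4.22.  Block width, wiring and names are mine.
from itertools import product

N = 8                                  # data block width (the book uses 32 and 64)

def s21_qu(x1, x2, v):
    """q/u element: v = 0 applies q = (x2, x1^x2), v = 1 applies u = q^-1 = (x1^x2, x1)."""
    return (v & x1 ^ x2, v & x2 ^ x1 ^ x2)

def layer(bits, ctrl):
    """One active layer: N/2 q/u elements on adjacent bit pairs, one control bit each."""
    out = []
    for i in range(N // 2):
        out.extend(s21_qu(bits[2 * i], bits[2 * i + 1], ctrl[i]))
    return tuple(out)

# Fixed wiring between layers, out[j] = in[PI[j]].  The topology is bilaterally
# symmetric because PI3 is the inverse of PI1 and PI2 is an involution.
PI1 = [0, 4, 1, 5, 2, 6, 3, 7]              # perfect shuffle
PI2 = [4, 5, 6, 7, 0, 1, 2, 3]              # swap halves (an involution)
PI3 = [PI1.index(i) for i in range(N)]      # inverse shuffle

def permute(bits, pi):
    return tuple(bits[pi[j]] for j in range(N))

def switched_cspn(bits, v1, v2, e):
    """F(V,E): layers 1 and 4 share control V1 ^ e1, layers 2 and 3 share V2 ^ e2."""
    c1 = tuple(b ^ e[0] for b in v1)
    c2 = tuple(b ^ e[1] for b in v2)
    y = layer(bits, c1)
    y = layer(permute(y, PI1), c2)
    y = layer(permute(y, PI2), c2)
    y = layer(permute(y, PI3), c1)
    return y

def complement(e):
    return tuple(b ^ 1 for b in e)

def inverse_pairs_hold(v1, v2):
    """F(V, E^{1}) undoes F(V, E) for every E and every 8-bit input, for the given V."""
    for e in product((0, 1), repeat=2):
        for x in product((0, 1), repeat=N):
            if switched_cspn(switched_cspn(x, v1, v2, e), v1, v2, complement(e)) != x:
                return False
    return True

def distinct_operations(v1, v2):
    """How many different bijections the 2^k values of E select for a fixed V."""
    tables = {tuple(switched_cspn(x, v1, v2, e) for x in product((0, 1), repeat=N))
              for e in product((0, 1), repeat=2)}
    return len(tables)

def bits(s):
    """'10110010' -> (1, 0, 1, 1, 0, 0, 1, 0)."""
    return tuple(int(c) for c in s)
```

The argument for why F(V, E ⊕ 11) = (F(V, E))–1 is visible in the code: the inverse of a layer with control c is the same layer with control c ⊕ 1 (u = q–1), reversing the layer order reads the wiring PI1, PI2, PI3 backwards as PI3–1 = PI1, PI2–1 = PI2, PI1–1 = PI3, and the control sharing between symmetric layers makes the reversed sequence of controls identical to the original one. `distinct_operations` reports how many of the 2k = 4 selectable operations really differ for a given V; for the all-zero control it is at least two, because the images of the input 10000000 under E = 00 and E = 11 differ.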

SUMMARY

One of the most important problems related to designing ciphers with simple key
use schedule is preventing the occurrence of weak keys. In this chapter, it was
shown that the use of data-dependent operations is a prerequisite for the develop-
ment of inexpensive hardware-oriented ciphers. This chapter also suggested an
approach for solving the problem of weak keys based on using switched controlled
operations. Several variants of methods of building switched controlled operations
have been suggested. Being a particular case of the controllability property, the
switching property can be easily and seamlessly built into various types of con-
trolled operations.
Another problem is related to so-called slide attacks covered in “Advanced
Slide Attacks” by A. Biryukov and D. Wagner. This type of attack is based on the periodicity of the recurrent subkeys use, which results in occurrence of the same
round transformations. The potential possibility of implementing such attacks
must be taken into account when designing ciphers of the type under considera-
tion. The use of long secret key (128…256 bits) allows us to easily build the sched-
ule of key use, free from any periodicity, thus eliminating the prerequisite to
implementation of slide attacks. However, when using short keys, a situation fre-
quently encountered in practical application, simple key schedule actually repre-
sents the use of the same subkeys in each round. This case is the most favorable for
slide attacks. Thus, the need for ensuring the possibility of eliminating repetitions
of round transformations by means of using some other mechanisms irrelevant to
the key length is obvious.
The switching property allows for suggesting three variants of such mechanisms:

Using a mixed iterative transformation, including the combination of encrypting (e = 0) and decrypting (e = 1) rounds. Such a mixed transformation can be represented in the form of a certain sequence of values of bit e; for example, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0 (10 encryption rounds) and 1, 1, 0, 1, 0, 0, 1, 1, 0, 1 (10 decryption rounds). This method is the simplest one that can be used for introducing aperiodicity. However, it is necessary to avoid the cases when two sequential rounds are mutually inverse (in some cryptoschemes, such cases are possible).

Development of a special variant of switched operations that can be called extended switched operations. These are some F(E,V) operations dependent on parameter E, where E is some k-bit vector (k ≥ 2) dependent on e and on the number of the encryption round. At the same time, for all V, the modifications F(E,V) and F(E',V) are mutually inverse when E ⊕ E' = {1}k. Thus, F(E,V) contains 2k–1 pairs of mutually inverse modifications of the controlled operation F(V), which allows for easily building 2k unique round transformations for each round subkey. The use of a large number of round transformations of different types allows for easy elimination of the periodicity when using the same round subkey in all encryption rounds; that is, in the case of the simplest key use schedule. For example, an improved switched controlled permutations block P(E,V)32/96, where E = (e1, e2, e3), can be easily built using independent switching bits e1, e2, and e3 for each P(e)2×16/1 block (see Figure 4.15). Proceeding in a similar way, it is possible to transform block P(V,e)64/192 (see Figure 4.16) into P(V,E)64/192, where E = (e1, e2, e3).

Development of the round transformation containing several (for example, k) switched controlled operations controlled by independent switching bits e1, e2, …, ek, each of which is assigned a value dependent on the round number.

Thus, the following conclusions can be drawn:

The use of switched controlled operations allows us to avoid the occurrence of
weak keys in ciphers using the simplest key schedule.
The use of extended switched controlled operations allows us to prevent repe-
titions of the same round transformations when using the same round key in all
encryption rounds.
The use of switched controlled operations allows us to eliminate the vulnera-
bility to slide attacks based on the possibility of choosing the same round keys
for all encryption rounds in ciphers with simple key schedule.
The use of controlled operations and switched controlled operations ensures
development of fast and inexpensive hardware-oriented ciphers.
Switched controlled operations in combination with controlled operations
allow for efficient use of new types of cryptoschemes combining Feistel net-
works with substitution-permutation networks.
There are diverse mechanisms for defining the switching property for con-
trolled substitution-permutation networks.
There exist efficient cryptoschemes for building switched controlled operations
of orders 1, 2, 4,…, n/4, n, where n is the bit width of the switched controlled
operation input.
In terms of a variety of solutions for building switched controlled substitution-
permutation networks, the use of controlled elements of the F3/1 type provides
the best possibilities in comparison to F2/1 and F2/2 elements. Migration to
switched controlled operations on the basis of F3/2 and F4/1, 1 elements will
provide even greater possibilities for designing efficient switched controlled
operations. However, full classification of controlled elements of the latter type
is a considerably more complex task in comparison to classification of F2/1, F2/2,
and F3/1 controlled elements.
Switched controlled substitution-permutation networks by their properties are
identical to normal controlled substitution-permutation networks, because they
have similar topologies. Evaluations of probabilistic properties, nonlinearity, and
other characteristics obtained for normal controlled substitution-permutation
networks can be extended to switched controlled substitution-permutation
networks.
Provided that a correct cryptoscheme has been chosen, switched controlled
operations and controlled operations introduce the same delay into the en-
cryption procedure having the same number of active layers.
Switched controlled operations allow for using cryptoschemes free from inver-
sion of the key use schedule when changing the encryption mode, thus provid-
ing further possibilities of reducing the complexity of circuit implementation
for block ciphers.
5 Designing Fast Ciphers Based on Controlled Operations

This chapter deals only with the block cipher algorithms developed by the authors of the book. All terms and designations used here correspond to those in the two previous chapters, unless otherwise specified.

5.1 THE SPECTR-H64 BLOCK CIPHER

This algorithm is a practical implementation of the main ideas of block cipher synthesis based on controlled operations, considered in the previous chapters, and is aimed at high-speed information handling with a 32-bit data exchange bus.

5.1.1 The General Scheme of Block Encryption
For the SPECTR-H64 algorithm, the general encryption scheme (encryption and
decryption) is determined by the formula:

Y = F(X, Q(e)),

where Q(e) = H(K, e) is the extended key, a function of the 256-bit secret key K and
the encryption mode e (e = 0—encryption, e = 1—decryption). In encryption
mode, X is the initial block of binary data (plaintext), and in decryption mode, it is
the transformed block of binary data (ciphertext). In encryption mode, the result-
ing value Y is ciphertext, and in decryption mode, it is plaintext.
The secret key K is represented as a combination of eight 32-bit subkeys;
namely, K = K1||K2||…||K8, where K1, K2, …, K8 ∈ GF(2)32.
The encryption algorithm (the F function) is described in Section 5.1.2, and
the procedure for building the Q(e) = H(K, e) working key is in Section 5.1.3.

5.1.2 The Encryption Algorithm
The F function (Figure 5.1) is implemented with the following procedures:

Initial transformation—IT.
12 rounds (loops) of transformations using the Crypt procedure.
Final transformation—FT.

First, the IT procedure is performed: Y = IT(X, Q(e)IT).
The Y block is divided into two subblocks of the same length—L0 and R0; in
other words, (L0, R0) = Y, where L0, R0 ∈ GF(2)32. Then, 12 rounds of transforma-
tion are performed with the Crypt procedure according to the formulas:

Lj = Crypt(Rj–1, Lj–1, Q(e)j);
Rj = Lj–1 (j = 1, 2, …, 12).

After the 12th round over the X = (R12, L12) block, the final transformation, FT,
is performed according to the formula:

Y = FT(X, Q(e)FT).

FIGURE 5.1 A basic model of an iterative block cipher algorithm (the block X enters the initial transformation IT with key Q(e)IT, is split into (L0, R0), passes through r rounds of Crypt with round keys Q1(e), …, Qr(e) producing (Lj, Rj), and leaves the final transformation FT with key Q(e)FT as Y).

Initial Transformation
The initial transformation IT is as follows:

Y = IT(X, A),

where X, Y ∈ GF(2)64, A ∈ GF(2)32.


The implementation scheme of this transformation is shown in Figure 5.2,
where each pair of bits of the input block X with the indices 2j–1 and 2j (j = 1, 2, ...,
32) is either permuted (aj = 1) or not permuted (aj = 0), after which each even bit is
inverted. The bit values of the Y vector are calculated with the following formulas:

y2j–1 = (x2j–1 ⊕ x2j)aj ⊕ x2j–1 and y2j = (x2j–1 ⊕ x2j)aj ⊕ x2j ⊕ 1.



FIGURE 5.2 Initial transformation (s = n/2).
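The initial transformation is a keyed bit-pair operation that is simple enough to write out exactly. The following Python is an added example, not code from the book or from the SPECTR-H64 authors: it implements IT(X, A) from the two formulas above together with its inverse, and assumes that bit 1 is the most significant bit of both the 64-bit block X and the 32-bit key A (the book does not state a bit order, so this is a convention chosen here).

```python
# Added example (not from the book): the SPECTR-H64 initial transformation
# Y = IT(X, A) for a 64-bit X and 32-bit A, written bit-exactly from the formulas
#   y(2j-1) = (x(2j-1) ^ x(2j)) a_j ^ x(2j-1),   y(2j) = (x(2j-1) ^ x(2j)) a_j ^ x(2j) ^ 1,
# plus its inverse.  Assumption: bit 1 is the most significant bit of X and of A.

def _bit(value, width, index):
    """Bit `index` (1-based, 1 = most significant) of a `width`-bit integer."""
    return (value >> (width - index)) & 1

def initial_transformation(x, a):
    """IT: for every pair (2j-1, 2j), swap the two bits iff a_j = 1, then invert the even bit."""
    y = 0
    for j in range(1, 33):
        x_odd, x_even = _bit(x, 64, 2 * j - 1), _bit(x, 64, 2 * j)
        d = (x_odd ^ x_even) & _bit(a, 32, j)      # nonzero only when a_j = 1 and the bits differ
        y |= (d ^ x_odd) << (64 - (2 * j - 1))
        y |= (d ^ x_even ^ 1) << (64 - 2 * j)
    return y

def inverse_initial_transformation(y, a):
    """IT^-1: undo the inversion of the even bits first, then undo the conditional swap,
    which is its own inverse.  IT itself is not an involution: applying it twice with
    a_j = 1 complements both bits of the pair instead of restoring them."""
    x = 0
    for j in range(1, 33):
        y_odd, y_even = _bit(y, 64, 2 * j - 1), _bit(y, 64, 2 * j) ^ 1
        d = (y_odd ^ y_even) & _bit(a, 32, j)
        x |= (d ^ y_odd) << (64 - (2 * j - 1))
        x |= (d ^ y_even) << (64 - 2 * j)
    return x

def round_trips(x, a):
    """True iff IT^-1(IT(x, a), a) == x for the given 64-bit x and 32-bit a."""
    return inverse_initial_transformation(initial_transformation(x, a), a) == x
```

With A = 0 the transformation reduces to XOR with the constant 0x5555555555555555 (all even bits inverted, nothing swapped); with A = 0xFFFFFFFF every pair is swapped, and applying IT twice then complements the whole block rather than restoring it, which is why a separate inverse is needed for the decryption direction.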

The Crypt Procedure
A formal record of the Crypt procedure looks as follows:

R = Crypt(R, L, (A(1), A(2), A(3), A(4), A(5), A(6))),

where L, R ∈ GF(2)32 and A(1), A(2), …, A(6) ∈ GF(2)32.


The elements A(1), A(2), …, A(6) are the formal parameters of key information; in other words, Q(i,e)j is an element of round key Q(e)j = (Q(1,e)j, Q(2,e)j, …, Q(6,e)j) and corresponds to the A(i) parameter. Accordingly, R and L are formal parameters for the left and right parts of the input data block.
One feature of such an implementation of the Crypt procedure is the use of six 32-bit subkeys in one round.
The procedure uses:

The rotation operation “>>>” by a fixed number of bits
Bit-wise addition modulo 2 “⊕”
A nonlinear vector boolean function G
Controlled permutation boxes P32/80 and P–132/80 of the first order
A procedure for expanding control vector E (expansion box)

Two-stage Clos networks C<8,4> and C<4,8> are used as the P32/80 and P–132/80 boxes, respectively, where for the C<8,4> box the smaller boxes are R3 and R2 boxes, and for C<4,8> = C–1<4,8> they are the R–12 and R–13 boxes. This differs from the classical structure of the C<8,4> Clos network in that the order of R2 boxes is changed (see the box numeration in Figure 5.3). The commutation between the third and fourth layers in box P32/80 is the following involution:

π = (1)(2, 9)(3, 17)(4, 25)(5)(6, 13)(7, 21)(8, 29)(10)(11, 18)(12, 26)(14)(15, 22)(16, 30)(19)(20, 27)(23)(24, 31)(28)(32).

The sequence of transformations and their interaction is shown in Figure 5.4.

FIGURE 5.3 The controlled permutations box P32/80.

FIGURE 5.4 The Crypt procedure scheme.

The time base of operations in Crypt procedure is presented in Table 5.1.


TABLE 5.1 The Time Base for Performing an Operation in the Crypt Procedure

No. | Time base (τ⊕) | Operations
1   | 0              | U = L>>>11; U′ = L>>>17; U′′ = L>>>11
2   | 0÷1            | V = EA(1)||A(2)(U); V′ = EA(3)||A(4)(U′); V′′ = EA(5)||A(6)(U′′); W = L ⊕ A(3)
3   | 0÷5            | R = P32/80(V)(R); X = P32/80(V′)(A(4))
4   | 1÷5            | X′ = GA(3)||A(4)(W)
5   | 5÷6            | R = R ⊕ X
6   | 6÷7            | R = R ⊕ X′
7   | 7÷12           |

As it follows from Table 5.1, most operations are performed concurrently, and the total time required for the performance of the procedure is equal to the consecutive performance of 12 operations of the XOR type.

This index can be improved if a matrix structure of implementing R2 boxes in boxes P32/80 and P–132/80 is used. In this case, the time for the Crypt procedure’s implementation will not exceed the time it takes to consecutively perform nine operations of the XOR type.

Vector Boolean Function G

A controlled substitution operation is used as the vector boolean function G, one of the implementations of a sequential bijective model. Formally, the G function looks like this:

X' = G(W, A, B), where X', W, A, B ∈ GF(2)32.

The formal parameters A and B correspond to the formal parameters A(3) and A(4) of the Crypt procedure. In vector form, the G function is determined by the formula:

X' = M(0) ⊕ M(1) ⊕ (M(2) ⊗ A) ⊕ (M(2) ⊗ M(5) ⊗ B) ⊕ (M(3) ⊗ M(5)) ⊕ (M(4) ⊗ B).

The binary vectors M(0), M(1), …, M(5) are expressed recursively via W; namely,

M(0) = (m1(0), m2(0), m3(0), …, m31(0), m32(0)) = (w1, w2, w3, …, w31, w32)

and ∀ j = 1, 2, …, 5,

M(j) = (m1(j), m2(j), m3(j), …, m31(j), m32(j)) = (1, m1(j–1), m2(j–1), …, m31(j–1)).

Taking into account the option of concurrent performance of some operations, it is easy to establish that the G function is implemented during four delay time units (4τ⊕) instead of the allowable five time units—in other words, there is a reserve kept for its meshing.

Grounds for Choosing a Nonlinear G Function


Let’s define the mapping G: GF(2)32 × GF(2)32 × GF(2)32 → GF(2)32 as a boolean
vector function Y = G(X, A, B) of the following appearance:

(y1, y2, …, y32) = (g1(X, A, B), g2(X, A, B), …, g32(X, A, B)),

where gi are certain generator boolean functions.


If, for each i, the condition gi(X, A, B) = gi(x1, x2, …, xi, A, B) holds, then such a mapping is a sequential model of a controlled substitution operation. If the functions gi(X, A, B) = xi ⊕ g′i(x1, x2, …, xi−1, A, B) are chosen as generator functions in this model, then the vector boolean function G implements a mapping that is bijective in X (xi is recovered as yi ⊕ g′i(x1, …, xi−1, A, B), bit by bit). A single unified boolean function of eight variables serves as the prototype of the generator functions in G. It looks as follows:

g = g(z1, z2, …, z8) = z7 ⊕ z8 ⊕ ϕ(z1, z2, …, z6),

where ϕ(z1, z2, …, z6) = z1z2z3 ⊕ z1z4 ⊕ z2z5 ⊕ z3z6 is a bent function, defined as follows.

Definition 5.1
A boolean function f(X) (X ∈ GF(2)^n, n even) is called perfect nonlinear, or a bent function [76], if for every α ∈ GF(2)^n the following equality is true: U*α(f) = ±2^(n/2).

In differential, linear, and other types of cryptanalysis, the leading role belongs to the Walsh-Hadamard transformation, which is a modification of the discrete Fourier transform.

Definition 5.2
The Walsh-Hadamard transformation (WHT) of a real-valued function f(X), X ∈ GF(2)^n, at the vector α ∈ GF(2)^n is the linear transformation, taking its values in the real numbers, of the form

Uα(f) = Σ_{X ∈ GF(2)^n} f(X)(−1)^(α•X),

where α•X is the inner product over GF(2). U*α(f) denotes the same transformation applied to the sign function (−1)^f(X) of a boolean function f.

The Walsh-Hadamard transformation of the g function has 64 elements with |U*α(g)| = 32, namely those at the vectors α = (α1, α2, …, α6, 1, 1), and the remaining 192 elements are U*α(g) = 0. With respect to the selected structure and properties of bent functions, the g function has the following characteristics:

- The nonlinearity of g is N(g) = 2^(m−1) − 2^((m+2)/2−1) = 112 (with m = 8), which is quite close to the maximum possible nonlinearity of boolean functions of 8 variables (Nmax = 2^(m−1) − 2^(m/2−1) = 120).
- g is correlation immune with respect to every vector α = (α1, α2, …, α8) ∈ GF(2)^8 with α7 = 0 or α8 = 0 (U*α(g) = 0 there), which is 75% of the whole GF(2)^8 set.
- g possesses good autocorrelation properties, because for all nonzero avalanche vectors (Δz1, Δz2, …, Δz8) ∈ GF(2)^8 except three, (0, …, 0, 0, 1), (0, …, 0, 1, 0), and (0, …, 0, 1, 1), the 8th order propagation criterion is fulfilled; that is, the function Δg = g(z1, z2, …, z8) ⊕ g(z1 ⊕ Δz1, z2 ⊕ Δz2, …, z8 ⊕ Δz8) is balanced (see Section 4.2.6). For the three exceptions Δg is constant, since only the linear part z7 ⊕ z8 changes.
- The degree of the algebraic normal form of g is 3 (deg(g) = 3).

A transition from the general form of the g function to the particular generator functions of the sequential model of a controlled substitution operation is performed by the following substitution of variables:

z1 → xi−2, z2 → xi−5, z3 → bi, z4 → ai, z5 → xi−3, z6 → xi−4, z7 → xi−1, z8 → xi,

where i ∈ {1, 2, …, n} and n = 32.

Thus, the generator functions look as follows:

yi = gi(X, A, B) = xi ⊕ xi−1 ⊕ xi−2ai ⊕ xi−2xi−5bi ⊕ xi−3xi−5 ⊕ xi−4bi,

where xi, ai, and bi are the components of the vectors X, A, B ∈ GF(2)^32, and the initial conditions correspond to the vector (x−4, x−3, x−2, x−1, x0) = (1, 1, 1, 1, 1).
In cryptographic primitives, linear transformations of the input vectors are often used as intermediate transformations. To make the estimation of such primitives more effective, the following properties of transformations should be taken into account:

Statement 5.1
If B is a nonsingular matrix of order n over the field GF(2), and the relationship g(X) = f(XB) holds for a boolean function f(X), then f(X) and g(X) have the same algebraic degree (deg(f) = deg(g)) and the same nonlinearity (N(f) = N(g), N*(f) = N*(g)), and they also have the same linear dimension.

Statement 5.2
If a boolean function has the form f(X) = haff(X1) ⊕ hbent(X2), where haff(X1) (X1 ∈ GF(2)^l) and hbent(X2) (X2 ∈ GF(2)^(n−l), n − l even) are an affine and a bent function, respectively, then the original function has linear dimension l and nonlinearity N(f) = 2^(n−1) − 2^((n+l)/2−1).

According to the scheme of the Crypt procedure (Figure 5.4), the G function is preceded by the linear transformation W = L ⊕ A (A = A(3)), which changes neither the nonlinearity nor the degree of the algebraic normal form of the generator functions (see Statement 5.1), but does complicate the resulting appearance of the generator functions. The function G′ = G(L ⊕ A, A, B) is bijective in L for any fixed values of the parameters A and B.
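The figures quoted above for g can be recomputed rather than taken on trust. The following Python is an added example, not code from the book: it builds the truth table of g, applies a fast Walsh-Hadamard transform to its sign function (Definition 5.2 applied to (−1)^g), and reports the nonlinearity, the location and size of the Walsh support, the bentness of ϕ by Definition 5.1, and the avalanche vectors for which Δg is not balanced. The bit encoding (bit i of an integer index holds z_{i+1}) is the example's own choice; the same functions apply unchanged to the 12-variable prototypes used later in this chapter.

```python
"""Walsh-Hadamard analysis of the SPECTR-H64 generator prototype g.

Added example, not code from the book: it computes the figures the text
quotes for g = z7 + z8 + phi(z1..z6), phi = z1z2z3 + z1z4 + z2z5 + z3z6
(+ is XOR), using a fast Walsh-Hadamard transform of the sign function.
Bit i of an integer index holds z_{i+1}; the same encoding is used for alpha.
"""
from itertools import product


def phi(z):
    """Bent function phi(z1..z6); z is a bit tuple with z[0] = z1."""
    z1, z2, z3, z4, z5, z6 = z[:6]
    return (z1 & z2 & z3) ^ (z1 & z4) ^ (z2 & z5) ^ (z3 & z6)


def g(z):
    """Prototype g(z1..z8) = z7 ^ z8 ^ phi(z1..z6)."""
    return z[6] ^ z[7] ^ phi(z)


def truth_table(f, n):
    return [f(tuple((x >> i) & 1 for i in range(n))) for x in range(1 << n)]


def walsh_spectrum(tt):
    """U*_alpha(f) = sum_X (-1)^(f(X) ^ alpha.X) for all alpha (Definition 5.2
    applied to the sign function), by the in-place butterfly in O(n 2^n)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def nonlinearity(tt):
    """N(f) = 2^(n-1) - max_alpha |U*_alpha(f)| / 2 (distance to the affine functions)."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(v) for v in walsh_spectrum(tt)) // 2


def is_bent(tt):
    """Definition 5.1: every |U*_alpha(f)| equals 2^(n/2)."""
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(v) == 1 << (n // 2) for v in walsh_spectrum(tt))


def walsh_support(tt):
    """Vectors alpha (as bit tuples, alpha_1 first) with U*_alpha(f) != 0."""
    n = len(tt).bit_length() - 1
    return {tuple((a >> i) & 1 for i in range(n))
            for a, v in enumerate(walsh_spectrum(tt)) if v != 0}


def unbalanced_differences(f, n):
    """Nonzero avalanche vectors dz for which f(z) ^ f(z ^ dz) is not balanced."""
    bad = []
    for dz in product((0, 1), repeat=n):
        if not any(dz):
            continue
        ones = sum(f(z) ^ f(tuple(a ^ b for a, b in zip(z, dz)))
                   for z in product((0, 1), repeat=n))
        if ones != (1 << n) // 2:
            bad.append(dz)
    return bad


def analyse_g():
    """All figures for g in one place, computed rather than quoted."""
    tt = truth_table(g, 8)
    spec = walsh_spectrum(tt)
    support = walsh_support(tt)
    return {
        "nonlinearity": nonlinearity(tt),                    # 112
        "nonlinearity_bound": (1 << 7) - (1 << 3),           # 120 for 8 variables
        "support_size": len(support),                        # 64
        "support_magnitudes": {abs(v) for v in spec if v},   # {32}
        "support_has_a7_a8_set": all(a[6] == 1 and a[7] == 1 for a in support),
        "phi_is_bent": is_bent(truth_table(phi, 6)),
        "unbalanced_differences": unbalanced_differences(g, 8),  # exactly three
    }


if __name__ == "__main__":
    for name, value in analyse_g().items():
        print(name, value)
```

The support check is the one worth keeping in a regression suite: the linear part z7 ⊕ z8 makes the transform vanish unless both α7 and α8 are set, and that is exactly the structure Statement 5.2 predicts for an affine part of dimension l = 2.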

The Extension Procedure for Control Vector E (Extension Box)


This procedure is intended for building an 80-bit control vector from a 32-bit one.
It formally looks as follows:

V = (V1||V2||V3||V4||V5) = E(U, A, B) = EA||B(U),

where V ∈ GF(2)80, V1, V2, V3, V4, V5 ∈ GF(2)16, U, A, B ∈ GF(2)32.


Actually, the V vector is calculated according to the formulas:

V1 = Uhi; V2 = Pπ(1)((U ⊕ A)hi); V5 = Pπ(1)((U ⊕ A)lo),


V3 = Pπ(5)((U ⊕ B)hi); V4 = Pπ(5)((U ⊕ B)lo),

where the transformation Pπ(s) looks as follows: Pπ(s)(Z) = (Zhi)>>>s||(Zlo)>>>s.


For the P32/80 box, the correspondence between the bit numbers of the V and U vectors is shown in Table 5.2. For example, 17 in the first line means that the control input v1(1) of a P2/1 box is fed the value u17; 22₁ corresponds to v13(2) = u22 ⊕ a22, and 7₂ corresponds to v10(4) = u7 ⊕ b7 (the subscript 1 or 2 marks the round key, A or B, with which the U bit is combined). The extension procedure E is built so that the 16 lower order bits of the U vector participate in controlling only the R2 boxes, whereas the higher order bits control only the R3 boxes, with all bit numbers of the vector U being different within each R2 and R3 box.

TABLE 5.2 Control Bit Values for the P32/80 Box

The same extension procedure E is used for the box P⁻¹32/80, but, due to the special numbering of the control bits of P⁻¹32/80, Table 5.2 is transformed into Table 5.3. The E procedure provides for:

- the uniform participation of all 32 bits of the U vector in controlling the P32/80 box;
- five different bits of the U vector (one per layer) participating in the control of any chosen commutation of one input bit with one output bit, which guarantees that such a commutation is realizable for any values of the round keys A and B and, consequently, corresponds to a box of the first order;
- the control vector V1 being a fixed permutation of 16 bits of the L block; in other words, the transformation in the first layer of the P32/80 box is performed without any time delay.

TABLE 5.3 Control Bit Values for the P⁻¹32/80 Box

Final Transformation
The FT procedure is the inverse of the IT procedure. This transformation looks as follows:

Y = FT(X, A),

where X, Y ∈ GF(2)^64, A ∈ GF(2)^32.

Initially, each even bit of the input block is inverted (see Figure 5.5), and then each pair of bits of the input block X with indices 2j−1 and 2j (j = 1, 2, …, 32) is either permuted (aj = 1) or not (aj = 0).

FIGURE 5.5 Final transformation (s = n/2).

The bit values of the Y vector are calculated with the use of the following formulas:

y2j−1 = (x2j−1 ⊕ x2j ⊕ 1)aj ⊕ x2j−1 and y2j = (x2j−1 ⊕ x2j ⊕ 1)aj ⊕ x2j ⊕ 1.

5.1.3 The Schedule for Using Round Keys

In the 12-round SPECTR-H64 block cipher, the extended key Q(e) is a combination of 14 subkeys; namely,

Q(e) = (QIT(e), Q1(e), Q2(e), …, Q12(e), QFT(e)),

where for all j = 1, 2, …, 12, Qj(e) = (Qj(1,e), Qj(2,e), …, Qj(6,e)),

with QIT(e), QFT(e), Qj(h,e) ∈ GF(2)^32 for all h = 1, 2, …, 6.
The extended key Q(e) is thus a series of 74 32-bit binary vectors (72 round subkeys plus QIT(e) and QFT(e)), each being one of the eight secret subkeys K1, K2, …, K8.
Some elements of the extended key Q(e) have fixed values Kj; the rest are determined via the parameters Oi, which are calculated, in turn, by the formulas:

O2i−1 = K2i−1+e and O2i = K2i−e,

where K = K1||K2||…||K8 and i = 1, 2, 3, 4.


The commutation scheme between Oi and Kj is shown in Figure 5.6.

FIGURE 5.6 The subkey commutation scheme.

The correspondence of the subkeys QIT(e), QFT(e), Qj(1,e), Qj(2,e), …, Qj(6,e) (j = 1, 2, …, 12) is specified in Table 5.4.

TABLE 5.4 Schedule for Using Round Keys

For example, for the fifth round (j = 5), the subkey sequence K1||K2||O7||O6||K4||K3 corresponds to the formal parameters A(1), A(2), …, A(6) of the Crypt procedure; namely,

Q5(e) = (Q5(1,e), Q5(2,e), Q5(3,e), Q5(4,e), Q5(5,e), Q5(6,e)) = (K1, K2, O7, O6, K4, K3).

That is, Q5(e) = (K1, K2, K7+e, K6−e, K4, K3).

For the encryption mode, Q5(0) = (K1, K2, K7, K6, K4, K3),
and for the decryption mode, Q5(1) = (K1, K2, K8, K5, K4, K3).

For the initial and final transformations, the keys QIT(e) and QFT(e) are

QIT(e) = O1 and QFT(e) = O2.

That is,

QIT(e) = K1+e and QFT(e) = K2−e.

For the encryption mode,

QIT(0) = K1 and QFT(0) = K2,

and for the decryption mode,

QIT(1) = K2 and QFT(1) = K1.

5.2 THE SPECTR-128 CIPHER (ALGORITHM)

This algorithm is a practical implementation of the main ideas for synthesis of a fast
block cipher based on controlled operations and considered in previous chapters, and
it is aimed at high-speed information processing with a 64-bit data exchange bus.

5.2.1 A General Scheme of Block Encryption


For the SPECTR-128 algorithm, a general encryption scheme (encryption and de-
cryption) is determined by the formula:

Y = F(X, Q(e)),

where Q(e) = H (K, e) is an extended key that is a function of a 256-bit secret key K
and the encryption mode e (e = 0—encryption, e = 1—decryption), while in the
encryption mode X is the initial block of binary data (plaintext), and in the de-
cryption mode it is a transformed block of binary data (ciphertext). In encryption
mode, the resulting value Y is ciphertext, and in decryption mode, it is plaintext.
The secret key K is represented as a combination of four 64-bit subkeys; namely, K = K1||K2||K3||K4, where K1, K2, K3, K4 ∈ GF(2)^64.
The encryption algorithm (the F function) is described in Section 5.2.2, and the procedure for building the working key Q(e) = H(K, e) in Section 5.2.3.

5.2.2 The Encryption Algorithm

The F function (Figure 5.1) is implemented using the following procedures:

- the initial transformation IT;
- 12 rounds (loops) of transformations using the Crypt procedure;
- the final transformation FT.

First, the IT procedure is performed: Y = IT(X, QIT(e)).
Block Y is divided into two subblocks of the same length, L0 and R0; in other words, (L0, R0) = Y, where L0, R0 ∈ GF(2)^64. Then, 12 rounds of transformation are performed using the Crypt procedure according to the formulas:

Lj = Crypt(Rj−1, Lj−1, Qj(e)), Rj = Lj−1 (j = 1, 2, …, 12).

After the 12th round, the final transformation FT is performed over the block X = (R12, L12) according to the formula:

Y = FT(X, QFT(e)).

Initial Transformation
The initial transformation IT looks as follows:

Y = IT(X, A),

where X, Y ∈ GF(2)128, A ∈ GF(2)64.


The implementation scheme of this transformation is shown in Figure 5.2, in which each pair of bits of the input block X with the indices 2j−1 and 2j (j = 1, 2, …, 64) is either permuted (aj = 1) or not permuted (aj = 0), after which each even bit is inverted. The bit values of vector Y are calculated by the following formulas:

y2j−1 = (x2j−1 ⊕ x2j)aj ⊕ x2j−1 and y2j = (x2j−1 ⊕ x2j)aj ⊕ x2j ⊕ 1.

The Crypt Procedure

Formally, the Crypt procedure looks as follows:

R = Crypt(R, L, (A(1), A(2), A(3), A(4))),

where L, R ∈ GF(2)^64 and A(1), A(2), A(3), A(4) ∈ GF(2)^64.

The elements A(1), A(2), A(3), and A(4) are formal parameters of the key information; in other words, Qj(i,e), an element of the round key Qj(e) = (Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e)), corresponds to the parameter A(i). Accordingly, R and L are the formal parameters for the left and right parts of the input data block.
One feature of this implementation of the Crypt procedure is the use of four 64-bit subkeys in one round, so that all bits of the 256-bit secret key K are used in every round. In addition, a more complicated vector boolean function G is used.
The procedure employs:

- the rotation operation “>>>” by a fixed number of bits;
- bit-wise addition modulo 2, “⊕”;
- a nonlinear vector boolean function G;
- controlled permutation boxes P64/192 and P⁻¹64/192 of the first order;
- the control vector extension procedure E (expansion box).

A two-stage Clos network C<8, 8> is used as the P64/192 and P⁻¹64/192 boxes (Figure 5.7), where the first layer is made up of R3 boxes and the second of R3⁻¹ boxes. Since the structure of the P64/192 and P⁻¹64/192 boxes is the same, in Figure 5.7 column (I) corresponds to the control vector for the direct transformation, and column (II) to the reverse transformation.

FIGURE 5.7 Controlled permutations box P64/192.

The sequence of transformations and their interaction are shown in Figure 5.8. The time base of the operations in the Crypt procedure is presented in Table 5.5.

FIGURE 5.8 The Crypt procedure scheme.

TABLE 5.5 The Time Base for Operations in the Crypt Procedure (time base in τ⊕; last step: R = P⁻¹64/192(V″)(R))

As follows from Table 5.5, most of the operations are performed concurrently, and the total time required for the procedure equals the time of 14 consecutive operations of the XOR type.

Vector Boolean Function G

A controlled substitution operation, which is one of the implementations of the sequential bijective model, is used as the vector boolean function G. Formally, the G function looks as follows:

X′ = G(L, A, B), where X′, L, A, B ∈ GF(2)^64.

The formal parameters A and B correspond to the formal parameters A(3) and A(4) of the Crypt procedure. In vector form, the G function is determined by the formula:

X′ = L(0) ⊕ A(0) ⊕ (L(1) ⊗ B(2)) ⊕ (L(6) ⊗ L(8)) ⊕ (A(2) ⊗ L(7)) ⊕ (A(1) ⊗ B(1)) ⊕ (L(3) ⊗ L(9)) ⊕ (L(1) ⊗ L(9) ⊗ A(2)) ⊕ (L(1) ⊗ L(6) ⊗ L(9) ⊗ B(1)),

where the vectors L(j) (j = 0, 1, 2, …, 9) are expressed recursively via L; namely,

L(0) = (l1(0), l2(0), l3(0), …, l63(0), l64(0)) = L = (l1, l2, l3, …, l63, l64)

and, for all j = 1, 2, …, 9,

L(j) = (l1(j), l2(j), l3(j), …, l63(j), l64(j)) = (1, l1(j−1), l2(j−1), l3(j−1), …, l63(j−1)).

The vectors A(j) and B(j) for j = 0, 1, 2 are determined in the same manner from A and B.

Taking into account that some operations can be performed concurrently, it is easy to establish that the G function is implemented in five delay units (5τ⊕).

Grounds for Selecting a Nonlinear G Function

Define the mapping G: GF(2)^64 × GF(2)^64 × GF(2)^64 → GF(2)^64 as a boolean vector function Y = G(X, A, B) of the following appearance:

(y1, y2, …, y64) = (g1(X, A, B), g2(X, A, B), …, g64(X, A, B)),

where the gi are certain generator boolean functions. If the condition gi(X, A, B) = gi(x1, x2, …, xi, A, B) holds for each i, then such a mapping is a sequential model of a controlled substitution operation. If the functions gi(X, A, B) = xi ⊕ g′i(x1, x2, …, xi−1, A, B) are selected as generator functions in this model, then the vector boolean function G implements a mapping that is bijective in X. A single unified boolean function of 12 variables is used as the prototype of the generator functions in G. It looks as follows:

g = g(z1, z2, …, z12) = z11 ⊕ z12 ⊕ ϕ(z1, z2, …, z10),

where ϕ(z1, z2, …, z10) = z1z2 ⊕ z3z4 ⊕ z5z6 ⊕ z7z8 ⊕ z9z10 ⊕ z1z5z9 ⊕ z1z3z7z9 is a bent function (see Definition 5.1). The Walsh-Hadamard transformation (see Definition 5.2) of the g function has 1024 elements with |U*α(g)| = 128, namely those at the vectors α = (α1, α2, …, α10, 1, 1), and the remaining 3072 elements are U*α(g) = 0. With respect to the selected structure and properties of bent functions, the g function has the following characteristics:

- The nonlinearity of g is N(g) = 2^(m−1) − 2^((m+2)/2−1) = 1984 (with m = 12), which is quite close to the maximum possible nonlinearity of boolean functions of 12 variables (Nmax = 2^(m−1) − 2^(m/2−1) = 2016).
- g is correlation immune with respect to every vector α = (α1, α2, …, α12) ∈ GF(2)^12 with α11 = 0 or α12 = 0 (U*α(g) = 0 there), which is 75% of the whole GF(2)^12 set.
- g possesses good autocorrelation properties because for all nonzero avalanche vectors (Δz1, Δz2, …, Δz12) ∈ GF(2)^12 except three, (0, …, 0, 0, 1), (0, …, 0, 1, 0), and (0, …, 0, 1, 1), the 12th order propagation criterion is fulfilled; that is, the function Δg = g(z1, z2, …, z12) ⊕ g(z1 ⊕ Δz1, …, z12 ⊕ Δz12) is balanced.
- The degree of the algebraic normal form of g is 4 (deg(g) = 4).

A transition from the general form of the g function to the particular generator functions of the sequential model of a controlled substitution operation is performed by the following substitution of variables:

z1 → li−1, z2 → bi−2, z3 → li−6, z4 → li−8, z5 → ai−2, z6 → li−7, z7 → bi−1, z8 → ai−1, z9 → li−9, z10 → li−3, z11 → li, z12 → ai,

where i ∈ {1, 2, …, n} and n = 64.

Thus, the generator functions look like:

yi = gi = li ⊕ ai ⊕ li−1bi−2 ⊕ li−6li−8 ⊕ ai−2li−7 ⊕ ai−1bi−1 ⊕ li−3li−9 ⊕ li−1ai−2li−9 ⊕ li−1bi−1li−6li−9,

where lj, aj, bj are the components of the vectors L, A, B ∈ GF(2)^64, and the initial conditions correspond to l−8 = l−7 = … = l0 = 1 and a−1 = a0 = b−1 = b0 = 1 (the leading 1s of the vectors L(j), A(j), B(j)).

The Procedure for Extending Control Vector E (Extension Box)

This procedure is intended for building a 192-bit control vector from a 64-bit one. Formally, the E procedure looks as follows:

V = (V1||V2||V3||V4||V5||V6) = E(U, A) = EA(U),

where V ∈ GF(2)^192, V1, V2, V3, V4, V5, V6 ∈ GF(2)^32, U, A ∈ GF(2)^64.

The V vector is calculated according to the formulas:

V1 = Uhi, V2 = Pπ(1)((U ⊕ A)hi), V3 = Pπ(11)(Uhi) ⊕ Pπ(8)(Ahi),
V6 = Ulo ⊕ (Alo)>>>28, V5 = Pπ(1)((U ⊕ A)lo), V4 = Pπ(11)(Ulo) ⊕ Pπ(8)(Alo),

where the Pπ(s) transformation is Pπ(s)(Z) = (Zhi)>>>s || (Zlo)>>>s.


For the P64/192 box, the correspondence between the bit numbers of the V and U vectors is shown in Table 5.6. For example, 19 in the fourth line, corresponding to the vector V4, means that the value u19 is used as the control bit v10(4), that is, the tenth bit of V4 within V; 22 corresponds to the value u22, and 7 to the value u7.

Table 5.6 The Correspondence between the U and V Vector Bits for the P64/192 Box

Similarly, Table 5.7 shows the correspondence of bit numbers for vectors V and
A; the table’s analysis proves that V1 does not depend on A.

Table 5.7 The Correspondence between the A and V Vector Bits for the P64/192 Box

The extension is done in such a way that the 32 high order bits of vector A control only the R3 boxes, and the 32 low order bits control only the R3⁻¹ boxes, whereas in each box R3 and R3⁻¹ all bit numbers of the vectors U and A are different. Moreover, there are no two P2/1 boxes whose control bits are the same expression of the form ui ⊕ aj.
The E procedure provides for:

- the uniform participation of all 64 bits of the U vector in controlling the P64/192 box;
- six different bits of the U vector and five different bits of the key A participating in the control of any chosen commutation of one input bit with one output bit, which guarantees the implementation of all commutation variants;
- the control vector V1 being a fixed substitution of 32 bits of the U vector; in other words, the transformation in the first layer of the P64/192 box is performed without a time delay.
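Both extension procedures, E_{A||B}(U) of SPECTR-H64 (Section 5.1) and E_A(U) of SPECTR-128 just described, are GF(2)-linear in their inputs, so the bit-correspondence tables (Tables 5.2, 5.6 and 5.7) can be regenerated by pushing unit vectors through E. The following Python is an added example, not code from the book; it assumes the bit conventions stated in its docstring (index 1 is the least significant bit, "hi" is the upper-index half, Z>>>s moves bit i to i−s) and checks the properties listed above: every layer uses each bit of one half of U exactly once, V1 is key-independent, and the high half of A reaches only layers 1 to 3 while the low half reaches only layers 4 to 6 (for SPECTR-H64, that A enters layers 2 and 5 and B layers 3 and 4).

```python
"""Control-vector extension E of SPECTR-H64 (32 -> 80 bits) and SPECTR-128
(64 -> 192 bits), with the bit-dependence checks described in the text.

Added example, not code from the book. Assumptions: bit vectors are Python
lists indexed 1..n (index 0 unused) with index 1 the least significant bit;
"hi" is the upper-index half u_{n/2+1..n}, so that v_1^(1) of SPECTR-H64 is
fed u_17 as the text states; Z>>>s moves bit i to position i-s (mod m).
Every property checked below is a statement about which input bits reach
which control bits, so it holds for either half or rotation convention.
"""


def xor(x, y):
    return [0] + [x[i] ^ y[i] for i in range(1, len(x))]


def hi(z):
    m = (len(z) - 1) // 2
    return [0] + z[m + 1:]


def lo(z):
    m = (len(z) - 1) // 2
    return [0] + z[1:m + 1]


def cat(h, l):
    """h || l written most significant first: l is the low-index half of the result."""
    return [0] + l[1:] + h[1:]


def rotr(z, s):
    """Z>>>s on an m-bit half: result bit i is z_{i+s mod m}."""
    m = len(z) - 1
    return [0] + [z[(i + s - 1) % m + 1] for i in range(1, m + 1)]


def P_pi(s, z):
    """P_pi(s)(Z) = (Z_hi)>>>s || (Z_lo)>>>s, each half rotated in place."""
    return cat(rotr(hi(z), s), rotr(lo(z), s))


def E_spectr_h64(u, a, b):
    """Layers V1..V5 (16 bits each) from U, A, B in GF(2)^32."""
    ua, ub = xor(u, a), xor(u, b)
    return [hi(u), P_pi(1, hi(ua)), P_pi(5, hi(ub)), P_pi(5, lo(ub)), P_pi(1, lo(ua))]


def E_spectr_128(u, a):
    """Layers V1..V6 (32 bits each) from U, A in GF(2)^64."""
    ua = xor(u, a)
    return [hi(u),
            P_pi(1, hi(ua)),
            xor(P_pi(11, hi(u)), P_pi(8, hi(a))),
            xor(P_pi(11, lo(u)), P_pi(8, lo(a))),
            P_pi(1, lo(ua)),
            xor(lo(u), rotr(lo(a), 28))]


def dependence(E, n, n_inputs):
    """E is GF(2)-linear in (U, keys), so feeding unit vectors reveals exactly
    which input bits reach each control bit.  deps[layer][pos] is a set of
    (input_number, bit_index); input 0 is U, the others are the keys."""
    zero = [0] * (n + 1)
    deps = [[set() for _ in layer[1:]] for layer in E(*([zero] * n_inputs))]
    for which in range(n_inputs):
        for bit in range(1, n + 1):
            args = [list(zero) for _ in range(n_inputs)]
            args[which][bit] = 1
            for k, layer in enumerate(E(*args)):
                for pos in range(1, len(layer)):
                    if layer[pos]:
                        deps[k][pos - 1].add((which, bit))
    return deps


def u_bits_per_layer(deps):
    """Sorted U bit indices feeding each layer (a repeated index would show up)."""
    return [sorted(b for cell in layer for (w, b) in cell if w == 0) for layer in deps]


def key_bits_per_layer(deps, which):
    return [{b for cell in layer for (w, b) in cell if w == which} for layer in deps]


def check_spectr_h64():
    deps = dependence(E_spectr_h64, 32, 3)
    hi_idx, lo_idx = list(range(17, 33)), list(range(1, 17))
    # layers 1-3 (R3 boxes) use each high bit once; layers 4-5 (R2 boxes) each low bit once
    halves_ok = u_bits_per_layer(deps) == [hi_idx, hi_idx, hi_idx, lo_idx, lo_idx]
    a_used = [bool(s) for s in key_bits_per_layer(deps, 1)]
    b_used = [bool(s) for s in key_bits_per_layer(deps, 2)]
    return halves_ok, a_used, b_used


def check_spectr_128():
    deps = dependence(E_spectr_128, 64, 2)
    hi_idx, lo_idx = list(range(33, 65)), list(range(1, 33))
    halves_ok = u_bits_per_layer(deps) == [hi_idx] * 3 + [lo_idx] * 3
    a_bits = key_bits_per_layer(deps, 1)
    v1_key_free = a_bits[0] == set()
    a_split_ok = (all(s <= set(hi_idx) for s in a_bits[:3])
                  and all(s <= set(lo_idx) for s in a_bits[3:]))
    return halves_ok, v1_key_free, a_split_ok


if __name__ == "__main__":
    print("SPECTR-H64:", check_spectr_h64())
    print("SPECTR-128:", check_spectr_128())
```

The dependence map is also the right starting point for the wiring-level claims (six U bits and five A bits on every input-to-output path), but those need the R3 box wiring of Figure 5.7, which the formulas alone do not fix.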

Final Transformation
The FT procedure is a transformation that is the reverse of the IT procedure. This
transformation looks as follows:

Y = FT(X, A),

where X, Y ∈ GF(2)128, A ∈ GF(2)64.


Initially, each even bit of the input block is inverted (see Figure 5.7), and then
each pair of the X input block with indices 2j–1 and 2j (j = 1, 2, …, 64) is either per-
muted (aj = 1) or not (aj = 0).
The bit values of the Y vector are calculated using the following formulas:

y2j–1 = (x2j–1 ⊕ x2j ⊕ 1)aj ⊕ x2j–1 and y2j = (x2j–1 ⊕ x2j ⊕ 1)aj ⊕ x2j ⊕ 1.
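A compact implementation of IT and FT as defined above, added here as an example (not code from the book), makes the inverse relation explicit: both are the same key-controlled transposition of bit pairs, differing only in whether the even bits are inverted after or before the swap. The block also applies the same two-input element to whole 64-bit words, which is the P2×64/1 box used later in CIKS-128; the list-of-bits representation and the helper names are the example's own.

```python
"""IT and FT of SPECTR-128 as key-controlled transpositions of bit pairs.

Added example, not code from the book. A 128-bit block is a list x[1..128]
(index 0 unused) and the key A is a list a[1..64]. IT swaps the pair
(x_{2j-1}, x_{2j}) when a_j = 1 and then inverts every even bit; FT inverts
the even bits first and then applies the same controlled swap, which is why
FT(IT(X, A), A) = X for every key. The same two-input element, applied to
two whole 64-bit words under one control bit e, is the P2x64/1 box of
CIKS-128 (P2xn_1 below).
"""
import random


def swap_pair(x_odd, x_even, ctrl):
    """P2/1 element: (x_odd, x_even) swapped iff ctrl == 1, branch-free:
    t = (x_odd ^ x_even) & ctrl is added to both bits."""
    t = (x_odd ^ x_even) & ctrl
    return x_odd ^ t, x_even ^ t


def IT(x, a):
    """y_{2j-1} = (x_{2j-1}+x_{2j})a_j + x_{2j-1},  y_{2j} = (x_{2j-1}+x_{2j})a_j + x_{2j} + 1."""
    n = len(a) - 1
    y = [0] * (2 * n + 1)
    for j in range(1, n + 1):
        odd, even = swap_pair(x[2 * j - 1], x[2 * j], a[j])
        y[2 * j - 1], y[2 * j] = odd, even ^ 1
    return y


def FT(x, a):
    """y_{2j-1} = (x_{2j-1}+x_{2j}+1)a_j + x_{2j-1},  y_{2j} = (x_{2j-1}+x_{2j}+1)a_j + x_{2j} + 1:
    the even bit is inverted before the controlled swap."""
    n = len(a) - 1
    y = [0] * (2 * n + 1)
    for j in range(1, n + 1):
        y[2 * j - 1], y[2 * j] = swap_pair(x[2 * j - 1], x[2 * j] ^ 1, a[j])
    return y


def P2xn_1(l, lp, e):
    """P2x64/1 of CIKS-128: w_j = (l_j + l'_j)e + l_j, w'_j = (l_j + l'_j)e + l'_j,
    i.e. the two words change places as a whole iff e == 1."""
    w, wp = [0], [0]
    for j in range(1, len(l)):
        a, b = swap_pair(l[j], lp[j], e)
        w.append(a)
        wp.append(b)
    return w, wp


def random_bits(n, rng):
    return [0] + [rng.getrandbits(1) for _ in range(n)]


def inverse_holds(n_pairs=64, trials=100, seed=5):
    """FT undoes IT (and IT undoes FT) under the same key, on random blocks."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, a = random_bits(2 * n_pairs, rng), random_bits(n_pairs, rng)
        if FT(IT(x, a), a) != x or IT(FT(x, a), a) != x:
            return False
    return True


if __name__ == "__main__":
    print("FT inverts IT for all tested keys:", inverse_holds())
```

Note that neither IT nor FT is an involution on its own (swap and inversion do not commute), so a decryptor must really use FT with the IT key and vice versa, which is exactly what the key schedule's QIT(1) = K3, QFT(1) = K4 arrangement provides.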

5.2.3 The Schedule for Using Round Keys

In the 12-round SPECTR-128 block cipher, the extended key Q(e) is a combination of 14 subkeys; namely,

Q(e) = (QIT(e), Q1(e), Q2(e), …, Q12(e), QFT(e)),

where Qj(e) = (Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e)) for all j = 1, 2, …, 12,

with QIT(e), QFT(e), Qj(h,e) ∈ GF(2)^64 for all h = 1, 2, 3, 4.
The extended key Q(e) is a series of 50 64-bit binary vectors, each being one of the four secret subkeys K1, K2, K3, K4.

The elements of the extended key Q(e) are determined via the parameters Oi, which are calculated, in turn, by the formulas:

O2i−1 = K2i−1+e and O2i = K2i−e,

where K = K1||K2||K3||K4 and i = 1, 2.

The commutation scheme between Oi and Kj is shown in Figure 5.9.

FIGURE 5.9 The subkey commutation scheme.

The subkey correspondence QIT(e), QFT(e), Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e) (for all j = 1, 2, …, 12) is given in Table 5.8.

TABLE 5.8 Schedule for Using Round Keys

For example, for the fifth round (j = 5), the subkey sequence O3, O1, O2, O4 corresponds to the formal parameters A(1), A(2), A(3), A(4) of the Crypt procedure; namely,

Q5(e) = (Q5(1,e), Q5(2,e), Q5(3,e), Q5(4,e)) = (O3, O1, O2, O4).

That is,

Q5(e) = (K3+e, K1+e, K2−e, K4−e).

For the encryption mode,

Q5(0) = (K3, K1, K2, K4),

and for the decryption mode,

Q5(1) = (K4, K2, K1, K3).

For the initial and final transformations, the keys QIT(e) and QFT(e) are

QIT(e) = O4 and QFT(e) = O3.

That is,

QIT(e) = K4−e and QFT(e) = K3+e.

For the encryption mode,

QIT(0) = K4 and QFT(0) = K3,

and for the decryption mode,

QIT(1) = K3 and QFT(1) = K4.

5.3 THE CIKS-128 CIPHER (ALGORITHM)

The CIKS-128 algorithm is an iterated block cipher that uses the scheme of Russian patent No. 2140714 as the basic scheme for one round. Compared to SPECTR-128, the structure of the round function is changed. In particular, instead of one controlled permutation box P64/192 and one nonlinear vector boolean function G, two identical nonlinear vector boolean functions G are used.
Like SPECTR-128, the CIKS-128 algorithm is a practical implementation of
basic ideas of synthesizing a fast block cipher based on controlled operations, which
we considered in the previous chapters. It is aimed at high-speed information pro-
cessing with a 64-bit data exchange bus.

5.3.1 A General Scheme of Block Encryption


For the CIKS-128 algorithm, a general encryption scheme (encryption and decryp-
tion) is determined by the formula:

Y = F(X, Q(e)),

where Q(e) = H(K, e) is an extended key, which is a function of a 256-bit secret key
K and encryption mode e (e = 0—encryption, e = 1—decryption). In encryption
mode, X is the initial block of binary data (plaintext), and in decryption mode, it is
a transformed block of binary data (ciphertext). In encryption mode, the resulting
value Y is ciphertext, and in decryption mode it is plaintext.
The secret key K is represented as a combination of four 64-bit subkeys;
namely, K = K1||K2||K3||K4, where K1, K2, K3, K4 ∈ GF(2)64.
The encryption algorithm (F function) is described in Section 5.3.2, and the
building procedure for the Q(e) = H(K, e) working key can be found in Section
5.3.3.

5.3.2 The Encryption Algorithm


The F function (Figure 5.1) is implemented using the following procedures:

- the initial transformation IT;
- 12 rounds (loops) of transformations using the Crypt procedure;
- the final transformation FT.

First, the IT procedure is performed: Y = IT(X, QIT(e)).
Block Y is divided into two subblocks of the same length, L0 and R0; in other words, (L0, R0) = Y, where L0, R0 ∈ GF(2)^64. Then, 12 rounds of transformation are done using the Crypt procedure according to the formulas:

Lj = Crypt(Rj−1, Lj−1, Qj(e)), Rj = Lj−1 (j = 1, 2, …, 12).

After the 12th round, the final transformation FT is performed over the block X = (R12, L12) according to the formula:

Y = FT(X, QFT(e)).

Initial and Final Transformations

The simplest operation, bitwise addition with the key, is used here; namely,

Y = IT(X, A) = X ⊕ A

and

Y = FT(X, B) = X ⊕ B,

where X, Y, A, B ∈ GF(2)^128.

The formal parameter A corresponds to the key QIT(e), and the parameter B corresponds to the key QFT(e).

The Crypt Procedure


Formally, the Crypt procedure looks like this:

R = Crypt(R, L, (A(1), A(2), A(3), A(4))),

where L, R ∈ GF(2)^64 and A(1), A(2), A(3), A(4) ∈ GF(2)^64.

The elements A(1), A(2), A(3), and A(4) are formal parameters of the key information; in other words, Qj(i,e), an element of the round key Qj(e) = (Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e)), corresponds to the parameter A(i). R and L are formal parameters for the left and right parts of the input data block.
A feature of this implementation of the Crypt procedure is the use of two vector boolean functions G and of four 64-bit subkeys in one round (in other words, all bits of the 256-bit secret key K are used), and the fact that the boxes P64/192 and P⁻¹64/192 form an involution when the right part of the input data is transformed.
The procedure employs:

- the rotation operation “>>>” by a fixed number of bits;
- bit-wise modulo 2 addition, “⊕”;
- two nonlinear vector boolean functions G with the same structure;
- controlled permutation boxes P64/192 and P⁻¹64/192 of the first order;
- a one-layer box of controlled permutations P2×64/1 (to provide universality for a scheme with a noncommutative structure of the information transformation);
- fixed 64-bit commutators set by the permutation π and the involution I;
- the extension procedure E for the control vector (extension box).

A two-stage Clos network C<8, 8> is used as the P64/192 and P⁻¹64/192 boxes (Figure 5.7), where the first layer is compiled of R3 boxes and the second is made up of R3⁻¹ boxes. Since the structure of the boxes P64/192 and P⁻¹64/192 is the same, in Figure 5.7 column (I) corresponds to the control vector for the direct transformation, and column (II) to the one for the reverse transformation.
The sequence of the transformations and their interaction is shown in Figure 5.10.
The time base for performing the operations in the Crypt procedure is presented in Table 5.9.

FIGURE 5.10 The Crypt procedure scheme.

TABLE 5.9 The Time Base for Performing Operations in the Crypt Procedure (time base in τ⊕; last step: R = P⁻¹64/192(V″)(R))

It follows from Table 5.9 that most operations are performed concurrently, and the total time required for the procedure equals the time of 14 consecutive operations of the XOR type.

Fixed Commutators Pπ and I

The main purpose of the permutation π is to change the mutual bit positions of a data block fed simultaneously to the inputs of two nonlinear boolean functions G that have an identical appearance but use different round keys. The permutation consists of four cycles of length 16, and looks as follows:

π = (1, 50, 9, 42, 17, 34, 25, 26, 33, 18, 41, 10, 49, 2, 57, 58)
(3, 64, 43, 24, 19, 48, 59, 8, 35, 32, 11, 56, 51, 16, 27, 40)
(4, 7, 28, 47, 52, 23, 12, 63, 36, 39, 60, 15, 20, 55, 44, 31)
(5, 14, 13, 6, 21, 62, 29, 54, 37, 46, 45, 38, 53, 30, 61, 22)

Correspondingly, the substitution transformation Pπ implemented by this permutation is specified by the formula Y = Pπ(X), where X, Y ∈ GF(2)^64; namely,

yπ(i) = xi, for all i = 1, 2, …, 64.

For example, y50 = x1, y9 = x50, y1 = x58, and so on.

The involution I looks like:

Y = I(X) = (X6>>>4 || X5>>>4 || X4>>>4 || X3>>>4 || X2>>>4 || X1>>>4 || X8>>>4 || X7>>>4),

where X = (X1, X2, X3, X4, X5, X6, X7, X8) and X1, X2, …, X8 ∈ GF(2)^8. In other words, the bytes are permuted, and each byte is rotated by 4.
To make sure an involution is specified, it is sufficient to perform the transformation I² = I ∘ I; namely,

I²(X) = I((X6)>>>4 || (X5)>>>4 || (X4)>>>4 || (X3)>>>4 || (X2)>>>4 || (X1)>>>4 || (X8)>>>4 || (X7)>>>4)
= (((X1)>>>4)>>>4 || ((X2)>>>4)>>>4 || ((X3)>>>4)>>>4 || ((X4)>>>4)>>>4 || ((X5)>>>4)>>>4 || ((X6)>>>4)>>>4 || ((X7)>>>4)>>>4 || ((X8)>>>4)>>>4)
= (X1, X2, X3, X4, X5, X6, X7, X8) = X,

since the byte permutation (6, 5, 4, 3, 2, 1, 8, 7) is itself an involution and two rotations by 4 return an 8-bit byte to its original position.
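The two commutators can be checked mechanically. The following Python is an added example, not code from the book: it builds π from the cycle notation given in the text (refusing any list that repeats or omits an index), verifies that it consists of four 16-cycles, applies Pπ and I to unit vectors, and confirms that I, but not Pπ, is an involution. The byte and rotation conventions in the docstring are the example's own.

```python
"""Fixed commutators of CIKS-128: the permutation pi and the involution I.

Added example, not code from the book. Blocks are lists x[1..64] (index 0
unused); y_{pi(i)} = x_i; byte X_k is x[8k-7..8k]; ">>>4" on a byte's 8-bit
list is a rotation by four positions (for 8-bit bytes a rotation by 4 in
either direction is the same nibble swap, so the direction convention does
not matter). PI_CYCLES are the four 16-cycles given in the text, the first
closing with 58, the one index in 1..64 that no other cycle covers.
"""
import random

PI_CYCLES = (
    (1, 50, 9, 42, 17, 34, 25, 26, 33, 18, 41, 10, 49, 2, 57, 58),
    (3, 64, 43, 24, 19, 48, 59, 8, 35, 32, 11, 56, 51, 16, 27, 40),
    (4, 7, 28, 47, 52, 23, 12, 63, 36, 39, 60, 15, 20, 55, 44, 31),
    (5, 14, 13, 6, 21, 62, 29, 54, 37, 46, 45, 38, 53, 30, 61, 22),
)


def permutation_from_cycles(cycles, n=64):
    """Build i -> pi(i) from cycle notation, rejecting repeated or missing indices."""
    pi = {}
    for cyc in cycles:
        for k, i in enumerate(cyc):
            if i in pi:
                raise ValueError("index %d appears twice" % i)
            pi[i] = cyc[(k + 1) % len(cyc)]
    if sorted(pi) != list(range(1, n + 1)):
        raise ValueError("cycles do not cover 1..%d exactly" % n)
    return pi


PI = permutation_from_cycles(PI_CYCLES)


def P_pi(x):
    """Y = P_pi(X): y_{pi(i)} = x_i."""
    y = [0] * len(x)
    for i in range(1, len(x)):
        y[PI[i]] = x[i]
    return y


def cycle_lengths(pi):
    """Cycle structure of a permutation given as a dict i -> pi(i)."""
    seen, lengths = set(), []
    for start in pi:
        if start in seen:
            continue
        i, length = start, 0
        while i not in seen:
            seen.add(i)
            i = pi[i]
            length += 1
        lengths.append(length)
    return sorted(lengths)


def byte(x, k):
    return x[8 * (k - 1) + 1: 8 * k + 1]


def rot4(bits):
    """>>>4 on an 8-bit list: the two nibbles change places."""
    return bits[4:] + bits[:4]


def I(x):
    """Y = I(X) = (X6>>>4 || X5>>>4 || X4>>>4 || X3>>>4 || X2>>>4 || X1>>>4 || X8>>>4 || X7>>>4)."""
    out = [0]
    for k in (6, 5, 4, 3, 2, 1, 8, 7):
        out += rot4(byte(x, k))
    return out


def is_involution(f, n=64, trials=100, seed=9):
    """f(f(x)) == x on random blocks."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = [0] + [rng.getrandbits(1) for _ in range(n)]
        if f(f(x)) != x:
            return False
    return True


def unit(i, n=64):
    """Block with only bit i set."""
    return [0] + [1 if k == i else 0 for k in range(1, n + 1)]


if __name__ == "__main__":
    print("pi cycle lengths:", cycle_lengths(PI))
    print("I is an involution:", is_involution(I))
```

Rejecting a malformed cycle list at construction time is the point of `permutation_from_cycles`: a transcription slip that repeats an index silently turns a permutation into a non-injective map, and the cipher would then be non-invertible without any test of the round function noticing.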

A P2×64/1 One-Layer Box of Controlled Permutations

The mapping implemented by the P2×64/1 box looks like this:

(W||W′) = P2×64/1(L||L′, e),

where the values of the jth bits of the vectors W and W′ (j = 1, 2, …, 64) are calculated by the following formulas:

wj = (lj ⊕ l′j)e ⊕ lj and w′j = (lj ⊕ l′j)e ⊕ l′j.

In other words, the two 64-bit halves change places as a whole when e = 1 and pass unchanged when e = 0.

Vector Boolean G Function


A controlled substitution operation is used as a vector boolean G function. It is one
of the implementations of a sequential model. Formally, the G function looks like
this:

X = G(W, A, B), where X, W, A, B ∈ GF(2)64.

In vector form, the G function is determined by the formula:

X = U(0) ⊕ A(0) ⊕ (U(1) ⊗ B(0)) ⊕ (U(2) ⊗ U(5)) ⊕ (U(6) ⊗ A(1)) ⊕ (A(2) ⊗ B(1)) ⊕ (U(3) ⊗ U(4)) ⊕ (U(1) ⊗ U(4) ⊗ U(6)) ⊕ (U(2) ⊗ U(6) ⊗ B(1)) ⊕ (U(1) ⊗ U(2) ⊗ U(4) ⊗ B(1)),

where the vectors U(j) (j = 0, 1, 2, …, 6) are expressed recursively via W; namely,

U(0) = (u1(0), u2(0), u3(0), …, u63(0), u64(0)) = W = (w1, w2, w3, …, w63, w64),

and, for all j = 1, 2, …, 6,

U(j) = (u1(j), u2(j), u3(j), …, u63(j), u64(j)) = (1, u1(j−1), u2(j−1), u3(j−1), …, u63(j−1)).

The vectors A(j) and B(j) for j = 0, 1, 2 are determined in the same manner from A and B.


Taking into account the option of concurrently performing certain operations,
it is easy to establish that the G function is implemented in five delay time units
(5τ⊕).

Grounds for Selecting a Nonlinear G Function


Define the mapping of G: GF(2)64 × GF(2)64 × GF(2)64 → GF(2)64 as the boolean
vector function Y = G(X, A, B) having the following appearance:

(y1, y2, …, y64) = (g1(X, A, B), g2(X, A, B), …, g64(X, A, B)),

where gi are certain generator boolean functions. A single unified boolean function
of 12 variables will be considered a generator functions prototype. It looks as follows:

g = g(z1, z2, …, z12) = z11 ⊕ z12 ⊕ ϕ(z1, z2, …, z10),

where ϕ (z1, z2, …, z10) = z1z2 ⊕ z3z4 ⊕ z5z6 ⊕ z7z8 ⊕ z9z10 ⊕ z1z5z9 ⊕ z3z5z7 ⊕ z1z3z7z9
is a bent function (see Definition 5.1). A Walsh-Hadamard transformation (see De-
finition 5.2) of the g function consists of 1024 elements possessing the value of
|U*α(g)| = 128 for all vectors α = (α1, α2, …, α10, 0, 0), and for the rest of the 3072
elements it has a value of U#α(g) = 0. With respect to the selected structure and
properties of bent functions, we have the following characteristics of the g function:
242 Innovative Cryptography, Second Edition

The nonlinearity of the g function is equal to N(g) = 2m–1 – 2((m+2)/2)–1 = 1984
(with m = 12), which is quite close to the maximum possible nonlinearity of
boolean functions of 12 variables (Nmax = 2m–1 – 2(m/2)–1 = 2016).

g is a correlation immune function on the set of vectors z* = {(z1, z2, …, z12)} ⊂ GF(2)12
where z11 ≠ 0 or z12 ≠ 0, which makes up 75% of the whole GF(2)12 set.

g possesses good autocorrelation properties, since for all nonvanishing
avalanche vectors (Δz1, Δz2, …, Δz12) ∈ GF(2)12 except for three—(0, …, 0, 0, 1),
(0, …, 0, 1, 0), and (0, …, 0, 1, 1)—the propagation criterion of the 12th order is
satisfied; that is, the function Δg = g(z1, z2, …, z12) ⊕ g(z1 ⊕ Δz1, z2 ⊕ Δz2,
…, z12 ⊕ Δz12) is balanced.

The degree of the algebraic normal form of the g function is equal to 4 (deg(g) = 4).
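The properties listed above can be verified directly from the truth table of g. The following is an added example, not code from the book: it builds g from the formula given in the text and checks the nonlinearity, the Walsh-Hadamard spectrum counts, the algebraic degree and the propagation property with a fast Walsh-Hadamard transform. The bit encoding of z (bit i−1 of an integer holds zi) is an assumption of this example.

```python
# Added example (not from the book): checking the stated properties of the
# generator-function prototype g(z1, ..., z12) = z11 xor z12 xor phi(z1, ..., z10)
# with a fast Walsh-Hadamard transform (FWHT).  Encoding assumed here: a 12-bit
# integer v holds z_i in bit (i - 1), so z1 is the lowest order bit and z12 the
# highest; an avalanche vector (dz1, ..., dz12) is encoded the same way.
M = 12
N = 1 << M

def z(v, i):
    """Variable z_i (1-based) of the 12-bit integer v."""
    return (v >> (i - 1)) & 1

def phi(v):
    """The bent function phi(z1, ..., z10) from the text (AND written as *)."""
    return (z(v, 1) * z(v, 2) ^ z(v, 3) * z(v, 4) ^ z(v, 5) * z(v, 6)
            ^ z(v, 7) * z(v, 8) ^ z(v, 9) * z(v, 10)
            ^ z(v, 1) * z(v, 5) * z(v, 9) ^ z(v, 3) * z(v, 5) * z(v, 7)
            ^ z(v, 1) * z(v, 3) * z(v, 7) * z(v, 9))

def g(v):
    return z(v, 11) ^ z(v, 12) ^ phi(v)

TRUTH_TABLE = [g(v) for v in range(N)]

def fwht(values):
    """Fast Walsh-Hadamard transform of a list of length N (returns a copy)."""
    a = list(values)
    h = 1
    while h < N:
        for i in range(0, N, 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a

def walsh_spectrum():
    """W(alpha) = sum over z of (-1)^(g(z) xor alpha.z), for every alpha."""
    return fwht([1 - 2 * t for t in TRUTH_TABLE])

def nonlinearity():
    """N(g) = 2^(m-1) - max|W(alpha)| / 2."""
    return N // 2 - max(abs(w) for w in walsh_spectrum()) // 2

def spectrum_histogram():
    """Map |W(alpha)| -> how many alphas take that absolute value."""
    hist = {}
    for w in walsh_spectrum():
        hist[abs(w)] = hist.get(abs(w), 0) + 1
    return hist

def algebraic_degree():
    """Degree of the algebraic normal form, via the Moebius transform."""
    a = list(TRUTH_TABLE)
    for i in range(M):
        for v in range(N):
            if v & (1 << i):
                a[v] ^= a[v ^ (1 << i)]
    return max(bin(v).count("1") for v in range(N) if a[v])

def non_propagating_deltas():
    """Nonzero avalanche vectors for which g(z) xor g(z xor delta) is NOT
    balanced.  The autocorrelation r(delta) = sum_z (-1)^(g(z) xor g(z xor delta))
    equals FWHT(W^2)(delta) / N, and the difference function is balanced
    exactly when r(delta) = 0."""
    r = fwht([w * w for w in walsh_spectrum()])
    return sorted(d for d in range(1, N) if r[d] != 0)

def is_balanced():
    return sum(TRUTH_TABLE) == N // 2
```

The three vectors returned by non_propagating_deltas() are exactly (0, …, 0, 1, 0), (0, …, 0, 0, 1) and (0, …, 0, 1, 1) in the encoding above.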

A transition from the general form of the g function to certain generator func-
tions of the sequential model of the controlled substitution operation is done using
the following substitution of variables:

( z1    z2   z3    z4    z5    z6    z7    z8    z9    z10   z11  z12 )
( ui−1  bi   ui−2  ui−5  ui−6  ai−1  bi−1  ai−2  ui−4  ui−3  ui   ai  ),

where ∀i ∈ {1, 2, …, n} and n = 64.


Thus, we have a generator function set that looks like this:

yi = gi = ui ⊕ ai ⊕ ui−1bi ⊕ ui−2ui−5 ⊕ ai–1ui−6 ⊕ bi–1ai–2 ⊕
⊕ ui–4ui–3 ⊕ ui–1ui–4ui–6 ⊕ ui−2bi–1ui–6 ⊕ ui–1ui–2bi–1ui–4,

where lj, aj, and bj are the components of vectors L, A, B ∈ GF(2)64, and the initial
conditions correspond to the vector (x–4, x–3, x–2, x–1, x0) = (1, 1, 1, 1, 1).

The Extension Procedure for Control Vector E


This procedure is intended for building a 192-bit control vector from a 64-bit one
using the following formal E procedure:

V = (V1||V2||V3||V4||V5||V6) = E(U, A, B) = EA||B(U),

where V ∈ GF(2)192, V1, V2, V3, V4, V5, V6 ∈ GF(2)32, U, A, B ∈ GF(2)64.


The V vector is calculated according to the formulas:

V1 = Pπ1(Ulo); V2 = Pπ2((U ⊕ A)lo); V3 = Pπ3((U ⊕ B)lo);
V4 = Pπ4(Uhi) = Uhi; V5 = Pπ5((U ⊕ A)hi); V6 = Pπ6((U ⊕ B)hi),

where for the P64/192 box, the transformations Pπ1, Pπ2, …, Pπ6 implement the fixed
permutations of bits specified in Table 5.10.

TABLE 5.10 Control Bit Values for the P64/192 Box

For example, 32 in the first line, corresponding to vector V1, means the value
u32 is used as the control bit v2(1) of V1; in other words, as v2 of V. 22 in the second line
corresponds to the control bit v32(2) = u22 ⊕ a22, and 53 in the sixth line corresponds
to the control bit v9(6) = u53 ⊕ b53.
The E extension procedure is done in such a way that the 32 higher order bits
of the U vector participate in controlling only the R3^−1 boxes, whereas the lower order
bits control only the R3 boxes, all bit numbers of vectors U, A, and B being different in
each R3^−1 and R3 box.
The control vector extension procedure provides for:

The uniformity of the participation of all 64 bits of the U, A, and B vectors in con-
trolling the P64/192 box.

The fact that, for a randomly chosen commutation of one input bit with one
output bit, there are six different bits of the U vector and two different bits of
keys A and B participating in the control, which guarantees the implementation
of all commutation variants.

Control vector V1 being a fixed substitution of 32 bits of the U vector; in other
words, the transformation in the first layer of the P64/192 box is performed without
any time delay.

5.3.3 The Schedule for Using Round Keys


As in the 12-round SPECTR-128 block cipher, the Q(e) extended key in the CIKS-128
block cipher is a combination of 14 subkeys; namely,

Q(e) = (QIT(e), Q1(e), Q2(e), …, Q12(e), QFT(e)),

where Qj(e) = (Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e)), ∀j = 1, 2, …, 12,

with QIT(e), QFT(e) ∈ GF(2)128, but Qj(h,e) ∈ GF(2)64, ∀h = 1, 2, 3, 4.

The Q(e) extended key is a series of 52 64-bit binary vectors, each being one of
four secret subkeys—K1, K2, K3, K4.
The elements of the Q(e) extended key are determined via the Oi parameters,
which are calculated, in turn, by the formulas:

O2i–1 = K2i–1+e and O2i = K2i–e,

where K = K1||K2||K3||K4 and i = 1, 2.

The commutation scheme between Oi and Kj is shown in Figure 5.11.
The key correspondence QIT(e), QFT(e), Qj(1,e), Qj(2,e), Qj(3,e), Qj(4,e) (∀j = 1, 2, …, 12) is
specified in Table 5.11.

FIGURE 5.11 Subkey commutation scheme.

TABLE 5.11 Schedule for Using Round Keys



For example, for the fifth round (j = 5), the subkey sequence O2, O4, O1, O3
corresponds to the formal parameters A(1), A(2), A(3), A(4) of the Crypt procedure;
namely,

Q5(e) = (Q5(1,e), Q5(2,e), Q5(3,e), Q5(4,e)) = (O2, O4, O1, O3).

That is,

Q5(e) = (K2−e, K4−e, K1+e, K3+e).

For the encryption mode Q5(0) = (K2, K4, K1, K3), and for the decryption mode
Q5(1) = (K1, K3, K2, K4).
For the initial and final transformations, the keys QIT(e) and QFT(e) look as follows:

QIT(e) = (O1 || O3) and QFT(e) = (O2 || O4).

That is,

QIT(e) = (K1+e || K3+e) and QFT(e) = (K2−e || K4−e).

For the encryption mode,

QIT(0) = (K1 || K3) and QFT(0) = (K2 || K4),

and for the decryption mode,

QIT(1) = (K2 || K4) and QFT(1) = (K1 || K3).

Scheme Universality
To prove the universality of the scheme, it is sufficient to demonstrate the univer-
sality (reversibility) of the one-round scheme, or rather, the universality of the transfor-
mation highlighted in gray in Figure 5.10. Here are the formulas for e = 0 and e = 1:

e = 0 ⇒ R' = I(R) ⊕ I(G(L, A(1)||A(4))) ⊕ G(Pπ(L), A(3)||A(2)).
e = 1 ⇒ U' = I(U) ⊕ I(G(Pπ(L), A(3)||A(2))) ⊕ G(L, A(1)||A(4)).

By sequentially performing encryption and decryption (U = R'), we get:

U' = I(U) ⊕ I(G(Pπ(L), A(3)||A(2))) ⊕ G(L, A(1)||A(4)) =
= I2(R) ⊕ I2(G(L, A(1)||A(4))) ⊕ I(G(Pπ(L), A(3)||A(2))) ⊕
⊕ I(G(Pπ(L), A(3)||A(2))) ⊕ G(L, A(1)||A(4)) = R,

since the I transformation is an involution (I2 is the identity), so the paired terms cancel.

By sequentially performing decryption and encryption (R = U'), we get:

R' = I(R) ⊕ I(G(L, A(1)||A(4))) ⊕ G(Pπ(L), A(3)||A(2)) =
= I2(U) ⊕ I2(G(Pπ(L), A(3)||A(2))) ⊕ I(G(L, A(1)||A(4))) ⊕
⊕ I(G(L, A(1)||A(4))) ⊕ G(Pπ(L), A(3)||A(2)) = U.

In other words, a truly universal scheme is implemented.

5.4 PROSPECTIVE PROGRAM CIPHERS BASED ON CONTROLLED PERMUTATIONS

Since fiber-optic channels provide for data transfer at very high speed, processor
developers consider the issue of integrating (on the hardware level) into the processors
a cryptographic means of information transformation that implements
one of the universally accepted algorithms meeting modern requirements of secu-
rity and speed. One drawback of this trend is that the transformation algorithm is
forced on customers, limiting the user’s freedom of choice, regardless of whether
the user trusts the particular algorithm.
An alternative trend in solving this problem is the extension of the list of com-
mands implementing cryptographic-like transformations with a high speed, and
created as special instructions. In particular, the implementation of controlled bit
permutation operations is rather interesting. The dimension of controlled permuta-
tion boxes that implement such operations should correspond to the bit capacity of
the processor used.
For example, for processors operating with 32-bit binary vectors (numbers, words),
bit permutations are effectively implemented using a P32/96 box of the second order
of controlled permutations (Figure 5.12).
In this chapter, we consider the description of this command and how to effi-
ciently use it in software block ciphers.

5.4.1 Description of the Hypothetical DDP32 Command

Let us introduce the conditional symbol P32/32(U,e) for the new command, and the identifier
DDP32 (Data Dependent Permutation, 32 bit).
The input parameters of this command are:

X: 32-bit transformed binary vector
U: 32-bit control vector forming a permutation modification
e: 1-bit control vector with a value that determines the data transformation
mode (e = 0—direct permutation, e = 1—reverse permutation)

FIGURE 5.12 The P32/96 controlled permutations box.

The result of applying the P32/32(U,e) command is the permutation of the 32-bit
binary vector X. In other words, the command DDP32 implements the mapping
GF(2)32 × GF(2)32 × GF(2) → GF(2)32; namely,

Y = P32/32(X, U, e).

Since the second order box P32/96(V) is used as the operation prototype, in which
the bit capacity of the control vector is equal to 96, in the new command you must
implement the control vector expansion procedure V = E(U), and the P32/96(V) box;
namely,

E: GF(2)32 → GF(2)96,

which provides the commutation of each bit of the U binary vector with three dif-
ferent bits of the 96-bit binary vector V.
To perform the reverse transformation P32/96^−1(V) in box P32/96, you have to reverse
the order of the vectors V1, V2, …, V6; in other words, P32/96^−1(V) = P32/96(V'), where
V = (V1, V2, …, V6) and V' = (V6, V5, …, V1). This reversal is effectively imple-
mented using the one-layer P96/1(e) box, shown in Figure 5.13.
Thus, the operational box implementing the P32/32(U,e) command looks like the one
shown in Figure 5.14.
Thanks to such a structure, the P32/32(U,e) box performs either a direct controlled
permutation operation (e = 0), or a reverse permutation operation (e = 1).

FIGURE 5.13 The P96/1(e) box for controlling the data transformation
mode in the P32/32(U,e) command.

FIGURE 5.14 The P32/32(U,e) controlled permutations box.

When program ciphers are developed based on controlled permutations, it is
assumed that the value of the U = (u1, u2, …, u32) vector is a block of transformed
data where each bit of vector U determines three different bits of the binary vector
V. We need to mention that the P32/96 box is a second order box, and therefore there
are just two variants of commutation between random input and random output
bits, and there are six elementary P2/1 switches controlled by the V vector in each
such commutation. Consequently, to provide any such commutation by the U
vector when a mapping is formed between the bits of the U and V vectors in the E
procedure, it is best to be governed by the following criterion: six various bits of the
U vector should participate in the control of six P2/1 boxes, implementing a com-
mutation between randomly chosen input and output bits.

In particular, Table 5.12 shows an example of the correspondence between the
U and V vectors that meets such a criterion, and can be used in building an E ex-
tension procedure.

TABLE 5.12 Correspondence between the Bits of Vectors U and V for the P32/96 Box

For example, in the first row corresponding to vector V1, 10 means that the
value u10 is fed to the input v2(1) controlling the second box P2/1, whereas 10 in the
second row corresponds to the value v15(2) = u10, and 26 in the sixth row corresponds
to the value v7(6) = u26.
In a hardware implementation, an elementary switch uses no more than 12
transistors. Accordingly, to implement a P32/32(U,e) operational box, no
more than 1800 transistors will be needed. Therefore, if you include the DDP32
command into the set of the standard operations of a contemporary processor, it
will not considerably complicate the circuit implementation of such processors. The
availability of such a command will help to enhance the speed of software ciphers
using this operation (up to 1 Gbit/s and more). This will make it possible to solve
many urgent problems in developing computer security systems that provide real-
time information security in contemporary, highly efficient automation systems.

5.4.2 The SPECTR-SZ Software Cipher


Let’s look at the SPECTR-SZ program cipher, in which a new command of con-
trolled permutations, DDP32, is used. Initially, this cipher was called DDP-S, but
the name has been changed due to the following circumstances.

In its structure, the cipher being considered is an updated variant of the
SPECTR-Z software cipher, in which a cyclic shift (rotation) operation is replaced by the
new DDP32 command.

The algorithm description has been amended, which was necessary to correctly
use the DDP32 command, and to simplify the understanding of the algorithm’s
operation.

This chapter also deals with two block ciphers (DDP-S64 and DDP-S128), which
significantly differ from the SPECTR-Z software cipher in their structure, and thus,
using the name DDP-S for the cipher being considered is not quite correct.

Designations and Input Data


The following additional designations are used in the description of the SPECTR-
SZ cipher:

Bytes (binary vectors with a length of 8) are designated by lowercase letters
without italics. For example:

u = (u0, u1, … , u7), where ∀i = 0, 1, …, 7, ui ∈ {0,1}.

The designation B is used for the set of all bytes; namely,

B ≡ {0,1}8 and u ∈ B.

The term “word” designates 32-bit binary vectors, marked by uppercase letters
in italics. For example, U = (u0, u1, …, u31), where ∀i = 0, 1, …, 31, ui ∈ {0,1}.
It is obvious that U = (u0, u1, u2, u3), where ∀j = 0, 1, …, 3, uj ∈ B, and U ∈ B4.
To designate byte sequences longer than 4, uppercase letters in bold italics are
used; for example, Q ∈ B2051, where Q = (q0, q1, …, q2050).
The operations “+m” and “–m” are designated, respectively, as “2m congruence
addition” and “2m congruence subtraction.”
The operation “W ↔ V” designates a value exchange operation for words W
and V.

Note: As a rule, discrete mathematics considers numbers represented by binary vec-
tors of a specified size (e.g., m). For example, regular addition with carry of two
numbers X and Y (X ≥ 2m–1 and Y ≥ 2m–1) ceases to make sense because it is impos-
sible to represent the resulting value as one binary vector with a size of m. Therefore,
we usually speak of the “2m congruence addition” operation, and (X + Y) mod 2m is
used. When composite formulas are written, it entails an increase in the number of
brackets, and as a result, it is very difficult to quickly understand such formulas. It is
often stipulated in articles that X + Y means “2m congruence addition,” and the
“mod 2m” designation is not used. This, however, is done only if m is a fixed value. If
operations with several different values (m1, m2, …, mk) are performed, difficulties
in the visual representation of formulas and expressions emerge. So, instead of the
conventional (X + Y) mod 2m, we ask that you use X +m Y; that is:

X +m Y =def (X + Y) mod 2m.

The designations “+m” and “−m” have not yet been generally adopted, but we think
that such expressions are a natural development of index symbols for sets of vari-
ables, and so forth. There is no doubt that the expressions “+2m” and “−2m” are
more common, since they allow you to consider any modulus p, and not only a
power of 2 (e.g., “+p” and “−p”). This difference, however, is less important than
the difference between the representations (X + Y) mod 2m and X +m Y.

The following hexadecimal constants α, β, γ, δ are used in the algorithm:

α = 0Dx, α ∈ B
β = FFFF07FFx, β ∈ B4
γ = B25D28A7 1A62D775x, γ ∈ B8
δ = 98915E7E C8265EDF CDA31E88 F24809DD
    B064BDC7 285DD50D 7289F0AC 6F49DD2Dx, δ ∈ B32

The index “x” means that the hexadecimal number representation is used, and
the lower order bit is to the right. For example, the byte α = 0Dx can be represented
in the vector form as:

α = (α0, α1, …, α7) = (1, 0, 1, 1, 0, 0, 0, 0).

Such a feature of number representation is a consequence of an ancient dispute
between mathematicians and programmers as to which side (right or left) the lower
order significant bit is on.
When several sequential bytes {u0, u1, …, us–1} are represented by a binary
number, the us–1 byte in all cases is related to the higher order bits of the number.
If, for example, the 64-bit constant γ = B25D28A7 1A62D775x is represented as a
sequence of bytes u0, u1, …, u7, then u0 = 75x, u1 = D7x, …, u7 = B2x .
The SPECTR-SZ cipher is aimed at use in computers with a 32-bit processor,
and is a block stream cipher in its structure. This peculiarity of the cipher structure
stems from the fact that in the Encrypt and Decrypt procedures of data transfor-
mation, the first and last rounds implement the stream cipher scheme, and the rest
of the rounds (internal ones) implement the iterative scheme of a block cipher.

Cipher Structure
The SPECTR-SZ software cipher is usually implemented as two modules (Figure 5.15):

The initialization module (used for program settings and the formation of all
necessary parameters, including the Q extended key)

The resident module, which serves other applications’ requests for data encryp-
tion and decryption

FIGURE 5.15 The SPECTR-Z software cipher scheme.

The Q (Q ∈ B2051) extended key, designed using the secret key K, is formed by
the initialization module in two cases:

In the application initialization stage
When the secret key is changed

The resident module consists of two Encrypt and Decrypt subprograms, which
are intended for the encryption and decryption of information represented as data
blocks with m 32-bit words in each, respectively.

The Extended Key Generation Procedure


Initially, the sequence Q' = (q0', q1', …, q'2050) (Q' ∈ B2051) is formed by repeating the
secret key K = (k0, k1, …, ks) the necessary number of times, where 8 ≤ s ≤ 2050.
Such a “strange” length of sequence Q' is stipulated by the necessity of working
with 2048 32-bit words. Indeed, the byte sequence u0, u1, …, un–1 can be used for
forming 32-bit words Uj = {uj, uj+1, uj+2, uj+3}, where j = 0, 1, …, n – 4. Therefore,
if 2048 (211) 32-bit words formed by this method are used, the length of the initial
sequence should be equal to 2051 bytes (n = 2051).

The next step is the use of the Table_H(Q') procedure to form the
auxiliary key H (H ∈ B2051).

The Table_H Procedure


The algorithm of the Table_H(Q') procedure is as follows:

1. Set the counter value i := 0.
2. Calculate the 32-bit number Hi' := (α23+i mod γ)17 mod δ, (Hi' ∈ B32).
3. Increase the counter value i := i + 1. If i ≠ 64, then go to step 2.
4. Create the sequence H := H0'||H1'||…||H63'||h0'||h1'||h2', where (h0'||h1'||h2')
are the first three bytes of the number H0' = (h0', h1', h2', …, h63').
5. Perform the transformation H := Q' ⊕ H.
6. Represent H as the byte sequence H = (h0, h1, …, h2050).
7. STOP.
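The Table_H procedure above, worked through as an added example (not the book’s code), using the constants α, γ and δ given earlier and the byte-order convention from the designations section. Two assumptions are made: each Hi' is stored as a 32-byte value (δ ∈ B32, and 64 · 32 + 3 = 2051), and multi-byte numbers are laid out with u0 as the lowest order byte, as the text describes for γ.

```python
# Added example (not the book's own code): the Table_H(Q') step of the SPECTR-SZ
# extended-key generation, with the constants alpha, gamma and delta from the text.
# Assumptions made here: each H_i' is taken as a 32-byte value (delta is 32 bytes
# and 64 * 32 + 3 = 2051), and multi-byte numbers follow the book's convention
# that byte u0 is the lowest order byte (little-endian).
ALPHA = 0x0D                                   # alpha, 1 byte
GAMMA = 0xB25D28A71A62D775                     # gamma, 8 bytes
DELTA = int("98915E7EC8265EDFCDA31E88F24809DD"
            "B064BDC7285DD50D7289F0AC6F49DD2D", 16)   # delta, 32 bytes
Q_LEN = 2051                                   # bytes in Q', H and Q

def constant_bytes(value, n):
    """Byte sequence u0, u1, ..., u(n-1) of an n-byte constant, u0 lowest order."""
    return value.to_bytes(n, "little")

def repeat_key(key):
    """Q' = the secret key K = (k0, ..., ks), 8 <= s <= 2050, repeated to 2051 bytes."""
    if not 9 <= len(key) <= Q_LEN:
        raise ValueError("key must be 9..2051 bytes")
    return bytes(key[i % len(key)] for i in range(Q_LEN))

def table_h_raw():
    """Steps 1-4: H0' || H1' || ... || H63' || h0' || h1' || h2' (2051 bytes)."""
    h = bytearray()
    for i in range(64):
        # H_i' = (alpha^(23+i) mod gamma)^17 mod delta, computed with big integers
        h_i = pow(pow(ALPHA, 23 + i, GAMMA), 17, DELTA)
        h += constant_bytes(h_i, 32)
    h += h[:3]                                 # the first three bytes of H0'
    return bytes(h)

def table_h(q_prime):
    """The full Table_H(Q') procedure: H := Q' xor (H0' || ... || h2')."""
    if len(q_prime) != Q_LEN:
        raise ValueError("Q' must be 2051 bytes")
    return bytes(a ^ b for a, b in zip(q_prime, table_h_raw()))

def words_32(seq):
    """The 2048 overlapping 32-bit words Uj = (uj, uj+1, uj+2, uj+3), j = 0..2047."""
    return [int.from_bytes(seq[j:j + 4], "little") for j in range(len(seq) - 3)]
```

Because the table H0'||…||h2' does not depend on the key, Table_H is affine in Q': the XOR of two outputs equals the XOR of the two inputs, which is why the later FormKey step runs Encrypt over the result rather than using H directly.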

The extended key Q is finally formed with the use of the FormKey procedure;
namely, Q = FormKey(Q', H), where the sequence Q' is interpreted as a combina-
tion of four 512-byte sequences (data blocks)—Q'(1), Q'(2), Q'(3), Q'(4)—and three
bytes; namely,

Q' = Q'(1)||Q'(2)||Q'(3)||Q'(4)||q'2048||q'2049||q'2050.

One of two programs of the resident module is used in the FormKey procedure;
namely, the Encrypt procedure. The latter depends on three parameters, the first
one determining the length of the data block being transformed (expressed in 32-
bit words), the second determining the transformed data block itself, and the third
determining the extended key.

The FormKey Procedure


The algorithm of the FormKey procedure looks as follows:
For the Encrypt procedure, specify the parameter value m := 128, and use the H
sequence as the encryption key.

1. Transform Q'(1): Q'(1) := Encrypt(m, Q'(1), H).
2. Transform Q'(2): Q'(2) := Encrypt(m, Q'(2) ⊕ Q'(1), H).
3. Transform Q'(3): Q'(3) := Encrypt(m, Q'(3) ⊕ Q'(2), H).
4. Transform Q'(4): Q'(4) := Encrypt(m, Q'(4) ⊕ Q'(3), H).
5. Form the extended key: Q := {Q'(1), Q'(2), Q'(3), Q'(4), q'2048, q'2049, q'2050}.
6. STOP.

Thus, the expanded encryption key Q is a sequence of 2051 bytes: Q = {q0, q1,
q2, …, q2047, q2048, q2049, q2050}.

The Encrypt Procedure


The Encrypt(m, T, Q) procedure is one of the two programs of the resident module
used for data transformation (encryption). The Encrypt procedure depends on
three parameters, the first determining the length of the data block being trans-
formed (expressed in 32-bit words), the second determining the transformed data
block itself, and the third determining the extended key.
So, the length of the data block subject to transformation is determined by the
m parameter (m ≥ 4). The value of m is chosen depending on the area in which it is
used. For example, this value may be determined by the hard disk sector size, or the
size of the clipboard. In particular, for m = 128, the length of the transformed data
block (in bytes) is equal to 4m; in other words, 512 bytes.
32-bit words (subkeys) with the following appearance are used during encryption:

Qj = qj ||qj+1||qj+2||qj+3,

where j = 0, 1, …, 2047.
The Encrypt procedure includes two full and four reduced transformation
rounds (Figure 5.16). If m = 4, the full and reduced rounds are identical.

FIGURE 5.16 Order of the transformation of 32-bit words in the
SPECTR-SZ cipher.

For a specified m, the data block being transformed is a sequence of m 32-bit
words; namely,

T = {T0, T1, T2, …, Tm–1},

where m ≥ 4 and T ∈ B4m.

The consecutive transformation of the words T0, T1, …, Tm–1 is performed
in each round. After each round, except for the last, two operations are performed:
T0 ↔ T3 and T1 ↔ T2.
The two following standard procedures are used in the round transformations:

Initialize procedure: {Set i := 0; R := Q9; V := Q17; N := Q31}.

Change NV procedure: {N := P32/32(R,0)(N) ⊕ R; n := N +11 0; V := P32/32(N,1)(V) +32 Qn}.

The First (Full) Encryption Round


The algorithm of the first (full) encryption round looks like this:

1. Perform the Initialize procedure.
2. Perform the Change NV procedure.
3. Transform: Ti := P32/32(R,0)(Ti −32 V).
4. Transform variable R: R := P32/32(V,1)(R +32 Ti).
5. Transform: Ti := Ti +32 N.
6. Increase the counter value: i := i + 1.
7. If i ≠ m, go to step 2.
8. If m > 4, transform the words T2 and T3 using Tm–2 and Tm–1:
T2 := T2 ⊕ Tm–2; T3 := T3 ⊕ Tm–1.
9. Perform the operations T0 ↔ T3 and T1 ↔ T2.
10. STOP.

The Four Reduced Rounds


The algorithm for the four reduced rounds looks like this:

1. Set the initial value of the reduced rounds’ counter j := 0.
2. Perform the Initialize procedure.
3. Perform the Change NV procedure.
4. Transform: Ti := P32/32(R,0)(Ti −32 V).
5. Transform variable R: R := P32/32(V,1)(R +32 Ti).
6. Transform: Ti := Ti +32 N.
7. Increase the counter value: i := i + 1. If i ≠ 4, go to step 3.
8. Perform the operations T0 ↔ T3 and T1 ↔ T2. Increase the counter value:
j := j + 1.
9. If j ≠ 4, go to step 2.
10. STOP.

The Sixth (Full) Encryption Round


The algorithm of the sixth (full) encryption round looks like this:

1. Perform the Initialize procedure.
2. If m > 4, transform the words T3 and T2 using Tm–1 and Tm–2:
T3 := T3 ⊕ Tm–1 and T2 := T2 ⊕ Tm–2.
3. Perform the Change NV procedure.
4. Transform: Ti := P32/32(R,0)(Ti −32 V).
5. Transform variable R: R := P32/32(V,1)(R +32 Ti).
6. Transform word Ti: Ti := Ti +32 N.
7. Increase the counter value: i := i + 1.
8. If i ≠ m, go to step 2.
9. STOP.

The Decrypt Procedure


The Decrypt (m, T, Q) procedure is the second program of the resident module,
used for decryption of the transformed data. This procedure performs a transfor-
mation that is the reverse of the Encrypt procedure. The procedure is not described,
but an interested reader can form such a procedure on his own, taking into account
the fact that the word transformation sequence is the same as for encryption (see
Figure 5.16).
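The following added example (not the book’s code) serves both the DDP32 command of Section 5.4.1 and the first full round of the Encrypt procedure above: it models P32/32(U,e) as six layers of P2/1 switches and then runs the first full round together with its inverse, derived as the text suggests by visiting the words in the same order. Figure 5.12’s wiring between layers and Table 5.12’s E correspondence are not reproduced on the page, so both are constructed here (the wiring is chosen symmetric, which is exactly what makes reversing V1, …, V6 the inverse box), and Q_DEMO is a constructed stand-in for the extended key.

```python
# Added example (not the book's own code): a software model of the hypothetical
# DDP32 command P32/32(U,e) and of the first (full) SPECTR-SZ encryption round
# with its inverse.  The P32/96 box is modelled as six layers of 16 P2/1
# switches.  Figure 5.12's wiring between layers and Table 5.12's E mapping are
# not on the page, so both are CONSTRUCTED here: the wiring is symmetric, which
# is what makes "reverse V1..V6" (the P96/1(e) box) yield the inverse permutation.
MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def layer(x, ctrl16):
    """One layer of 16 P2/1 switches: switch s swaps wires 2s and 2s+1 when its
    control bit is 1.  Every layer is an involution."""
    for s in range(16):
        if (ctrl16 >> s) & 1 and ((x >> (2 * s)) & 3) in (1, 2):
            x ^= 3 << (2 * s)
    return x

WIRING = (1, 2, 16, 30, 31)   # constructed rotations between layers: r, r', 16, -r', -r

def p32_96(x, v):
    """The second order box P32/96(V); v = (V1, ..., V6), six 16-bit words."""
    for k in range(6):
        x = layer(x, v[k])
        if k < 5:
            x = rotl32(x, WIRING[k])
    return x

def extend(u):
    """Constructed E: GF(2)^32 -> GF(2)^96.  Layers 2p and 2p+1 take the low and
    high halves of U rotated by offset[p], so each bit of U controls three
    switches in three different layers (the page's criterion for E)."""
    offset = (0, 5, 11)
    return tuple((rotl32(u, offset[k // 2]) >> (16 * (k % 2))) & 0xFFFF
                 for k in range(6))

def ddp32(x, u, e):
    """Y = P32/32(X, U, e): e = 0 direct permutation, e = 1 the reverse one."""
    v = extend(u)
    return p32_96(x, v[::-1] if e else v)

# ---- SPECTR-SZ: subkeys, the Change NV procedure and the first full round ----
def subkey(q, j):
    """Q_j = q_j || q_(j+1) || q_(j+2) || q_(j+3), q_j being the lowest order byte."""
    return int.from_bytes(q[j:j + 4], "little")

def change_nv(q, r, v, n):
    n = ddp32(n, r, 0) ^ r                                   # N := P(R,0)(N) xor R
    v = (ddp32(v, n, 1) + subkey(q, n & 0x7FF)) & MASK32     # n := N mod 2^11; V := P(N,1)(V) +32 Qn
    return v, n

def first_full_round(t, q):
    t, m = list(t), len(t)
    r, v, n = subkey(q, 9), subkey(q, 17), subkey(q, 31)    # Initialize
    for i in range(m):
        v, n = change_nv(q, r, v, n)
        t[i] = ddp32((t[i] - v) & MASK32, r, 0)             # step 3
        r = ddp32((r + t[i]) & MASK32, v, 1)                # step 4
        t[i] = (t[i] + n) & MASK32                          # step 5
    if m > 4:
        t[2] ^= t[m - 2]
        t[3] ^= t[m - 1]                                    # step 8
    t[0], t[3], t[1], t[2] = t[3], t[0], t[2], t[1]         # step 9
    return t

def first_full_round_inverse(t, q):
    """Inverse of first_full_round, derived here (the book leaves Decrypt to the
    reader): words are visited in the same order and R, N, V are recomputed
    forward exactly as encryption computed them."""
    t, m = list(t), len(t)
    t[0], t[3], t[1], t[2] = t[3], t[0], t[2], t[1]
    if m > 4:
        t[3] ^= t[m - 1]
        t[2] ^= t[m - 2]
    r, v, n = subkey(q, 9), subkey(q, 17), subkey(q, 31)
    for i in range(m):
        v, n = change_nv(q, r, v, n)
        t3 = (t[i] - n) & MASK32                            # undo step 5
        r_next = ddp32((r + t3) & MASK32, v, 1)             # same as step 4
        t[i] = (ddp32(t3, r, 1) + v) & MASK32               # undo step 3
        r = r_next
    return t

# Constructed stand-in for the 2051-byte extended key Q (not a real key).
Q_DEMO = bytes((37 * i + 11) & 0xFF for i in range(2051))
```

Step 4 can be recomputed during decryption because it uses the value of Ti after step 3, which the inverse recovers before it undoes step 3; the same ordering argument carries over to the reduced and sixth rounds.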

Speed Parameters and the Cryptographic Security of a Cipher


Since, generally, only part of the input data block is transformed in two full rounds,
the encryption speed depends on the size of the input block. If m = 4, it is mini-
mal—about 200 Mbit/s (for a processor of the Celeron 500 type, assuming that the
DDP32 command is implemented inside it as a special instruction). As the block size
is increased, the speed increases as well, up to 600 Mbit/s if m ≥ 32.
The SPECTR-SZ cipher possesses a higher encryption speed than the software
algorithms considered in Chapter 2, because of the smaller number of operations
performed, and due to fewer memory accesses (3 instead of 5).
The necessary practical security of the algorithm is gained thanks to the fol-
lowing features:

A long extended key Q (Q ∈ B2051).

Using, at every step, three 32-bit variables N, V, and R together with the 32-bit
words Ti, each variable depending on both the extended key Q and on the already trans-
formed input data.

Meeting the criterion of a strict avalanche effect, both by performing opera-
tions selecting the Qj subkeys and by using the input data (data to be transformed)
to form the control vectors for the new DDP32 command.

The second item needs a little explanation. The Encrypt procedure is such that
for two data blocks T and T' that differ in the ith word (Ti ≠ T'i) the values of the R
and R' variables are different in the first round already, during the transformation
of the words Ti and T'i. In the next step, the difference between the R and R' vari-
ables generates a difference between the variables N and N' and between V and V ',
and consequently, between Ti+1 and T'i+1. Accordingly, all subsequent values of the
32-bit words Tj and T'j are different, and such a difference has an avalanche-like
character when moving on to the next words to be transformed. Transformations
of subsequent rounds propagate differences at each 32-bit word of the data being
transformed.
Thanks to the many transformation steps performed in one round, a strong
avalanche effect can be gained by performing only two full encryption rounds.
Reduced encryption rounds are aimed at implementing a strong avalanche
effect when differences occur only in the last word Tm–1.
The DDP32 operation, controlling the vector depending on the data block
being transformed, contributes much to the avalanche effect’s propagation when
the words Ti and variable V are transformed.
According to the estimations for the combinatory probabilistic model consid-
ered in Chapter 2, the security of the SPECTR-SZ cipher is no less than 2190 (295)
operations, on the condition that the attacker has a specially chosen input text with
a volume of no less than 2100 (250) bytes and corresponding ciphertext.
The option of parametrically specifying the transformed data block size en-
hances the range of practical uses of the SPECTR-SZ block cipher and makes its
universality clear.
When speaking about the prospects of the new DDP32 command, we must
mention that it can be used to create high-speed software hashing functions. The
hashing speed becomes much higher than that of the SPECTR-SZ cipher because
the hashing algorithms can be created in such a way that you need only access the
memory once. Using the DDP32 operation, you can provide a hashing speed of 1–2
Gbit/s. Just to compare: there are three memory access operations used for one
32-bit transformed word in SPECTR-SZ:

Reading the current transformed word
Reading one subkey
Writing back the transformed word

Since the DDP32 operation is for use in cryptographic applications, there are
objective conditions for the creation of high-speed encryption and hashing algo-
rithms that possess the necessary practical security.

5.4.3 The COBRA-F64a and COBRA-F64b Block Ciphers


Let’s consider variants of building firmware block ciphers with a small input
data block. Such ciphers can be used, for example, in microcontrollers and smart
cards, where it is necessary to maximize the ratio of encryption
efficiency to the number of active electronic circuit elements used.
Following is a description of two iterated block ciphers, COBRA-F64a and
COBRA-F64b, with a 64-bit input and a 128-bit secret key, both aimed at firmware
implementation. The algorithms are described according to the designations accepted
for block ciphers.

The General Encryption Scheme


In the COBRA-F64a and COBRA-F64b block ciphers, an encryption scheme is used
that is not universal according to the previously accepted terms. Remember that a
scheme is universal when changing the encryption mode (encryption or decryp-
tion) entails only changing the order of round keys. However, the encryption scheme
of the COBRA-F64a and COBRA-F64b algorithms can be called semi-universal, since
the only difference is the use of the new command—P32/32(U,e)—which depends on the
e parameter. Using the superscript “(e),” the general encryption scheme can be ex-
pressed by the following formula:

Y = F(e)(X, Q(e)),

where Q(e) = H(K, e) is an extended key, a function of the 128-bit key K and the
encryption mode e (F(0)—encryption, F(1)—decryption); in encryption mode
X (X ∈ GF(2)64) is the incoming block of binary data (plaintext), and in decryption
mode it is the transformed block of binary data (ciphertext). In encryption mode,
the resulting value Y (Y ∈ GF(2)64) is the ciphertext, and in decryption mode, it is
the plaintext.
Taking into account contemporary principles of developing block ciphers, an
extended key, Q(e) = H(K, e), should be formed using a cryptographically secure
extended key generation procedure. Actually, it is sufficient simply to create a
pseudorandom sequence S = Q(0) = H(K, 0) with a length that depends on the
number of rounds and the total length of one round key.
The extended key Q(1) is a permutation of the Q(0) extended key’s elements, the
permutation determined by the constructive features of the scheme, including the
initial and final transformations.
A generalized scheme of transformations is shown in Figure 5.17, and a one-
round scheme for the COBRA-F64a and COBRA-F64b algorithms is shown in
Figure 5.18.

FIGURE 5.17 A general encryption scheme in the COBRA-F64 (a and b algorithms).

The absence of an initial transformation is a feature of the general encryption
scheme. Encryption and decryption, however, are performed using the same algo-
rithm, since the structure of each round is such that the final transformation is one
of its components.

The Schedule for Using Round Keys


In the COBRA-F64a and COBRA-F64b algorithms, both in one round and in the
final transformation, two 32-bit subkeys are used; namely,

Qj(e) = (Qj(1,e), Qj(2,e)),

where 1 ≤ j ≤ r + 1 and r is the number of encryption rounds.

FIGURE 5.18 The Crypt(e) procedure in: a—COBRA-F64a and b—COBRA-F64b.

Taking into account where the algorithms will be applied—microcontrollers
and smart cards where the occupied memory size is a critical para-
meter—using a secure extended key generation procedure is hardly justified. A
more efficient variant would be to use a key schedule.
For example, let the secret key K be represented as a combination of four 32-bit
words—K = K0||K1||K2||K3—where K0, K1, K2, K3 ∈ GF(2)32. Let the extended key
Q(0) = S be represented as in Table 5.13.
Then, the values of the round keys Qj(e) = (Qj(1,e), Qj(2,e)), for both encryption
and decryption modes, are determined by Table 5.13 and the following formula:

(Qj(i,e), Qr+1−j(i,e)) = P2×32/1(e)(Sj(1), Sr+1−j(2)),

where i = 1, 2 and j = 1, 2, …, r.

TABLE 5.13 Schedule for Using Round Keys



Taking into account the cryptographic properties of the operations performed
and the constructive features of one round, 16 encryption rounds is the optimal
number for the COBRA-F64a algorithm, whereas for COBRA-F64b it is 20. Never-
theless, you can increase the number of encryption rounds if you need to raise the
lower bound of the cryptographic security of the cipher.

The Encryption Algorithm


The F function (see Figure 5.1) is implemented as a series of the following procedures:

r rounds (loops) of transformations using the Crypt(e) procedure
Final transformation—FT

Initially, the block X is divided into two subblocks of the same length, L_0 and
R_0; in other words, (L_0, R_0) = X, where L_0, R_0 ∈ GF(2)^{32}. Then, r rounds of trans-
formations are performed using the Crypt(e) procedure according to the formulas:

$L_j = \mathrm{Crypt}^{(e)}(R_{j-1}, L_{j-1}, Q_j^{(e)})$; $R_j = L_{j-1}$, (j = 1, 2, …, r).

After the rth round, the final transformation FT is performed over block X =
(R_r, L_r) according to the formula:

$Y = \mathrm{FT}(X, Q_{FT}^{(e)})$.

The final transformation FT for the algorithm COBRA-F64a looks like this:

$Y = (L_{r+1}, R_{r+1}) = (R_r -_{32} Q_{r+1}^{(1,e)}, L_r +_{32} Q_{r+1}^{(2,e)})$.

And for the COBRA-F64b algorithm, the FT transformation looks like this:

$Y = (L_{r+1}, R_{r+1}) = (R_r \oplus Q_{r+1}^{(1,e)}, L_r \oplus Q_{r+1}^{(2,e)})$.

Speed Parameters and the Cryptographic Security of Ciphers


The advantage of the COBRA-F64a and COBRA-F64b algorithms is the small
length of binary code if they are software-implemented, which is very important in
designing cryptosystems integrated into the secure initialization procedure of
a computer. The microprogrammatic implementation of these algorithms using
microcontrollers working at a clock speed of 33 MHz provides for an efficiency
exceeding 20 Mbit/s.
With a software implementation of the COBRA-F64a and COBRA-F64b algo-
rithms (for a processor of Celeron 500 MHz type, assuming that the DDP32 command
is implemented inside it as a special instruction), the estimated speed of encryption will
be approximately 400 and 300 Mbit/s, respectively.
These examples prove that software ciphers, which use controlled permuta-
tions executed depending on data, when compared to the fastest known ciphers,
may potentially increase the speed by several times.
Estimating a cipher’s cryptographic security against all known cryptanalysis
methods is a complex and expensive procedure. Therefore, investigations are also
performed to find the most efficient methods of cryptanalysis. The differential
cryptanalysis method is considered one of these.
In the differential cryptanalysis method (which is considered in detail in Section
5.6), the differences Δ(X, X') in pairs of transformed data blocks X and X' are
studied, together with the corresponding differences δ(Y, Y') in the transformed
blocks. Usually, the case Δ(X, X') = X ⊕ X' = Δ = const is chosen. The value Δ is
called the input difference. Nonzero bits of the considered difference Δ are called
active bits. The task of differential cryptanalysis is to find Δ and δ values for
which the inequality p(δ/Δ) > 2^{-n} holds, where n is the length of the input block in
bits, and p(δ/Δ) = Pr(δ/Δ) is a conditional probability. Usually, the “significant proba-
bilities” p(δ/Δ), those differing from the average value as much as possible, corre-
spond to differences with a small number of active bits. In Section 5.6, the differ-
ential cryptanalysis of the COBRA-F64a, COBRA-F64b, DDP-S64, and DDP-S128
ciphers is described in more detail.
As a result of a cryptographic security investigation of the COBRA-F64a and
COBRA-F64b ciphers, it was established by the differential cryptanalysis method that the
most significant probabilities correspond to differential characteristics with differ-
ences containing only one “active bit.” Remember that the term “active bit” is used
in the sense that the Hamming weight of the difference of the two considered vectors
is equal to one. So, for the COBRA-F64a algorithm, the best characteristic among
those found is a three-round characteristic, for which a 1-bit output difference δ_1
corresponds to a 1-bit input difference Δ_1 with a probability of p_a(3) = 2^{-21}.
Accordingly, for the COBRA-F64b algorithm, the best among the characteristics
found is a two-round one, for which, after two transformation rounds, a 1-bit out-
put difference δ_1 corresponds, with a probability of p_b(2) = 2^{-12}, to an input dif-
ference Δ_1 with one active bit in the right (or left) data block. However, the
iterative application of these characteristics for 15 rounds in the first case and for 20
rounds in the second does not allow us to form efficient 15- and 20-round charac-
teristics, since the probabilities p_a(15) = 2^{-105} and p_b(20) = 2^{-120} do not
exceed the value of the corresponding probability in an arbitrary 64-bit block
cipher. The development of differential characteristics with a large number of active
bits does not give the desired result of efficient characteristics, which proved the
high cryptographic security of these ciphers against differential cryptanalysis.

High indices for the speed and cryptographic security of ciphers, where the
DDP32 command is used, allow us to hope that microprocessor developers will in-
clude this command in the set of standard operations of multipurpose processors.
The advantages of program ciphers were already considered in previous chapters.
Therefore, here we will just mention the feasibility of the procedure of program cipher
creation. Indeed, integration of an encryption algorithm (even a generally recognized
one) into a processor on the circuit level actually gives users no choice. Such unifica-
tion additionally stimulates potential violators to develop effective methods of crack-
ing the cipher, since, in case of success, unauthorized access to information stored in
computer systems and secured by this cipher would then be possible on a wide scale.
It is more profitable to analyze one cipher instead of ten or a hundred, right?
A software implementation of a new command (cryptographic primitive) re-
quires only minimal circuit costs and does not lead to a rise in the cost of modern-
ized processors. At the same time, the possibility of creating a whole series of high-speed
algorithms is thus increased, and if an algorithm is discredited, it is very easy
to replace it with another one, which is impossible with a hardware implementation.
We already mentioned that controlled bit permutations of a general type can be
used for solving other urgent information security tasks, such as developing high-
speed integrity algorithms and hashing functions. Another promising trend in the
area of applied bit permutations is their integration on a microprogramming level,
which provides minimum use of circuit resources, but retains a high speed for the
cryptographic transformations performed both for data integrity control and for
information security (hashing and encryption).

5.4.4 The DDP-S64 and DDP-S128 Algorithms


The COBRA-F64a and COBRA-F64b ciphers considered previously are aimed both
at a software and at a microprogramming implementation, which is achieved using
a simple transformation structure. If the purpose is only software implementation,
it is possible to apply more complex transformations.
Let’s look at the 64-bit and 128-bit program ciphers DDP-S64 and DDP-S128,
in which the DDP32 controlled permutation command is also used.

General Encryption Scheme


Just as the COBRA-F64a and COBRA-F64b block ciphers, the DDP-S64 and DDP-S128 soft-
ware ciphers also use a semi-universal encryption scheme, whose difference from a
universal scheme is in the use of the new $P_{32/32}^{(U,e)}$ command.
The general encryption scheme can be expressed by the following formula:

$Y = F^{(e)}(X, Q^{(e)})$,

where Q^{(e)} = H(K, e) is an extended key that is a function of the 256-bit key K and
the encryption mode e (F^{(0)}, encryption; F^{(1)}, decryption). In encryption mode,
X is the incoming block of binary data (plaintext), and in decryption mode, it is the
transformed block of binary data (ciphertext). In encryption mode, the resulting
value Y is ciphertext, and in decryption mode, it is plaintext.
Everything that was said previously relating to the necessity of using a crypto-
graphically secure extended key generation procedure is applicable to the ciphers
considered in this section. We just need to create a pseudorandom sequence
S = Q(0)= H(K, 0) with a length depending on the number of rounds and the total
length of one round key, and the extended key Q(1) will turn out to be a permuta-
tion of the Q(0) extended key elements. This permutation is determined by the con-
structive features of the scheme, including the initial and final transformations.
You can also use the algorithms built based on controlled permutations for the ex-
tended key generation procedure.
When describing the algorithms, a case of using a key schedule that is especially
efficient for the frequent key change mode is considered.

The DDP-S64 64-Bit Cipher


The general encryption scheme is shown in Figure 5.19.
The F(e) function (Figure 5.19b) is implemented with the following procedures:

Initial transformation—IT
r rounds (loops) of transformations using the Crypt(e) procedure
Final transformation—FT

FIGURE 5.19 The general encryption scheme (b) and one transformation round (a) in
the DDP-S64 algorithm.

Initially, block X is divided into two subblocks of the same length, X_lo and
X_hi; in other words, (X_lo, X_hi) = X, where X_lo, X_hi ∈ GF(2)^{32}, and the IT procedure is
performed:

$(A_0, B_0) = \mathrm{IT}(X, Q_0^{(e)}) = (X_{lo} \oplus Q_0^{(1,e)}, X_{hi} \oplus Q_0^{(2,e)})$.

Then, r = 10 rounds of transformations are performed using the Crypt(e) pro-
cedure, according to the formulas:

$A_j = \mathrm{Crypt}^{(e)}(B_{j-1}, A_{j-1}, Q_j^{(e)})$; $B_j = A_{j-1}$, (j = 1, 2, …, r).

After the rth round, the final transformation FT is performed over block
X = (B_r, A_r) according to the formula:

$Y = \mathrm{FT}(X, Q_{r+1}^{(e)}) = (B_r \oplus Q_{r+1}^{(1,e)}, A_r \oplus Q_{r+1}^{(2,e)})$.

One transformation round is shown in Figure 5.19a.
In the Crypt(e) procedure, the controlled permutation operation $P_{32/32}^{(U,e)}$ is desig-
nated as $P^{(U,e)}$, the algorithm itself having the following appearance:

$U := B +_{32} Q_i^{(2,e)}$.
$A := A +_{32} P^{(U,0)}(B)$.
$V := P^{(U,e)}(A)$.
$B := P^{(V,e)}(U)$.
$A := V -_{32} Q_i^{(1,e)}$.
$B := B -_{32} P^{(V,0)}(A)$.
$(A, B) := (B, A)$.
STOP.

The schedule of using subkeys in the DDP-S64 cipher is shown in Table 5.14.

TABLE 5.14 Schedule for Using Subkeys in the DDP-S64 Cipher
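As an added example (not the book's code), the Crypt(e) step list above in Python. The P^(U,e)_{32/32} box is replaced by a data-dependent rotation, an assumption made because the box's internal structure is not given on this page and the round relies only on P^(U,1) being the inverse of P^(U,0); round_trip checks that the round with e = 1 and the two subkeys swapped (as P^(e)_{2×32/1} swaps them in the key schedule) restores the input.

```python
"""One Crypt^(e) round of DDP-S64 with a stand-in controlled permutation.
Added example: the rotation in cp() is NOT the book's P_{32/32} box."""

MASK32 = 0xFFFFFFFF


def rotl32(x, s):
    """Rotate a 32-bit word left by s positions."""
    s %= 32
    return ((x << s) | (x >> (32 - s))) & MASK32 if s else x


def cp(u, e, x):
    """Stand-in for P^(U,e)_{32/32}: a rotation whose amount depends on the control
    word U (assumption for this example).  e = 0 applies the permutation, e = 1 its
    inverse, which is the only property of the box the round relies on."""
    amount = (u ^ (u >> 5) ^ (u >> 11) ^ (u >> 17)) & 31
    return rotl32(x, amount) if e == 0 else rotl32(x, 32 - amount)


def crypt(a, b, q1, q2, e):
    """Crypt^(e) on subblocks (A, B) with round subkeys q1 = Q_i^(1,e), q2 = Q_i^(2,e),
    following the step list for DDP-S64 above (all +/- are modulo 2^32)."""
    u = (b + q2) & MASK32                 # U := B +32 Q_i^(2,e)
    a = (a + cp(u, 0, b)) & MASK32        # A := A +32 P^(U,0)(B)
    v = cp(u, e, a)                       # V := P^(U,e)(A)
    b = cp(v, e, u)                       # B := P^(V,e)(U)
    a = (v - q1) & MASK32                 # A := V -32 Q_i^(1,e)
    b = (b - cp(v, 0, a)) & MASK32        # B := B -32 P^(V,0)(A)
    return b, a                           # (A, B) := (B, A)


def round_trip(a, b, q1, q2):
    """Apply the encryption round (e = 0), then the decryption round (e = 1) with the
    subkeys swapped, as P^(e)_{2x32/1} swaps them in the key schedule; returns the
    recovered (A, B), which must equal the input."""
    a1, b1 = crypt(a, b, q1, q2, 0)
    return crypt(a1, b1, q2, q1, 1)


if __name__ == "__main__":
    # Constructed sample values, not test vectors of the cipher.
    A, B, Q1, Q2 = 0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D
    print("encrypted :", [hex(w) for w in crypt(A, B, Q1, Q2, 0)])
    print("recovered :", [hex(w) for w in round_trip(A, B, Q1, Q2)])
```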

Estimating the Security of the DDP-S64 Cipher


In differential cryptanalysis for this model, the most efficient characteristics are
those related to the input differences Δ_1 (with one active bit in the left data
subblock) over two rounds. After two rounds, these differences transform into the
difference δ_1 (where the active bit also belongs to the left subblock) with a
probability of 2^{-23}. At the output of the first round, the difference δ_2' is formed
(each of the subblocks containing one active bit), which in the second round turns
into the 1-bit difference δ_1. Considering the structure of the round transformation of
DDP-S64, we estimate the probability for the first round as p_1(δ_2'/Δ_1) ≈ 2^{-9}, and for
the second round as p_2(δ_1/δ_2') ≈ 2^{-14}. Accordingly, for two rounds, the probability
is p(2) = p(δ_1/Δ_1) = p_1 p_2 ≈ 2^{-23}. However, continuing by building six- and eight-
round characteristics will not lead to the desired result, since the probabilities
p(6) = p(δ_1/Δ_1) ≈ 2^{-69} and p(8) = p(δ_1/Δ_1) ≈ 2^{-92} do not exceed the value of the cor-
responding probability in a random 64-bit block cipher. Developing differential
characteristics with a large number of active bits did not give the desired result of
efficient characteristics, which proved the high cryptographic security of the DDP-
S64 block cipher against differential cryptanalysis.

The DDP-S128 128-Bit Cipher


The general encryption scheme is shown in Figure 5.20b.
There are 12 encryption rounds (r = 12) provided in the DDP-S128 128-bit
cipher, and, for a software implementation, the 128-bit data block is split into four
32-bit subblocks—A, B, C, and D—which are subject to further transformation.
The increase in the number of encryption rounds (compared to DDP-S64) is
due to the larger size of the data block. One distinctive feature of the DDP-S128
algorithm is that in the Crypt(e) procedure (Figure 5.20a), two controlled permu-
tations are performed over subblocks A and D, one of these permutations depend-
ing on subblock B, and the other on subblock C. This structure provides for the
implementation of a large number (about 2^{64}) of permutations to be performed
over the subblocks A and D within one round. The superposition of the controlled
permutations $P_{32/32}^{(B,e)}$ and $P_{32/32}^{(C,e)}$ is a block of maximum order.

FIGURE 5.20 The general encryption scheme (b) and one transformation round (a)
in the DDP-S128 algorithm.
The DDP-S128 block cipher algorithm (Figure 5.20b) is implemented using the
following procedures:

Initial transformation—IT
r rounds (loops) of transformations with the use of the Crypt(e) procedure
Final transformation—FT

In the Crypt(e) procedure, the controlled permutation operation $P_{32/32}^{(U,e)}$ is des-
ignated as $P^{(U,e)}$.
Initially, block X is divided into four subblocks of the same length,
A, B, C, and D; in other words, (A, B, C, D) = X, where A, B, C, D ∈ GF(2)^{32}, and
the IT procedure is performed:

$(A_0, B_0, C_0, D_0) = \mathrm{IT}(A \| B \| C \| D, Q_{IT}^{(e)}) = (A \oplus Q_1^{(1,e)}, B \oplus Q_2^{(1,e)}, C \oplus Q_3^{(1,e)}, D \oplus Q_4^{(1,e)})$.

Then, r = 12 rounds of transformations are performed using the Crypt(e) pro-
cedure, according to the formulas:

$(A, B, C, D) = \mathrm{Crypt}^{(e)}(A_{j-1}, B_{j-1}, C_{j-1}, D_{j-1}, Q_j^{(1,e)}, Q_j^{(2,e)})$;
$(A_j, B_j, C_j, D_j) = (B, A, D, C)$, (j = 1, 2, …, r).

After the rth round, the final transformation FT is performed over block
X = (B_r, A_r, D_r, C_r) according to the formula:

$Y = \mathrm{FT}(B_r, A_r, D_r, C_r, Q_{FT}^{(e)}) = (B_r \oplus Q_r^{(2,e)}, A_r \oplus Q_{r-1}^{(2,e)}, D_r \oplus Q_{r-2}^{(2,e)}, C_r \oplus Q_{r-3}^{(2,e)})$.

The Crypt(e) procedure is shown in Figure 5.20a:

$V := B$.
$A := P^{(B,0)}(A)$; $B := P^{(C,1)}(B)$; $D := P^{(C,0)}(D)$.
$C := C -_{32} Q_i^{(2,e)}$.
$A := A \oplus (B +_{32} C)$.
$B := B +_{32} Q_i^{(1,e)}$.
$C := P^{(B,0)}(C)$.
$D := D \oplus (V +_{32} C)$.
$A := P^{(C,0)}(A)$; $D := P^{(C,1)}(D)$.
$(B, C) := (C, B)$.
STOP.

As in the previous algorithms, the key use schedule is employed. In the jth
round (1 ≤ j ≤ r) two 32-bit subkeys are used; namely,

$Q_j^{(e)} = (Q_j^{(1,e)}, Q_j^{(2,e)})$.

The extended key Q^{(0)} = S is shown in Table 5.15, where the 32-bit keys K_0,
K_1, …, K_7 are the parts of the secret key K (K = K_0||K_1||…||K_7), and the values
of round keys $Q_j^{(e)} = (Q_j^{(1,e)}, Q_j^{(2,e)})$ for the encryption and decryption modes are de-
termined according to the following formula:

$(Q_{j+e}^{(1,e)}, Q_{r+1-e-j}^{(2,e)}) = P_{2\times 32/1}^{(e)}(S_j^{(1)}, S_{r+1-j}^{(2)})$.

TABLE 5.15 Schedule for Using Subkeys in the DDP-S128 Cipher

In the initial and final transformations of the DDP-S128 algorithm, four 32-bit
subkeys are used in each; namely,

$Q_{IT}^{(e)} = (Q_1^{(1,e)}, Q_2^{(1,e)}, Q_3^{(1,e)}, Q_4^{(1,e)})$, $Q_{FT}^{(e)} = (Q_r^{(2,e)}, Q_{r-1}^{(2,e)}, Q_{r-2}^{(2,e)}, Q_{r-3}^{(2,e)})$,

where r is the number of encryption rounds.


It is necessary to mention that Crypt(e) is characterized by the following features:

Controlled permutations over each of the A and D subblocks are performed depend-
ing on the B and C subblocks.
The B subblock is transformed using operations that are the reverse of those
performed over subblock C.
The sums of the values of subblocks B and C used in bitwise addition with sub-
blocks A and D are different.
The value exchange operation on subblocks B and C is an element of the
Crypt(e) procedure.

The structure of the DDP-S128 cipher round transformation successfully com-
bines the ideas of building iterative cryptoschemes.

Estimating the Security of the DDP-S128 Cipher


For the DDP-S128 cipher, the best differences in the differential cryptanalysis are
differences Δ_2 that have two active bits going in turn along the outermost and middle
branches of the cryptoscheme. The unit differences go along the outermost branches
without duplication, with a probability of p_1 = 1. Two unit differences may also go
along the middle branches without a difference occurring in the outermost
branches when, at the moment of calculating each sum (B +_{32} C) (see the algo-
rithm of the Crypt(e) procedure), unit differences appear in the same bits of
blocks B and C. In this case, when calculating each sum, with a probability of 0.5 the
differences for blocks B and C are mutually eliminated. If the probability of this
event is designated as p_2, then the value p_2 ≈ 2^{-32} can easily be justified. The
difference indicated passes two rounds with a probability of p(2) = p_1 p_2 ≈ 2^{-32}, and
eight rounds with a probability of p(8) = (p_1 p_2)^4 ≈ 2^{-128}.
For 10 and 12 rounds, such probabilities have values of p(10) ≈ 2^{-160} and
p(12) ≈ 2^{-192}, respectively. Thus, if the number of rounds is r ≥ 8, it is possible to
state that the DDP-S128 block cipher is secure against differential cryptanalysis.

5.5 STATISTICAL PROPERTIES OF ALGORITHMS

To check the statistical properties of block algorithms, it is advised that you test them
according to the method proposed by the New European project for creating base
primitives with the purpose of future standardization (NESSIE, New European
Schemes for Signatures, Integrity, and Encryption).

5.5.1 Criteria for Estimating the Properties of the “Avalanche Effect”


For each developed algorithm, it is necessary to analyze the results of statistical
processing according to the following criteria:

The average number of output bits changed when changing one input bit—1
The degree of completeness—2
The degree of avalanche effect—3
The degree of strict avalanche criterion—4

Let U^{(i)} = U ⊕ E_i; in other words, the binary vector obtained by inverting the
ith bit of vector U. Then, the binary vector Y^{(i)} = F(U^{(i)}) ⊕ F(U) is called the avalanche
vector for the ith component. For a block cipher, U = X||K. Let the dimension of
vector U be equal to n, and that of vector Y equal to m.
In criteria 2 and 4, a dependency matrix ||a_ij||_{n×m} is used; namely,

$a_{ij} = \#\{Y^{(i)} \mid y_j^{(i)} = 1\}$.

The matrix ||a_ij||_{n×m} reflects the dependence of the jth bit of the output vector
on the ith bit of the input vector. The degree of completeness (criterion 2) is esti-
mated by the formula:

$d_c = 1 - \frac{\#\{(i, j) \mid a_{ij} = 0\}}{nm}$

and the degree of strict avalanche criterion (criterion 4) can be estimated using
the formula:

$d_{sa} = 1 - \frac{\sum_{i=1}^{n} \sum_{j=1}^{m} \left| \frac{2 a_{ij}}{N} - 1 \right|}{nm}$,

where N = #U = #{U}.
To obtain an accurate estimation, a complete set of samples of all U vector
values is needed. However, taking into account the integral character of these esti-
mations, in order to obtain approximate values it is sufficient to use the Monte
Carlo method; in other words, a rather small set of samples of input values.
Criteria 1 and 3 use the distance matrix ||b_ij||_{n×m}; namely,

$b_{ij} = \#\{Y^{(i)} \mid w(Y^{(i)}) = j\}$,

which records the Hamming weights of the avalanche vectors.
The average number of output bits changed when changing 1 input bit (crite-
rion 1) is estimated by the formula:

$d_1 = \frac{1}{n} \sum_{i=1}^{n} \frac{\sum_{j=1}^{m} j\, b_{ij}}{N}$

and the degree of avalanche effect (criterion 3) can be estimated by the formula:

$d_a = 1 - \frac{\sum_{i=1}^{n} \left| \frac{1}{N} \sum_{j=1}^{m} 2j\, b_{ij} - m \right|}{nm}$.
The next two sections contain the results of testing the SPECTR-128 block cipher.
The results for the other tested algorithms are obtained in a similar manner.

5.5.2 Estimating the Influence of Incoming Text Bits on the Transformed Text
The criteria for estimating the influence of the plaintext bits on the trans-
formed text are intended for detecting possible weak sides of an algorithm that
might be used in cryptanalysis based on a chosen plaintext, or by using the differ-
ential cryptanalysis method. For the criteria described in Section 5.5.1, we consider
the case when the avalanche vector Y^{(i)} is formed by the input vectors U = X||K and
U = X^{(i)}||K, where X^{(i)} = X ⊕ E_i.

The following values are specified as parameters: q for keys, t for incoming
texts; N = qt. The values of q and t depend on the values of n and m and the
computational resources available. The dependence matrix ||a_ij||_{n×m} and the
distance matrix ||b_ij||_{n×m} look like this:

$a_{ij} = \#\{X \in \mathbf{X}, K \in \mathbf{K} \mid (F(X^{(i)}, K))_j \ne (F(X, K))_j\}$,

$b_{ij} = \#\{X \in \mathbf{X}, K \in \mathbf{K} \mid w(F(X^{(i)}, K) \oplus F(X, K)) = j\}$.

Keys and incoming texts are generated using a random number generator.
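As an added example (not from the book), the criteria d_1, d_c, d_a and d_sa of Section 5.5.1 computed from q keys and t texts as described in this section, together with a Monte Carlo estimate of the one-active-bit differential probability p(δ/Δ) discussed above for the COBRA-F64 ciphers. The 16-bit Feistel cipher, its round function, its key schedule and the sample sizes are constructed for this illustration and are not any of the book's ciphers.

```python
"""Avalanche criteria 1-4 of Section 5.5 (plaintext-bit influence, q keys x t texts)
and a Monte Carlo estimate of the 1-active-bit differential probability p(delta/Delta),
run on a constructed 16-bit toy Feistel cipher (not one of the book's ciphers)."""
import random

N_BITS = 16     # block length n; the output length m is the same
KEY_BITS = 16   # toy key length


def rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def round_f(r, k):
    """Toy round function: key addition mod 2^8 (nonlinear over GF(2)), then a
    bijective linear diffusion layer (t ^ rotl(t,3) ^ rotl(t,6))."""
    t = (r + k) & 0xFF
    return t ^ rotl8(t, 3) ^ rotl8(t, 6)


def subkey(key, j):
    """Toy key schedule, constructed for this example only."""
    return ((key >> (j % 9)) + 0x3B * j) & 0xFF


def encrypt(x, key, rounds):
    """Feistel cipher: L_j = R_{j-1}, R_j = L_{j-1} ^ f(R_{j-1}, k_j); no final swap."""
    left, right = x >> 8, x & 0xFF
    for j in range(rounds):
        left, right = right, left ^ round_f(right, subkey(key, j))
    return (left << 8) | right


def avalanche_criteria(rounds, q=20, t=200, seed=1):
    """Criteria 1-4 for the influence of plaintext bits (Section 5.5.2): the avalanche
    vector Y^(i) = F(X^(i), K) ^ F(X, K) is collected over q keys and t texts,
    N = q*t, into the dependence matrix a[i][j] and the distance matrix b[i][j]."""
    rng = random.Random(seed)
    n = m = N_BITS
    N = q * t
    a = [[0] * m for _ in range(n)]        # a_ij: Y^(i) has bit j set
    b = [[0] * (m + 1) for _ in range(n)]  # b_ij: Y^(i) has Hamming weight j
    keys = [rng.getrandbits(KEY_BITS) for _ in range(q)]
    texts = [rng.getrandbits(N_BITS) for _ in range(t)]
    for key in keys:
        for x in texts:
            y = encrypt(x, key, rounds)
            for i in range(n):
                av = encrypt(x ^ (1 << i), key, rounds) ^ y
                b[i][bin(av).count("1")] += 1
                for j in range(m):
                    a[i][j] += (av >> j) & 1
    d_c = 1 - sum(a[i][j] == 0 for i in range(n) for j in range(m)) / (n * m)
    d_sa = 1 - sum(abs(2 * a[i][j] / N - 1) for i in range(n) for j in range(m)) / (n * m)
    d_1 = sum(sum(j * b[i][j] for j in range(m + 1)) / N for i in range(n)) / n
    d_a = 1 - sum(abs(sum(2 * j * b[i][j] for j in range(m + 1)) / N - m)
                  for i in range(n)) / (n * m)
    return {"d_1": d_1, "d_c": d_c, "d_a": d_a, "d_sa": d_sa}


def best_one_bit_characteristic(rounds, samples=2000, seed=2):
    """For every 1-active-bit input difference Delta, estimate p(delta/Delta) over random
    (X, K) for every 1-active-bit output difference delta; return the (Delta, delta, p)
    with the largest p.  A value above 2^-n is what a cryptanalyst would look for."""
    rng = random.Random(seed)
    pairs = [(rng.getrandbits(N_BITS), rng.getrandbits(KEY_BITS)) for _ in range(samples)]
    best = (0, 0, 0.0)
    for i in range(N_BITS):
        delta_in = 1 << i
        counts = [0] * N_BITS
        for x, key in pairs:
            out = encrypt(x, key, rounds) ^ encrypt(x ^ delta_in, key, rounds)
            if out and out & (out - 1) == 0:       # exactly one active output bit
                counts[out.bit_length() - 1] += 1
        j = max(range(N_BITS), key=lambda k: counts[k])
        p = counts[j] / samples
        if p > best[2]:
            best = (delta_in, 1 << j, p)
    return best


if __name__ == "__main__":
    for r in (1, 2, 4, 6):
        c = avalanche_criteria(r)
        d_in, d_out, p = best_one_bit_characteristic(r)
        print(f"{r} rounds: d_1={c['d_1']:.2f} d_c={c['d_c']:.3f} d_a={c['d_a']:.3f} "
              f"d_sa={c['d_sa']:.3f}; best 1-bit characteristic Delta={d_in:#06x} "
              f"delta={d_out:#06x} p={p:.4f} (2^-n={2 ** -N_BITS:.1e})")
```

With one round, flipping a left-half bit changes exactly one output bit, so the completeness criterion fails and a one-bit characteristic holds with probability 1; with six rounds, every output bit depends on every input bit and no one-bit characteristic survives.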
For the SPECTR-128 algorithm, integral estimates both for the declared number
of rounds and for a reduced number of rounds were obtained. Similar to the test
results of the five finalists of the contest for the new American block encryption
standard held by the U.S. National Institute of Standards and Technology, the
“one key and 10,000 texts” variant was implemented, as well as “100 keys and 100
texts” (Table 5.16).
The results of testing the SPECTR-128 algorithm correspond to the test results
for the contest finalists. They prove that the given transformation algorithm pos-
sesses good scattering properties, even with a small number of rounds, and may be
treated as a good generator of pseudorandom substitutions. In particular, the
completeness criterion, according to which “each input bit should influence each
output bit,” is already satisfied after two encryption rounds. For example, in the
DES and GOST algorithms, this criterion is satisfied only after no fewer than four
encryption rounds, which is determined only by the Feistel scheme used.

5.5.3 Estimating the Influence of Key Bits on the Transformed Text


In this case, the avalanche vector Y^{(i)} is formed by the input vectors U = X||K and
U = X||K^{(i)}, where K^{(i)} = K ⊕ E_i. In the criteria, the dependence matrix ||a_ij||_{n×m} and
the distance matrix ||b_ij||_{n×m} look like this:

$a_{ij} = \#\{X \in \mathbf{X}, K \in \mathbf{K} \mid (F(X, K^{(i)}))_j \ne (F(X, K))_j\}$,

$b_{ij} = \#\{X \in \mathbf{X}, K \in \mathbf{K} \mid w(F(X, K^{(i)}) \oplus F(X, K)) = j\}$.

The test data for the SPECTR-128 algorithm (Table 5.17) prove that a rather
strong diffusion influence of each key bit upon all bits of the transformed text is
provided for, even without a secure procedure for generating an extended key.
We must mention that these criteria are efficient tools for detecting weak sides
in separately developed procedures and transformations, in making up the sched-
ule for using round keys, and when an optimal number of rounds are chosen.

TABLE 5.16 Values of Influence Criteria 1–4 of the Incoming Text on the Transformed
Text (for Various Numbers of Rounds)

TABLE 5.17 The Values for Criteria 1–4 on the Influence of Key Bits on Transformed
Text (for Various Numbers of Rounds)

With respect to contemporary recommendations, the number of rounds in
block encryption algorithms should be greater than the minimum secure level by
two, which is implemented, for example, in the SPECTR-H64 and SPECTR-128
algorithms.

Main Results
The following can be considered the main results of our discussion on designing
fast ciphers based on controlled operations.

We presented basic schemes for building universal iterated block ciphers based
on controlled operations.
We gave concrete models of block ciphers, both for a hardware and a software
implementation.
We considered the prospects of using controlled permutational and substi-
tutional operations as cryptographic primitives. In particular, we offered a new
command to processor developers, implementing a controlled permutation
operation that can be efficiently used in developing program ciphers if imple-
mented as a special instruction.
We presented specific schemes and constructions of applying one-stage con-
trolled permutation blocks not only for round key selection control, but also in
forming control vectors for inverse transformation implementation in controlled
permutation blocks of a special type.
Since block ciphers might possess only practical security (and not theoretical),
it is necessary to strictly observe their contemporary development principles.
The statistical tests described in this chapter are a well-tested tool, allowing you
to detect obvious weak sides of an algorithm.

5.6 ELEMENTS OF THE CRYPTANALYSIS OF CIPHERS BASED ON CONTROLLED OPERATIONS

5.6.1 Estimating Flexible Ciphers


As a rule, cryptanalysis is based on the use of algebraic and/or statistical mecha-
nisms of ciphers. If mechanisms are found that enable you to distinguish a deter-
ministic transformation implemented by a cipher controlled by a secret key from a
random one, then actual prerequisites for cipher breakability appear. Therefore, the
general task of cryptanalysis is the detection of such mechanisms and the develop-
ment of methods of using them in breaking the whole cipher or its elements.
The best known universal statistical method of cryptanalysis is frequency crypt-
analysis. It is based on using the irregularity of the occurrence of different alphabetic
symbols or their combinations in the plaintext, which is leveled out (though not
completely) by applying an encryption transformation. For example, if a simple
substitution cipher is used (each alphabetical symbol of the plaintext corresponds to
a unique symbol of the ciphertext alphabet), then the transformed text (ciphertext)
fully retains the structure of the occurrence of the source text symbols. Provided that
a ciphertext of a size sufficient for detecting considerable differences in the occur-
rence of various symbols is available, such a mechanism helps to break the cipher
because you have the option of establishing a correspondence between the symbols
of the ciphertext and those of the plaintext.
It is common knowledge that one of the main modes of using block ciphers is
the simple substitution mode (electronic codebook, ECB). Contemporary block ciphers,
however, are practically invulnerable to the frequency cryptanalysis method, due to
the very large number of possible data blocks (2^{64} or 2^{128}). In other words, it is
practically impossible to find the actual frequency of occurrence of the input data
blocks, and especially to obtain a significant sample of transformed texts. Therefore,
cryptanalysis methods being developed for contemporary block ciphers take into ac-
count mechanisms whose detection requires not only transformed texts, but also
incoming ones, including specially chosen ones. These ways of attacking allow you
to create more varied statistical methods of analysis.
There are two main tasks of cipher cryptanalysis. The first task is the computa-
tion of the secret key, or finding a way to keylessly read ciphertexts, which is solved
by a violator (decipherer, cryptanalyst) with the purpose of accessing information.
This is the so-called decryption problem. Note that in the process of solving the first
task, in order to determine the prospects of a cipher’s development, a cryptanalyst
should obtain a high level of cipher security for each cryptanalysis method he or she
knows, with respect to conditions of practically applying them, and then choose the
most efficient method of decryption. Therefore, for each particular method, the
cryptanalyst should determine, for example, the maximum number of elementary
operations (if such an estimation is determined by the number of elementary op-
erations) that must be performed to solve a cryptanalysis task.
The cryptanalyst can obtain this estimation with respect to the labor expenditure
needed to differentiate the encryption algorithm from a random transformation, and
the labor spent for computing the key using the detected statistical mechanisms.
When security is estimated, apart from the labor spent to solve a cryptanalysis task,
the memory necessary for implementation of the attack method is often determined
as well. As a rule, when a large amount of memory is used, the number of operations
necessary is considerably reduced. A general requirement for contemporary ciphers
is the high computational complexity of the cryptanalysis (for example, 10^{40} opera-
tions) even when a large amount of memory is used (for example, 10^{20} bytes).

The second task, cipher security estimation, is usually done by the developer.
As a rule, the conditions for solving the first task are less pleasant than those of the
second task. The latter, however, is no less complicated, since the cipher developer
has to find the lowest security level for the cipher being developed for each crypt-
analysis method he knows, including methods that are currently impossible to im-
plement but that are theoretically justified. The cryptosystem developer tries to
obtain an estimation corresponding to the minimal number of operations needed
to solve a cryptanalysis task using the best cryptanalysis algorithm. Since it is not al-
ways possible to determine the best cryptanalysis algorithm, a minimum estimation
is given to the best of the known cryptanalysis algorithms. The developer can also
estimate the cipher’s security as the labor expenditure needed to determine how it
is different from a random cipher.
Thus, the estimations gained in the course of solving the first task should be
higher than those gained in the course of solving the second task. In practice, how-
ever, this condition is not always observed, since much depends on the subjective
conditions of solving each task.
During cryptanalysis, it is usually assumed that the integrity of the encryption
device is sufficient when the algorithm is not modified during the encryption
process, and the violator has no way to read the key information from any kind of
leakage (feed circuit inducing, side electromagnetic radiations, computation time
measurement, machine errors, etc.). Lately, however, attacks on encryption device
integrity are considered more often. This is due to the expanding application of en-
cryption, in which these devices are used to solve various tasks in various operating
conditions. Be aware that the cryptographic analysis of special purpose ciphers
always used to include the study of the violation of the encryption device’s in-
tegrity. The active study of such forms of attack started when encryption began to
be widely used as an element of information security in computer-aided systems.
Estimating the security of flexible ciphers, those where the use of a concrete
cryptalgorithm is determined by the secret key, is of special interest. Note that in
this type of cipher, Kerckhoffs’ principle, according to which the only unknown el-
ement is the secret key, can be implemented by using pre-computations that include
a building procedure for the encryption algorithm that depends on the user’s secret
key. In this case, a concrete encryption algorithm is an easily changeable element. It
is automatically changed when the secret key is changed. If the number of possible
modifications of the cryptalgorithm is large (e.g., 10^{20}), then it is rather difficult to
analyze each of them. Therefore, when flexible ciphers are built, a base mechanism
is developed in which certain principles that determine the general properties of all
modifications are fixed. As a rule, the developer estimates the level of security for a
limited set of algorithms by assuming that the cryptanalyst knows the particular
modification. To obtain the lowest security level of a cipher, it is advisable to find the
same estimate for the “weakest” modification. Another important way to analyze

flexible algorithms assumes that the encryption key is known, with only the cryptal-
gorithm modification remaining unknown. It makes sense to only use flexible ci-
phers with high security against all variants of cryptanalysis mentioned previously.
The confidentiality of the cryptalgorithm modification in flexible ciphers
should not be treated as the main factor of high security, but rather as a mechanism
to determine the additional security reserve. Indeed, if a cryptanalyst does not know
the modification of the cryptalgorithm, the cryptographic task will be considerably
more complex.
The universal methods of cryptanalyzing flexible ciphers are keyless reading and
exhaustive search of the key space. Neither method requires knowledge of the
concrete modification of the cryptalgorithm, but the first is efficient only when
decrypting relatively weak ciphers, and the second only when small keys are used.
For the flexible program ciphers described in Chapter 2, using these universal
methods does not allow you to actually decrypt a cryptoscheme. Using more effi-
cient methods based on the availability of statistical mechanisms in the samplings
gained during studies of certain transformations requires much more labor expen-
diture if the modification of a cryptalgorithm is unknown, compared to the labor
needed to decrypt well known transformation procedures.
To gain the minimal security estimation for ciphers based on the data-dependent
subkey selection, the combinatory-probabilistic model was introduced. This model
and methods of its use were described in Chapter 2 when estimating the security of
some software-oriented 512-byte algorithms. The reason for using this model to get
the minimal security estimation is that one encryption round includes a large num-
ber of operations (128k, where k = 2, 4, 6), where at least half are performed in com-
plex dependence on each bit of the plaintext and each bit of the secret key. The
selected keys are not used directly in the transformation of the current data subblock,
but rather are elements of the procedure for forming accumulating key variables.
These variables are transformed within one round in concatenation mode,
which determines the influence of the current (including the initial) value of each
of these variables upon all its subsequent values. The concatenation method ex-
plains the inclusion of each accumulating variable in the transformation and, con-
sequently, in the transformation of each data subblock—long chains of subkeys
selected pseudorandomly. Trying to compute such chains based on source and
transformed texts using algebraic relationships leads to the formation of a nonlin-
ear boolean equation system with many unknowns, which is very hard to solve.
Generating equations that can be solved using reasonable computing resources
necessitates the inclusion of some pseudorandom values of accumulating variables
in such equations. Assuming some pseudorandom parameters in the relationships
used for cryptanalysis is generally done for many statistical types of attacks, includ-
ing both linear and differential methods recognized as the most general and effi-
cient methods used in block cryptosystem analysis. Currently, except for the
278 Innovative Cryptography, Second Edition

combinatory-probabilistic model, no other methods of 512-byte algorithm security
estimation have been introduced, although they have been discussed for about 10
years in various scientific papers.

5.6.2 Differential Characteristics of Controlled Permutation Boxes


One of the universal methods of block cipher cryptanalysis used for estimating
security is differential cryptanalysis (DC).
Following is a brief explanation of differential cryptanalysis.
Let’s say there is a rather complex one-to-one mapping Y = F(X) depending on
the key, where the number of possible values of X is large (e.g., $2^{64}$). As a rule,
it is impossible to predict the value of Y for a randomly chosen X. Let’s say a
rather large number of distinct pairs $(X_1, Y_1), (X_2, Y_2), \ldots, (X_r, Y_r)$ is already
known. If, for any X not belonging to the set $\{X_1, X_2, \ldots, X_r\}$, it is impossible
to predict Y with a probability exceeding $(2^n - r)^{-1}$; in other words, if the values
of Y that have not yet occurred are equiprobable, this proves the pseudorandom
character of the mapping. Otherwise, the mapping is not pseudorandom.
Now let’s consider two vectors simultaneously—X1 and X2. Using a binary op-
eration, a third vector can be made to correspond to each pair of binary vectors,
and this vector will be called the difference. Usually, an XOR (X1 ⊕ X2) operation is
used as such a binary operation, and the difference is commonly designated with
the symbol ΔX . Thus, the incoming difference ΔX looks like ΔX = X1 ⊕ X2. Accord-
ingly, the difference in the values of the F function, called the output difference,
looks like ΔY = Y1 ⊕ Y2. Usually, the same binary operation is used when input and
output differences are determined, although such a coincidence is not mandatory.
In the considered example, even with the absence of a statistical dependence be-
tween the samplings of the transformed texts and those being transformed, a sta-
tistical dependence may exist between the sampling differences of the transformed
texts and those being transformed. That is, there may be an irregularity of output
difference ΔY values as a result of the transformation of a set of binary vector pairs
interconnected by a certain difference.
The idea of differential cryptanalysis lies in the task of finding a difference that,
after the entire encryption transformation, would generate a difference with a fre-
quency of occurrence that considerably differs from the average value. Finding
such input and output differences is the main task of DC. If such differences are
found, this means that the conditions under which an encryption transformation is
recognized as a nonrandom one have been found. After this, a way of using this
circumstance to compute a secret key must be found. Since DC deals with the
encryption of specially selected pairs of texts, this type of cryptanalysis is related to
attacks based on specially chosen texts.
Thus, in using the DC method, we consider the propagation of differences of a
certain type through separate operations, a round, or the entire encryption
transformation. Implementing the method requires the encryption of a large
number of data block pairs with a fixed difference.
In other words, the DC method searches for an efficient differential character-
istic that can be used to decrypt a cipher. Remember that the differential
characteristic is a triple $(\Delta X, \Delta Y, p(\Delta X \to \Delta Y))$, where
$p(\Delta X \to \Delta Y) = p(\Delta Y / \Delta X)$ is the probability of the occurrence of the
difference ΔY when the input difference ΔX is given. A characteristic for which the
probability $p(\Delta X \to \Delta Y)$ over the full number of encryption rounds considerably
exceeds $2^{-n}$, where n is the length of the vectors X and Y, is called efficient.
Let’s say that an efficient characteristic $(\Delta X, \Delta Y, p(\Delta X \to \Delta Y))$ is found, where
$2^{-n+20} \approx p(\Delta Y / \Delta X) \gg 2^{-n}$. For key computation, however, the encryption of a very
large number of data block pairs is required. As a rule, for such a number N, the
inequality $N \ge 1/p^2(\Delta Y / \Delta X)$ holds. In the example considered, to prove that the
encryption transformation is not pseudorandom, that is, it is distinguishable from a
random one, it is sufficient to encrypt about $2^{n-20}$ pairs of data blocks. To compute
the key, however, $2^{2n-40}$ input data blocks will be required, which is problematic
at n = 64 and practically unrealizable at n = 128.
Thus, it is possible to show that some block ciphers implement an encryption
transformation that is different from a random one, but that the key computation
is a very difficult task. If such a situation is revealed at the stage of a cipher design,
the developer needs to modernize the current version of the cipher in such a way to
make it a pseudorandom substitution (keeping in mind that every block cipher is a
substitution). The DC performed by the developer need not include the key
computation stage or an estimation of the labor expenditure needed to implement
its variants. It is sufficient to build a cipher that is indistinguishable from a random
transformation for all possible differential characteristics.
Important differential characteristics are iterative characteristics with identical
input and output differences. For ciphers based on permutations that depend on
the data being transformed, differential characteristics with input and output dif-
ferences that belong to the same class and have the same (usually small) Hamming
weight are also important.
At first, operations of controlled permutations seem too complicated for DC.
However, with a gradual transition from the analysis of the differential character-
istics of an elementary switch to more complicated blocks of controlled permuta-
tions, it is possible to find rather simple general dependencies connected with the
most important cases of DC. Such cases are related to determining the probability
of the propagation of differences with a small number of active bits. It is these
differences that have the greatest probabilities for cryptoschemes based on using
controlled permutation blocks. Indeed, it was shown in the description of specific

ciphers in this chapter that two permutation operations are normally used in one
encryption round, these operations depending on the data being transformed and
their superposition forming a permutation of the maximal order. The positions of the
active bits then become arbitrary. This is the reason why increasing the number of active bits
leads to a considerable reduction in the probability of obtaining the expected dif-
ference at the outcome of one round. This is shown in the DC of specific ciphers
earlier in this chapter.
It is rather easy to establish the main differential characteristics of an elemen-
tary box P2/1, which have nonzero probabilities. These characteristics are shown in
Figure 5.21, where the superscript of a difference Δ indicates its correspondence to
input (x), output (y), or control input (v), and the subscript indicates the number
of nonzero bits in the difference. Using these properties of an elementary switch
that is the base element of more complex boxes of controlled permutations, and
taking into account the bit distribution of the control data subblock, it is easy to
compute the probabilities of differential characteristics for the most important
types of controlled permutation boxes.

FIGURE 5.21 Probabilities of passing differences through elementary switch P2/1.

Let’s consider a case of using expansion box E, which provides for the influence
of each bit of control data subblock L on q (q = 2, 3) different bits at output E, and
the strictly one-time influence of each control bit on all input bits of the controlled
permutations box.
The general scheme shown in Figure 5.22 can contain boxes P16/32 (q = 2), P32/96
(q = 3), or P64/192 (q = 3) as box Pn/m. Designate the number of nonzero bits of the

difference going through the control data subblock L as z, and the number of ele-
mentary events related to the generation of a pair of active bits in an elementary box
P2/1, whose control input is fed with a nonzero difference (Figure 5.22c), as w.
These P2/1 boxes will be called active.

FIGURE 5.22 The general scheme of the passing of differences through a controlled
permutations box (a), zero difference passing through the P2/1 active boxes without
active bit generation (b), and with active bit generation (c).

If the input of an expansion box is fed with the difference $\Delta^L_1$ with one active
bit, then the difference $\Delta^V_q$ with q active bits appears at the control input of the
controlled permutations box. If a zero difference $\Delta^X_0$ is fed to the input of the
controlled permutations box, then, depending on the specific bit values entering
the inputs of the elementary switches corresponding to active bits of the difference $\Delta^V_q$,
either a zero difference $\Delta^Y_0$ or a nonzero difference $\Delta^Y_{2w}$ (w ≤ q) with an even number
of active bits may occur at the output of the controlled permutations box. Taking
into account the probability of a zero difference transformation while passing
through an active elementary switch P2/1, it is easy to get the following formula:

$p(\Delta^X_0 \to \Delta^Y_{2w} / \Delta^L_z) \approx 2^{-qz}\, C^{w}_{qz}$

If z = 1, then this formula is exact, and if z ≥ 2, it provides a good approximation.
When q = 3, 4, 5, the formula provides a rather exact probability value. You
can also use it at higher q values, but differences with a large number of active bits
do not contribute much to differential characteristics with maximum probabilities.
Another important case is related to the passing of the difference $\Delta^X_1$ with one
active bit through the controlled permutations box in the presence of a nonzero
difference $\Delta^L_z$, z ≠ 0, at the control input. The active bit of the input difference
may pass all active elementary switches with the probability $p' \approx (n - 2qz)/n$, or
pass through one of the active elementary switches P2/1 with the probability
$p'' \approx 2qz/n$. For z = 1, these expressions for the probabilities are exact,
and for z = 2, 3, 4, they provide a rather good approximation. Taking into account
the fact that each active elementary switch P2/1 can generate two active bits of output
difference with a probability of 0.5, it is easy to derive the following approximation
for the probability of the considered event:

$p(\Delta^X_1 \to \Delta^Y_{1+2w} / \Delta^L_z) \approx \frac{n - 2qz}{n}\, 2^{-qz}\, C^{w}_{qz} + \frac{2qz}{n}\, 2^{1-qz}\, C^{w}_{qz-1}$
When a difference with two or more active bits passes through the controlled
permutations box, there is the possibility of the “annihilation” of an even number
of active bits. The maximum probability corresponds to the zeroing of two active
bits. Consider how this happens for the differences $\Delta^X_2$ and $\Delta^L_z$. With a probability
close to 2qz/n, one of the active bits of the $\Delta^X_2$ difference goes to the input of one
of the active elementary switches. With a probability of 1/(n – 1), the second active
bit moves to the input of the same box P2/1. With a probability of 0.5, these active
bits are simultaneously zeroed. The remaining qz – 1 active elementary switches P2/1
will not generate new pairs of active bits in the output difference with a probability
of $2^{-qz+1}$.
After multiplying the probabilities of all these independent events, we derive:

$p(\Delta^X_2 \to \Delta^Y_0 / \Delta^L_z) \approx 2^{1-qz}\, \frac{qz}{n(n-1)}$

This formula is derived for the case of averaging over all possible positions i and j
of the active bits of the input difference $\Delta^X_{2|i,j}$ (assuming that both
i and j are random equiprobable values). The considered mechanism of active bit
“annihilation” shows that the simultaneous zeroing of two and more pairs of active
bits has a considerably smaller probability. Some values of the probability
$p(\Delta^X \to \Delta^Y / \Delta^L_z)$ are shown in Tables 5.18 and 5.19.
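The properties of the elementary switch on which the three formulas above rest can be checked by enumeration. The following is an added example, not code from the book: it builds the exact differential table of a P2/1 box from its definition (pass-through for v = 0, swap for v = 1) and then composes that table over qz independent active switches, which recovers the page's formula $2^{-qz} C^{w}_{qz}$ for a zero input difference; the independence of the active switches is the same assumption the page makes.

```python
"""Differential behaviour of the elementary controlled switch P2/1.

Added example, not code from the book.  The switch outputs (x1, x2) when its
control bit v is 0 and (x2, x1) when v is 1.  The exhaustive table reproduces
the facts used in the text: a zero input difference meeting an active control
bit yields a pair of active output bits with probability 1/2, a single active
bit passing an active switch lands on either output with probability 1/2, and
two active input bits are "annihilated" with probability 1/2.  The last
function composes the table over qz independent active switches (the
independence assumption the page makes) and recovers 2^-qz * C(qz, w).
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import comb


def p21(x1, x2, v):
    """Elementary controlled permutation box P2/1."""
    return (x2, x1) if v else (x1, x2)


def p21_ddt(dx, dv):
    """Exact distribution of the output difference dy = (dy1, dy2) for a fixed
    input difference dx = (dx1, dx2) and control difference dv, averaged over
    all eight values of (x1, x2, v)."""
    counts = Counter()
    for x1, x2, v in product((0, 1), repeat=3):
        y = p21(x1, x2, v)
        y_star = p21(x1 ^ dx[0], x2 ^ dx[1], v ^ dv)
        counts[(y[0] ^ y_star[0], y[1] ^ y_star[1])] += 1
    return {dy: Fraction(c, 8) for dy, c in counts.items()}


def weight_distribution(dx, dv):
    """Distribution of the Hamming weight of the output difference."""
    dist = Counter()
    for dy, p in p21_ddt(dx, dv).items():
        dist[sum(dy)] += p
    return dict(dist)


def active_bits_behind_switches(num_active):
    """Distribution of the number of active output bits when a zero input
    difference meets num_active = q*z independent active switches (dv = 1):
    the single-switch weight distribution convolved with itself."""
    single = weight_distribution((0, 0), 1)        # {0: 1/2, 2: 1/2}
    dist = {0: Fraction(1)}
    for _ in range(num_active):
        nxt = Counter()
        for k, p in dist.items():
            for w, r in single.items():
                nxt[k + w] += p * r
        dist = dict(nxt)
    return dist


def book_formula(qz, w):
    """The page's closed form p(dX_0 -> dY_2w / dL_z) ~ 2^-qz * C(qz, w)."""
    return Fraction(comb(qz, w), 2 ** qz)


if __name__ == "__main__":
    for dx, dv in product(product((0, 1), repeat=2), (0, 1)):
        print(f"dx={dx} dv={dv}: {p21_ddt(dx, dv)}")
    qz = 3  # e.g. q = 3 (P32/96 or P64/192) with one active control bit, z = 1
    for w in range(qz + 1):
        print(f"w={w}: from table {active_bits_behind_switches(qz)[2 * w]}, "
              f"formula {book_formula(qz, w)}")
```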

TABLE 5.18 Probability Values $p(\Delta^X \to \Delta^Y / \Delta^L_1)$ for the P64/192 Box

TABLE 5.19 Probability Values $p(\Delta^X \to \Delta^Y / \Delta^L_2)$ for the P64/192 Box

It is worth mentioning that the preceding formulas for computing the proba-
bility for events related to either class of differences and that are characterized
mainly by different Hamming weights provide integral estimations within a rather
large class of differences. If additional active bits are generated, then there is no
binding of active bits to specific numbers of bits. However “annihilation” includes
the binding of the second bit to a specific position because it is the fact of two ac-
tive bits going to the input of the same active elementary switch that is considered.
Assuming that the previous estimations are correct for both direct and inverse layered
boxes of controlled permutations, the “annihilation” events can be examined by
changing the bit movement from output to input, which leads to a case similar to
active bit generation in a reverse box of controlled permutations. Therefore, it
is easy to understand why “annihilation” probabilities have considerably smaller
values. It is because the generation of an active bit pair does not require that two
specific bits move to the input of the same active elementary switch—such a case
deals with much more numerous classes of events. The “annihilation” event has
probability values that correspond to a case of active bit generation in the specified
output classes. We will encounter this circumstance later on, during the DC of spe-
cific ciphers that use controlled permutations as a base cryptographic primitive.
Studying the differential properties of cryptosystems based on controlled op-
erations also includes the preliminary consideration of the probabilities of passing
various differences through a G operation. Probability values can be easily derived
from formulas describing the boolean functions corresponding to this operation.
Since different operations of such type are used in different ciphers, their proper-
ties will be considered directly during the DC of the specific cryptosystems.

5.6.3 Analysis of the SPECTR-H64 Cryptosystem


Using multilayer boxes of controlled permutations in the SPECTR-H64 block
cipher means that the differential characteristics with the largest probabilities are
those with a small number of active bits.
In the considered scheme, the difference with one active bit in the right branch
(with a zero difference in the left branch) passes through one transformation round
with a probability equal to 1. In the same scheme, if one active bit is available in the
left branch and a zero difference is available in the right branch, there is a rather
large probability of obtaining a zero difference in the right branch. That is, in this
case, the general output difference will be the same as the input difference. Let’s
consider this case in more detail, which, with respect to the previous one, will allow
us to form 2-, 4-, and 2k-round characteristics.
However, in the considered case, the difference in the right branch is equal to the
difference at the output of one round, and within the round, the active bit passing
through the left branch of the cryptoscheme considerably influences the generation
of new active bits in the right branch. In the controlled permutations box, active
bits are generated at random, and during the performance of the G operation, by
both a probabilistic law and a deterministic one. If there is one active bit at the
input of the G operation, from two to six active bits are generated at its output
(two active bits are generated according to the deterministic law). Generation
of an even number of active bits (0, 2, 4, 6) also takes place in each P' or P''
box. After the XOR operation is performed (before the $P^{-1}_{32/80}$ controlled permutation
is implemented), the total number of active bits can increase (up to 18) or
decrease (to 0).
Because we are interested in a situation where a zero difference (the absence of
the active bits’ “propagation”) is implemented at the output of box $P^{-1}_{32/80}$, the case in
which the number of such active bits after the XOR operation is performed is equal
either to zero or two is of the greatest interest for us. It is for these cases that the
probabilities of obtaining a zero difference at the output of box $P^{-1}_{32/80}$
are especially important.
These arguments enable us to form the two-round differential characteristic
shown in Figure 5.23 with the use of the following designations:

$\Delta^L$ and $\Delta^R$: the differences in the left (L) and right (R) subblocks
$\Delta^F$ and $\Delta^{(F)}$: the input and output differences corresponding to the F operation
$\Delta^{(G)}_{2|i,i+1}$: a difference whose subscript indicates first the total number of active
bits and, after the vertical line, the positions of the active bits

With such a designation, the entries $\Delta_{2|i,j}$ and $\Delta_2$ have the following meaning:
the first designates a specific difference with two active bits, and the second
indicates only one of the differences with two active bits.
Taking into account the design philosophy of the P32/80 box, used in one round
of the SPECTR-H64 cipher, the li active bits of data subblock L control a different
number of P2/1 boxes, depending on the i ordinal number and on the L data sub-
block’s cycle shift value before the expansion procedure is performed. The number
of P2/1 boxes controlled by one bit li will be designated as q.
Figure 5.23 shows the main variants of one active bit passing in the ith position of
the left branch without generating active bits at the output of box P''.

Event A1
1. The difference $\Delta^{(G)}_{2|i,i+1}$ is formed at the output of operation G with a probability of $p_2^{(i)}$.
2. The difference $\Delta^{(P')}_{2|i,i+1}$ is formed at the output of box P' with a probability of $p_3^{(i,i+1)}$.
3. The difference $\Delta^{(P'')}_0$ is formed at the output of box P'' with a probability of $p_1^{(i)} = 2^{-q}$.
4. After two XOR operations are performed, a zero difference is formed at the input of box $P^{-1}$, passing through this box with a probability of $p_4^{(i)} = 2^{-q}$.

Event A2
1. The difference $\Delta^{(G)}_{2|i,i+1}$ is formed at the output of operation G with a probability of $p_2^{(i)}$.
2. The difference $\Delta^{(P')}_0$ is formed at the output of box P' with a probability of $p_3^{(i)} = 2^{-q}$.
3. The difference $\Delta^{(P'')}_{2|i,i+1}$ is formed at the output of box P'' with a probability of $p_1^{(i,i+1)}$.
4. After two XOR operations are performed, a zero difference is formed at the input of box $P^{-1}$, passing through this box with a probability of $p_4^{(i)} = 2^{-q}$.

Event A3
1. The difference $\Delta^{(G)}_{2|i,i+1}$ is formed at the output of operation G with a probability of $p_2^{(i)}$.
2. The difference $\Delta^{(P')}_0$ is formed at the output of box P' with a probability of $p_3^{(i)}$.
3. The difference $\Delta^{(P'')}_0$ is formed at the output of box P'' with a probability of $p_1^{(i)}$.
4. After two XOR operations are performed, the difference $\Delta_{2|i,i+1}$ is formed at the input of box $P^{-1}$ and is zeroed in this box with a probability of $p_4^{(i,i+1)}$.

FIGURE 5.23 A two-round characteristic formation scheme in the SPECTR-H64 cipher for event A1.

Following is a brief explanation of the computation of the probability $p_2^{(i)}$. For
it, we write the general formula for computing the bit in the ith position at the
output of the G function specifying the Y = G(X, A, B) transformation, where A and B
are subkeys used during the implementation of this transformation:

$y_i = x_i \oplus x_{i-1} \oplus x_{i-2} a_i \oplus x_{i-2} x_{i-5} b_i \oplus x_{i-3} x_{i-5} \oplus x_{i-4} b_i,$

where $a_i$ and $b_i$ are subkey bits. From this last relationship, it is easy to derive the
following formulas that characterize the changes in the output bits $y_i, y_{i+1}, y_{i+2}, y_{i+3}, y_{i+4}, y_{i+5}$
caused by changing the single input bit $x_i$ ($\Delta x_i = 1$); namely,

$\Delta y_i = \Delta x_i$; $\Delta y_{i+1} = \Delta x_i$;
$\Delta y_{i+2} = \Delta x_i (a_{i+2})$; $\Delta y_{i+3} = \Delta x_i (x_{i-2})$;
$\Delta y_{i+4} = \Delta x_i (b_{i+4})$; $\Delta y_{i+5} = \Delta x_i (x_{i+2} \oplus x_{i+3} \oplus b_{i+5})$.

Based on these formulas, it is easy to compute the following probability values:

$p(\Delta y_i = 1 / \Delta x_i = 1) = p(\Delta y_{i+1} = 1 / \Delta x_i = 1) = 1,$

and for k = 2, 3, 4, 5:

$p(\Delta y_{i+k} = 0 / \Delta x_i = 1) = 1/2.$

Then, assuming that subkeys A and B are random equiprobable values, the
value of $p_2^{(i)}$ is determined by the formula:

$p_2^{(i)} = p(\Delta y_i = 1 / \Delta x_i = 1)\, p(\Delta y_{i+1} = 1 / \Delta x_i = 1)\, p(\Delta y_{i+2} = 0 / \Delta x_i = 1) \cdots p(\Delta y_{i+5} = 0 / \Delta x_i = 1).$

In the formula, you must take into account the limits on the maximum possible values
of the indices i and i + k of the co-factors with $\Delta y_{i+k}$, which should not exceed 32.

The p2(i ) probabilities for various values of the i index are set forth here:

p2( i ) = 0 for i = 1, 2 because in these cases no less than three active bits are
formed in the output difference.
p2( i ) = 2−4 for 3 ≤ i ≤ 27; this value, derived by the multiplication of all six
co-factors, is present in the preceding formula.
With respect to the remark for values i ≥ 28, we have:

i = 28: $p_2^{(i)} = 2^{-3}$
i = 29: $p_2^{(i)} = 2^{-2}$
i = 30: $p_2^{(i)} = 2^{-1}$
i = 31: $p_2^{(i)} = 1$
i = 32: $p_2^{(i)} = 0$
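The $p_2^{(i)}$ values just listed can be checked by simulating the G operation directly. The following is an added example, not code from the book or from the SPECTR-H64 reference implementation; it assumes that input indices below 1 denote zero bits (the page does not give the boundary rule, so its result for i = 1, 2 is not reproduced) and, as the page's remark on index limits requires, that output positions above 32 do not exist.

```python
"""Estimating p2^(i) for the G operation of SPECTR-H64.

Added example, not code from the book or from the cipher's reference
implementation.  The bit equation of G from the text is evaluated on whole
32-bit words: the term x_{i-k} is obtained by shifting X left by k, so input
indices below 1 are zero bits (an assumption; the page does not state the
boundary rule, so its values for i = 1, 2 are outside this example) and output
positions above 32 are dropped, as the page's remark on index limits requires.
Bit i of a word (1-based, as on the page) is stored at bit position i - 1.
"""
import random

N = 32
MASK = (1 << N) - 1


def sh(x, k):
    """Word whose bit i equals x_{i-k} (zero for i - k < 1, by assumption)."""
    return (x << k) & MASK


def g_operation(x, a, b):
    """y_i = x_i + x_{i-1} + x_{i-2}a_i + x_{i-2}x_{i-5}b_i + x_{i-3}x_{i-5} + x_{i-4}b_i
    (sum modulo 2), evaluated for all i = 1..32 at once."""
    return (x ^ sh(x, 1) ^ (sh(x, 2) & a) ^ (sh(x, 2) & sh(x, 5) & b)
            ^ (sh(x, 3) & sh(x, 5)) ^ (sh(x, 4) & b)) & MASK


def output_difference(x, a, b, i):
    """Output difference of G when only the input bit x_i is flipped."""
    return g_operation(x, a, b) ^ g_operation(x ^ (1 << (i - 1)), a, b)


def active_positions(diff):
    """1-based positions of the active bits of a difference word."""
    return [i for i in range(1, N + 1) if (diff >> (i - 1)) & 1]


def estimate_p2(i, samples=20000, seed=1):
    """Monte Carlo estimate of p2^(i): the probability that flipping x_i gives
    exactly the difference with active bits i and i + 1 (y_i and y_{i+1} are
    always flipped; the estimate measures how often y_{i+2..i+5} stay put)
    for random X and random subkeys A, B."""
    if i >= N:
        return 0.0          # y_{i+1} does not exist, so the pair cannot form
    target = (1 << (i - 1)) | (1 << i)
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x, a, b = rng.getrandbits(N), rng.getrandbits(N), rng.getrandbits(N)
        if output_difference(x, a, b, i) == target:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    # Expected from the page: 2^-4 for 3 <= i <= 27, then 2^-3, 2^-2, 2^-1, 1, 0.
    for i in range(3, N + 1):
        print(f"i = {i:2d}: p2 ~ {estimate_p2(i):.4f}")
```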

To compute the probability of event A1, we can use the table of the influence
distribution of the L subblock’s bits on the elementary switches of box P'. Such a
table can be easily created from the description of the SPECTR-H64 algorithm
(Table 5.20), where cells mean P2/1 boxes, and the numbers in them (i) mean the
numbers of the corresponding bits in subblock L.

TABLE 5.20 The Distribution of the Influence of Control Subblock L Bits in the P' Box

Using this table, you can determine all values of i for which the difference $\Delta^{(P')}_{2|i,i+1}$
can appear at the output of box P', and also determine the value of the probability
of this event; namely,

$p(\Delta^{P'}_0 \to \Delta^{(P')}_{2|i,i+1} / \Delta^L_{1|i}) = p_3^{(i,i+1)}$

For example, at i = 28, the elementary boxes $P^{(1)}_{2/1}$, $P^{(32)}_{2/1}$, and $P^{(44)}_{2/1}$ are active,
and at the output of each of them a pair of active bits can appear with a probability
of 0.5 (the superscript in the designation $P^{(j)}_{2/1}$ is the number of the elementary box).
Only for box $P^{(1)}_{2/1}$ can an output pair of active bits simultaneously enter
positions i and i + 1.
We are interested in the case of active bits appearing at the output of $P^{(1)}_{2/1}$, with
the simultaneous absence of active bits at the outputs of $P^{(32)}_{2/1}$ and $P^{(44)}_{2/1}$. The
probability of this event is equal to $p_3^{(i,i+1)} = 2^{-3} \cdot 2^{-4} \cdot 2^{-4} = 2^{-11}$, since the left and the right
output bits of box $P^{(1)}_{2/1}$ will fall on the 28th and 29th bits, respectively, at the output
of box P' with a probability of $2^{-4}$ each.

Altogether, four bits of the left subblock (numbers 4, 8, 18, and 28) satisfy the
situation described previously. For i = 4, 8, and 28, we have the probabilities
$p_3^{(4,5)} = p_3^{(8,9)} = p_3^{(28,29)} = 2^{-11}$, and for i = 18, we have a probability of $p_3^{(18,19)} = 2^{-4}$.
Note that the position i = 18 contributes the most in forming the value of the
probability of the A1 event.
The probability of the difference $\Delta^R_1$ falling at the specified ith bit at the output
of the first round is equal to $p^{(i)} = 2^{-5}$. The probability that no active bits in positions
i + 2, i + 3, i + 4, i + 5 will be formed at the output of the G function (for 3 ≤ i ≤ 27
and averaging over random round keys) is equal to $p_2^{(i)} = 2^{-4}$. Accordingly, for i = 28,
$p_2^{(28,29)} = 2^{-3}$. Thus, we have the following integrated probability for the A1 event:

$P' = \sum_{i=1}^{32} p^{(i)} p_1^{(i)} p_2^{(i)} p_3^{(i,i+1)} p_4^{(i)} = \sum_{i = 4, 8, 18, 28} p^{(i)} p_1^{(i)} p_2^{(i)} p_3^{(i,i+1)} p_4^{(i)} \approx 2^{-17}.$

The predominant contribution to the value of P' is made by the 18th bit in the
left subblock, for which the probability values $p_1^{(18)}$, $p_4^{(18)}$, and $p_3^{(18,19)}$ are higher
($p_1^{(18)} = p_4^{(18)} = 2^{-2}$, and $p_3^{(18,19)} = 2^{-4}$).
In the A1 event, for all values of i, we have $p_1^{(i)} = 2^{-3}$, and for events A1 and A2,
we have $p^{(i)} = 2^{-5}$ and $p_4^{(i)} = 2^{-3}$.
With respect to the full symmetry of the direct (P') and inverse ($P^{-1}$) controlled
permutations transforming the right data subblock in one round of the SPECTR-
H64 cipher, the probabilities of the A1 and A3 events are the same; that is:

$P''' = P' \approx 2^{-17}.$
Assuming that the key element at the input of box P'' is an equiprobable random
value, it is easy to compute the probability of the A2 event using the following
formula, which is similar to the previous one:

$P'' = \sum_{i=1}^{32} p^{(i)} p_1^{(i,i+1)} p_2^{(i)} p_3^{(i)} p_4^{(i)} = \sum_{i = 4, 8, 12, 16, 21} p^{(i)} p_1^{(i,i+1)} p_2^{(i)} p_3^{(i)} p_4^{(i)} \approx 2^{-15}.$

In the A2 event, for all values of i, we have $p_3^{(i)} = 2^{-3}$. However, when the $p_1^{(i,i+1)}$
values are computed, Table 6.4 should be used instead of Table 5.21, because before
the left subblock enters the E expansion box, it is subject to a cyclic shift not by 11
but by 17 bits. The predominant contribution to the value of the probability P'' is
made by the 21st position, for which $p_1^{(21,22)} = 2^{-2}$ and $p_3^{(21)} = p_4^{(21)} = 2^{-2}$.
Thus, the probability of the difference $(0, \Delta^R_1)$ passing through two rounds is
equal to $P(2) \approx P' + P'' + P''' \approx 1.5 \cdot 2^{-15}$.

TABLE 5.21 The Distribution of the Influence of Control Subblock L Bits in the P" Box

In this value of P(2), the contribution of the events corresponding to the
appearance of four or six active bits in the output difference of the G function is not
taken into account, nor are the events with two active bits leading to the simultaneous
formation of three differences $\Delta^{(G)}_{2|i,i+1}$, $\Delta^{(P')}_{2|i,z}$, and $\Delta^{(P'')}_{2|i+1,z}$ that meet the condition:

$\Delta^{(G)}_{2|i,i+1} \oplus \Delta^{(P')}_{2|i,z} \oplus \Delta^{(P'')}_{2|i+1,z} = 0.$

These events may be neglected, since their integral probability is considerably
less than $1.5 \times 2^{-15}$.
With respect to the mechanisms revealed during the computation of the prob-
abilities of the events being considered (A1 and A2), we can conclude that a cipher’s
security against differential cryptanalysis depends considerably on the distribution
of control bits in expansion box E. In addition, the value of the probability of a two-
round differential characteristic can be reduced if expansion box E is optimized.
For example, if you swap the numbers 21 and 20 in the lower line of Table 5.20, and
swap 18 and 19 in Table 5.21, this permutation enables you to reduce the probability
values; namely, $P' \approx 2^{-23}$, $P'' \approx 2^{-21}$, and $P(2) \approx 1.5 \times 2^{-21}$. That is, this
permutation reduces the probability of the two-round characteristic by
approximately $2^{6}$ times.
After such a change, the most efficient differential characteristic is a three-
round one, considered here.
Indeed, there is another differential characteristic available for the SPECTR-
H64 cipher that corresponds to differences with a small number of active bits. This
characteristic corresponds to the difference $(0, \Delta^R_1)$ passing through three rounds. Its
formation is described by the following mechanism. After the first round, the active
bit enters the 32nd position with a probability of $2^{-5}$. In the second round, the active bit
passing through the G operation with a probability of 1 generates an active bit in the
difference going through the right branch that, with a probability of $2^{-5}$, turns out to
be in the 32nd bit at the output of the right branch of the second round. The probability
that no additional active bits will appear in the right branch during the performance
of three controlled permutation operations is equal to $(2^{-3})^3 = 2^{-9}$. The
differences $\Delta^L_{1|32}$ and $\Delta^R_{1|32}$ are distributed through the third round. With a probability
of $2^{-5}$, the active bit of the right difference turns out to be in the 32nd position after
the P' operation is performed, and is zeroed after the XOR operation with the output
difference $\Delta^{(G)}_{1|32}$ is performed. In the third round, also with a probability of $2^{-9}$,
three controlled permutation operations will not generate new active bits. Taking
into account the given scheme of the $(\Delta^L_0, \Delta^R_1)$ difference’s distribution in three
rounds, we have the following probability value for it: $P(3) \approx 2^{-28}$ (the “approximately
equal” symbol takes into account the fact that we neglect the contribution of
events where intermediary differences with several active bits in the right subblock
are formed). Accordingly, for six rounds, the probability of the $(\Delta^L_0, \Delta^R_1)$ difference
passing with the given three-round characteristic is equal to $P''(6) \approx (2^{-28})^2 = 2^{-56}$,
and with the two-round characteristic, it is $P'(6) \approx (1.5 \times 2^{-15})^3 \approx 1.7 \times 2^{-44} \gg P''(6)$.
Thus, when a six-round characteristic with one active bit is formed, a two-round
characteristic is more efficient for analyzing the SPECTR-H64 encryption algorithm.
It is possible to derive the following probability values using the two-round characteristic to build differential characteristics with an even number of rounds:

$P(8) \approx (1.5 \times 2^{-15})^4 \approx 5 \times 2^{-60} > 2^{-64}$
$P(10) \approx (1.5 \times 2^{-15})^5 \approx 2^{-72} \ll 2^{-64}$
$P(12) \approx (1.5 \times 2^{-15})^6 \approx 2^{-87} \ll 2^{-64}$

These last relationships prove that if 10 or 12 encryption rounds are used by the SPECTR-H64 encryption algorithm, the characteristics built from the two-round characteristic with one active bit are not applicable for cipher decryption, since they do not allow us to distinguish the SPECTR-H64 cipher from a random cipher. That is, we can say that the SPECTR-H64 algorithm is secure against the considered variant of differential analysis.
Basically, the variant with eight encryption rounds can be decrypted after about $2^{60}$ pairs of specially selected 64-bit input data blocks are encrypted, although such an attack most likely cannot be practically implemented.
As we mentioned previously, the corresponding probability for the two-round characteristic of the SPECTR-H64 cipher can be considerably reduced by optimizing the expansion box E. For the three-round characteristic, however, the analogous probability depends only weakly on the type of control bit distribution specified by the expansion E. Therefore, after the SPECTR-H64 cipher is modernized, its security against differential cryptanalysis will be determined by the three-round characteristic. To reduce the probability of the three-round characteristic, it is additionally required that you change the Boolean functions specifying the particular type of G operation.

5.6.4 Differential Cryptanalysis of the SPECTR-128 Cipher


The structure of the SPECTR-128 iterative cryptosystem is analogous to that of the SPECTR-H64 algorithm, which determines the similarity of the differential properties of both ciphers. For the SPECTR-128 algorithm, differential characteristics with a small number of active bits also have the largest probabilities. The largest probability belongs to the characteristic corresponding to the difference $(\Delta_0^L, \Delta_1^R)$ passing through two rounds. The mechanism of its distribution is analogous to that of SPECTR-H64. However, due to the peculiarities of the G operation and the bigger size of the subblocks being transformed, the computations are more intricate. When differential cryptanalysis is performed, you must take into account the fact that, if only one input bit of the G operation is changed, one bit will surely be changed at its output, in the same order as the changed input bit. Besides this, six more bits can be changed with a probability of 0.5. The main variants of two-round characteristic formation are connected with the appearance of the differences $\Delta^{(G)}_{2|i,i+1}$, $\Delta^{(G)}_{2|i,i+3}$, $\Delta^{(G)}_{2|i,i+6}$, $\Delta^{(G)}_{2|i,i+7}$, $\Delta^{(G)}_{2|i,i+8}$, and $\Delta^{(G)}_{2|i,i+9}$ at the output of the G operation. Each of these differences contributes to the value of the probability of the two-round characteristic. This contribution is computed in a manner similar to that used for the SPECTR-H64 algorithm for the specified i, when an output difference $\Delta^{(G)}_{2|i,i+1}$ with two active bits is considered. The possibility of the appearance of different differences at the output of the G operation can be taken into account in events A1, A2, and A3, which is done here. Using the dependence of the output bit values expressed as a Boolean function, it is easy to derive formulas expressing the changes in the output bits with numbers i + k, where k = 0, 1, 2, …, 9 (Table 5.22).
Let's consider events A1, A2, and A3 (Figure 5.24) for SPECTR-128.

TABLE 5.22 The Probability of Active Bit Generation at the Output of the G Operation in the (i + k)th Order, When the ith Input Bit Is Changed

FIGURE 5.24 The two-round characteristic formation scheme in the SPECTR-128 cipher for event A1.

Event A1
1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of operation G with a probability of $p_2^{(i,i+k)}$, where $k \in \{1, 3, 6, 7, 8, 9\}$.
2. The difference $\Delta^{(P')}_{2|i,i+k}$ is formed at the output of box $P'$ with a probability of $p_3^{(i,i+k)}$.
3. The difference $\Delta_0^{(P'')}$ is formed at the output of box $P''$ with a probability of $p_1^{(i)} = 2^{-3}$.
4. After two XOR operations are performed, a zero difference is formed at the input of box $P^{-1}_{64/192}$, passing through this box with a probability of $p_4^{(i)} = 2^{-3}$.

Event A2
1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of operation G with a probability of $p_2^{(i,i+k)}$.
2. The difference $\Delta_0^{(P')}$ is formed at the output of box $P'$ with a probability of $p_3^{(i)} = 2^{-3}$.
3. The difference $\Delta^{(P'')}_{2|i,i+k}$ is formed at the output of box $P''$ with a probability of $p_1^{(i,i+k)}$.
4. After two XOR operations are performed, a zero difference is formed at the input of box $P^{-1}_{64/192}$, passing through this box with a probability of $p_4^{(i)} = 2^{-3}$.

Event A3
1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of operation G with a probability of $p_2^{(i,i+k)}$.
2. The difference $\Delta_0^{(P')}$ is formed at the output of box $P'$ with a probability of $p_3^{(i)} = 2^{-3}$.
3. The difference $\Delta_0^{(P'')}$ is formed at the output of box $P''$ with a probability of $p_1^{(i)} = 2^{-3}$.
4. After two XOR operations are performed, the difference $\Delta_{2|i,i+k}$ is formed at the input of box $P^{-1}$, where it is zeroed with a probability of $p_4^{(i,i+k)}$.

As in the case of the SPECTR-H64 algorithm, events A1 and A3 have the same probabilities due to their symmetry. Therefore, it suffices to determine the probabilities of events A1 and A2.
Using the description of the SPECTR-128 algorithm to compute the probabilities of events A1 and A2, we compile the tables of the distribution of the left subblock bits controlling the elementary switches of boxes $P'$ and $P''$ (Tables 5.23 and 5.24).

TABLE 5.23 Distribution of Subblock L Bits in the P' Box of the SPECTR-128 Cipher

TABLE 5.24 Distribution of Subblock L Bits in the P'' Box of the SPECTR-128 Cipher

The probability of event A1 is computed by the formula:

$P' = \sum_{i=1}^{64} \sum_{k=1}^{9} p^{(i)} p_1^{(i)} p_2^{(i,i+k)} p_3^{(i,i+k)} p_4^{(i)} \approx 1.5 \times 2^{-21},$

where $p^{(i)} = 2^{-6}$ is the probability of the transition of the active bit of the difference into the ith order after the first round. Using the structure of box $P^{-1}_{64/192}$ and Tables 5.23 and 5.24, it is easy to determine the probability values included in this sum. The variant corresponding to the active bit in the 43rd order of the left subblock, for which the probability is $p_3^{(43,44)} = 2^{-3}$, contributes the most to the probability value (about 70 percent of the value of $P'$). About 15 percent falls on the numbers i = 33 and 34, for which $p_3^{(33,39)} = p_3^{(33,40)}$. The remaining share falls on the values i = 3, 7, 8, 11, 12, 15, 16, 20, and 54.
The probability of event A2 is computed by the formula:

$P'' = \sum_{i=1}^{64} \sum_{k=1}^{9} p^{(i)} p_1^{(i,i+k)} p_2^{(i,i+k)} p_3^{(i)} p_4^{(i)} \approx 1.3 \cdot 2^{-21}.$

The cases where i = 54 and 57 ($p_1^{(54,55)} = p_1^{(57,60)} = 2^{-5}$), and i = 9, 10, 11, and 44 ($p_1^{(9,15)} = p_1^{(9,16)} = p_1^{(10,13)} = p_1^{(10,16)} = p_1^{(11,14)} = p_1^{(44,45)} = p_1^{(44,47)} = 2^{-7}$), are the main contributors to the probability $P''$. The probability of the difference $(\Delta_0^L, \Delta_1^R)$ passing through two rounds is $P(2) \approx P' + P'' + P''' \approx 1.1 \times 2^{-19}$.
We should mention that, as with the differential property analysis of the SPECTR-H64 cipher, certain features of the distribution of the influence of the left subblock bits exert a considerable influence upon the controlled permutation operations. It is easy to reduce the probability P(2) by introducing insignificant changes in expansion box E.
There is also a three-round characteristic of the SPECTR-128 cipher that corresponds to the difference $(\Delta_0^L, \Delta_1^R)$ passing through three rounds. Unlike the SPECTR-H64 algorithm, the passing of the $(\Delta_0^L, \Delta_1^R)$ difference is not related to the active bit of the left subblock having the number i = 32. Each bit makes its contribution, since, due to the use of a G operation that is different from the one used in the SPECTR-H64 cipher, the presence of the active bit in the L subblock changes only one bit at the output of this operation in a predefined manner. The scheme of the three-round characteristic formation is shown in Figure 5.25.

FIGURE 5.25 Three-round characteristic formation scheme in the SPECTR-128 cipher.

When computing the probability of the three-round characteristic, P(3), you need to distinguish between the cases in which the left subblock's active bit is located in different orders. Indeed, the probability of obtaining the difference $\Delta^{(G)}_{1|i}$ at the output of the G operation for different values of i is equal to:

$p = 2^{-6}$ for i = 1, 2, …, 55
$p = 2^{-5}$ for i = 56
$p = 2^{-4}$ for i = 57
$p = 2^{-3}$ for i = 58
$p = 2^{-2}$ for i = 59, 60, 61
$p = 2^{-1}$ for i = 62, 63
$p = 1$ for i = 64

If i is a uniformly distributed random variable, it is easy to derive the average probability of the occurrence of the difference $\Delta_1^{(G)}$ with one active bit at the output of the G operation; namely,

$p(\Delta_1^{(G)}) = 0.97 \cdot 2^{-4} \approx 2^{-4}$

In the second and third rounds, one active bit is distributed in the left branch. In each of these rounds, the probability that no pairs of active bits are generated at the outputs of the three controlled permutation boxes is $2^{-9}$. In addition, in the second round, an active bit in the right subblock is generated because of the G operation. In the third round, the active bit of the right branch is zeroed by the active bit of the difference $\Delta^{(G)}_{1|h}$ with a probability of $2^{-6}$ (this is the probability of the operation $P_{64/192}$ shifting the right subblock's active bit into the specified hth order). With respect to these remarks, it is easy to obtain $P(3) \approx 2^{-32}$.
The contribution of the three-round characteristic to the probability of the difference $(\Delta_0^L, \Delta_1^R)$ passing through six rounds is $P''(6) < (2^{-32})^2 = 2^{-64}$. The two-round characteristic's contribution is $P'(6) \approx (1.1 \cdot 2^{-19})^3 \approx 1.3 \cdot 2^{-57} \gg P''(6)$. Thus, when the security of the SPECTR-128 cipher is determined, the two-round characteristic is more efficient.
It is possible to derive the following probabilities using the value of the probability P(2):

$P(8) \approx (1.1 \times 2^{-19})^4 \approx 1.5 \times 2^{-76}$
$P(10) \approx (1.1 \times 2^{-19})^5 \approx 1.7 \times 2^{-95}$
$P(12) \approx (1.1 \times 2^{-19})^6 \approx 2^{-113}$

If you compare the probabilities of the two-round characteristics of SPECTR-H64 and SPECTR-128, you are likely to notice that the value of P(2) for SPECTR-H64 is higher than the value of P(2) for SPECTR-128. The first cipher, however, is indistinguishable from a random cipher with the help of differential cryptanalysis, while the second is distinguishable due to the large size of the input block.
Indeed, for a random 128-bit cipher, the probability of the occurrence of a specified output difference is $2^{-128}$, whereas for SPECTR-128 the probability P(12) of the $(\Delta_0^L, \Delta_1^R)$ output difference is approximately equal to $2^{-113}$. Therefore, using the $(\Delta_0^L, \Delta_1^R)$ difference considered here, it is possible to distinguish the SPECTR-128 cipher from a random one. However, you would have to perform an unrealizable number of encryption operations with 128-bit data blocks. For example, for the 10-round variant of the SPECTR-128 cipher, it would be necessary to perform more than $2^{94}$ encryption operations with 128-bit data blocks.
This cipher can be reinforced either by adding two supplementary encryption rounds, or by optimizing the expansion box E and the G operation. The second variant enables you to reduce the value of P(2) down to $2^{-25}$.
Differential cryptanalysis of the SPECTR-H64 and SPECTR-128 ciphers is one
of the steps in designing ciphers based on controlled operations. Depending on the
differential characteristic values obtained and the peculiarities of difference distri-
bution revealed, this step requires amendments aimed at improving the considered
characteristics, after which a differential cryptanalysis should be performed again.

The Security of the SPECTR-128 Cryptosystem with a Modified Expansion Box


We mentioned in the previous section that the probability of the two-round characteristic of SPECTR-128 depends considerably on the distribution of the control data subblock's bits over the elementary switches of the controlled permutation box. Such a distribution is determined by the expansion box E and, additionally, by a rotation operation: by 21 bits for the $P'$ box and by 43 bits for the $P''$ box.
Leaving the rotation values unchanged, you can reduce the probability of the two-round characteristic by modifying the table that describes the expansion box E. When such a modification is performed, it is best to follow the criterion according to which, for any value of the control subblock, each bit of the controlled permutation box is influenced by an arbitrary control bit only once.
Table 5.25 shows a modified expansion box E with amendments that reduce the probabilities of events A1, A2, and A3 to zero.
This last circumstance means that other events, which before the modification contributed much less to the probability of the two-round characteristic and could be neglected, now become the deciding factors. Let's consider these events and their contribution.

Event B. This event includes the following events:

1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of the G operation with a probability of $p_2^{(i,i+k)}$.
2. The difference $\Delta^{(P')}_{2|i,t}$ is formed at the output of box $P'$ with a probability of $p_3^{(i,t)}$ and the difference $\Delta^{(P'')}_{2|i+k,t}$ is formed at the output of box $P''$ with a probability of $p_1^{(i+k,t)}$, or the difference $\Delta^{(P')}_{2|i+k,t}$ is formed at the output of box $P'$ with a probability of $p_3^{(i+k,t)}$ and the difference $\Delta^{(P'')}_{2|i,t}$ is formed at the output of box $P''$ with a probability of $p_1^{(i,t)}$.
3. A zero difference, which appears as a result of Events B1 and B2 after the two XOR operations are performed, passes through the controlled permutation box $P^{-1}$ with a probability of $2^{-3}$.

TABLE 5.25 Bit Distribution at the Output of the Expansion Box (the Numbers of Bits and of the Binary Vector Entering Expansion Box E's Input Are Indicated)

The probability of Event B2 is equal to $p_{1,3}^{(i,i+k)} = p_3^{(i,t)} p_1^{(i+k,t)} + p_3^{(i+k,t)} p_1^{(i,t)}$. On the whole, the contribution of Event B to the probability of the two-round characteristic is $P' \approx 1.5 \times 2^{-30}$.

Event C. This event includes the following events:

1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of the G operation with a probability of $p_2^{(i,i+k)}$.
2. The difference $\Delta_0^{(P')}$ is formed at the output of box $P'$ with a probability of $p_3^{(i)} = 2^{-3}$.
3. The difference $\Delta^{(P'')}_{2|i+k,t}$ is formed at the output of box $P''$ with a probability of $p_1^{(i+k,t)}$, or the difference $\Delta^{(P'')}_{2|i,t}$ is formed with a probability of $p_1^{(i,t)}$.
4. After two XOR operations are performed, the differences $\Delta'_{2|i,t} = \Delta_0^{(P')} \oplus \Delta^{(G)}_{2|i,i+k} \oplus \Delta^{(P'')}_{2|i+k,t}$ and $\Delta'_{2|i+k,t} = \Delta_0^{(P')} \oplus \Delta^{(G)}_{2|i,i+k} \oplus \Delta^{(P'')}_{2|i,t}$ are "transformed" by box $P^{-1}$ into a zero difference with probabilities of $p_4^{(i,t)}$ and $p_4^{(i+k,t)}$, respectively.

Event C includes the occurrence of two active bits with numbers i and t (or i + k and t) at the input of box $P^{-1}$, and the "annihilation" of this pair of active bits in one of the three active elementary $P_{2/1}$ boxes within box $P^{-1}$.
Since Event C is "symmetric" to Event B, $P' = P(C) = P(B) = P''$. That is, the contributions of Events B and C to the probability P(2) of the two-round characteristic are the same.

Event D. This event includes the following events:

1. The difference $\Delta^{(G)}_{2|i,i+k}$ is formed at the output of the G operation with a probability of $p_2^{(i,i+k)}$.
2. The difference $\Delta_0^{(P'')}$ is formed at the output of box $P''$ with a probability of $p_1^{(i)} = 2^{-3}$.
3. The difference $\Delta^{(P')}_{2|i+k,t}$ is formed at the output of box $P'$ with a probability of $p_3^{(i+k,t)}$, or the difference $\Delta^{(P')}_{2|i,t}$ is formed with a probability of $p_3^{(i,t)}$.
4. After two XOR operations are performed, the differences $\Delta'_{2|i,t} = \Delta_0^{(P'')} \oplus \Delta^{(G)}_{2|i,i+k} \oplus \Delta^{(P')}_{2|i+k,t}$ and $\Delta'_{2|i+k,t} = \Delta_0^{(P'')} \oplus \Delta^{(G)}_{2|i,i+k} \oplus \Delta^{(P')}_{2|i,t}$ are "transformed" by box $P^{-1}$ into a zero difference with probabilities of $p_4^{(i,t)}$ and $p_4^{(i+k,t)}$, respectively.

Event D is analogous to Event C. One feature of Event D is that two controlled permutation boxes with symmetric structure are considered, as are the active elementary switches positioned symmetrically. The contribution of Event D to the probability P(2), computed assuming that the round subkeys are uniformly distributed random variables, is $P''' \approx 1.1 \times 2^{-28}$.
Taking into account the contribution of Events B, C, and D to the probability P(2), the value of the probability P(2) for the two-round characteristic, after expansion box E is modified, looks like this:

$P(2) = P' + P'' + P''' \approx 1.85 \cdot 2^{-28} \approx 2^{-27}.$

Thus, the modification of expansion box E enables us to reduce the probability of the two-round characteristic by approximately $2^8$ times. Correspondingly, the security of the modified SPECTR-128 cipher against differential cryptanalysis is now determined by the three-round characteristic, for which such a modification of the E expansion box is not crucial.
That is, using the three-round characteristic probability value $P(3) \approx 2^{-32}$ of the source model of the SPECTR-128 cipher, the probability P(12) of the difference $(\Delta_0^L, \Delta_1^R)$ passing through all twelve rounds is the following:

$P(12) \approx (2^{-32})^4 = 2^{-128}.$

The derived value does not exceed the probability value of the specified occurrence of the difference for a random cipher, and so the application of the considered differential characteristics does not allow us to use differential cryptanalysis to decrypt the modified variant of SPECTR-128.
The considered example, which includes the initial and modified versions of the SPECTR-128 algorithm, demonstrates a certain step in the design of ciphers based on controlled permutations, where the structure of expansion box E is of crucial importance. The structure of expansion box E is initially selected with respect to a general criterion, after which the probabilities are computed for the most significant differential characteristics. Then, based on the revealed features of the control data subblock bit distribution, a modification of expansion box E is performed, which reduces the probabilities of the indicated characteristics, after which differential cryptanalysis should be performed once again.

5.6.5 Main Differential Characteristics of the DDP-S64 and DDP-S128 Ciphers


The DDP-S64 and DDP-S128 ciphers have a round transformation structure that differs from that of the SPECTR-H64 and SPECTR-128 cryptosystems. However, due to the use of the controlled permutation box $P^{(L,e)}_{32/32}$ as a base primitive in all four ciphers, when variants of differential characteristics are considered, it is possible to establish that characteristics with a small number of active bits have the greatest probability. The mechanism for forming such characteristics in the first pair of ciphers differs from that in the second pair, because no G operations with two-active-bit differences formed at the output are used in DDP-S64 and DDP-S128. These ciphers also differ in the mechanism of passing differences through two rounds, although in both ciphers the most efficient characteristics are connected with the permutation of one of the active bits into the necessary digit after the difference has passed through the controlled permutation box.

Analysis of the DDP-S64 Cipher


This cipher has a one-round characteristic with the difference $(\Delta_0^A, \Delta_1^B)$, where $\Delta_0^A$ and $\Delta_1^B$ are the left and right subblocks of the input difference. This difference passes through one round in the following way (Figure 5.26). The right subblock that passed through one of the controlled permutation operations is superposed over the left subblock using a modulo $2^{32}$ addition operation, introducing at least one active bit into it.
We are interested in the case of the formation of one active bit in the left subblock. Before the round is completed, the left subblock $\Delta_1^A$ that passed through operation $P^{(A,0)}_{32/32}$ participates in the transformation of the right subblock using a modulo $2^{32}$ subtraction operation. Thanks to the controlled permutation operation over both subblocks, the active bits turn out to have the same number with a probability of $2^{-5}$. As a result, after the subtraction operation is completed, the active bit in the right subblock is zeroed with an averaged probability close to 0.5. The round is completed with the permutation of subblocks $\Delta_1^A$ and $\Delta_1^B$, which forms an output difference that coincides with the input one.

FIGURE 5.26 A one-round characteristic formation scheme in the DDP-S64 cipher.
In this mechanism, one of the active bits is subjected to arithmetic operations four times. The active bit passes through each of these operations without forming a carry bit with a probability of $\approx 2^{-1}$. When the four controlled permutation operations are performed, the control input of the corresponding controlled permutation box is fed with one active bit. The probability that no active bits are generated during one controlled permutation operation is approximately equal to $2^{-3}$ (the fact that a nonzero difference passes through the controlled permutation box is taken into account). Taking into account the probabilities of all these events related to passing the difference through one round, we compute the probability of the one-round characteristic:

$P(1) \approx (2^{-1})^4 \cdot (2^{-3})^4 \cdot 2^{-5} = 2^{-21}.$

The two-round characteristic $(\Delta_1^A, \Delta_0^B)$ is more efficient, and this should be remembered when the number of encryption rounds is selected in order to obtain a pseudorandom transformation. The scheme of this difference passing through two rounds is shown in Figure 5.27.
FIGURE 5.27 The scheme for forming a two-round characteristic in the DDP-S64 cipher.

The algorithm of this difference passing through two rounds goes like this:

1. An active bit of the left subblock generates an active bit in the right one at the end of the first round, when the modulo $2^{32}$ subtraction operation is performed.
2. Then the difference $(\Delta_1^A, \Delta_1^B)$ enters the input of the second round.
3. At the start of the second round, the active bit of the left subblock is zeroed after the modulo $2^{32}$ addition operation is performed.
4. A zero difference is distributed along the left branch of the second round.

In the first round, the active bit is subjected to three arithmetic operations and influences the performance of two controlled permutation operations, which makes the probability of forming the difference $(\Delta_1^A, \Delta_1^B)$ at the output of the first round equal to $P' \approx (2^{-1})^3 \cdot (2^{-3})^2 = 2^{-9}$. In the second round, three arithmetic operations are performed with the participation of the active bits. In addition, two controlled permutation operations are performed with one active bit present at the control input. This determines the probability $P''$ of forming the difference $(\Delta_1^A, \Delta_0^B)$ at the output of the second round:

$P'' \approx (2^{-1})^3 \cdot (2^{-3})^2 \cdot 2^{-5} = 2^{-14}.$

Thus, the probability of the two-round characteristic is equal to

$P(2) \approx P' \cdot P'' \approx 2^{-9} \cdot 2^{-14} = 2^{-23}.$

The contribution of the one-round characteristic may be neglected, since it is equal to $(P(1))^2 \approx 2^{-42} \ll 2^{-23}$. The number of rounds r for which the DDP-S64 cipher is indistinguishable from a random transformation under differential analysis can be determined from the relationship $2^{-64} \geq P(2)^{r/2} \approx 2^{-23r/2}$, from which it is easy to obtain $r \geq 6$. To have a certain security margin, it is possible to add another two rounds and recommend values of $r \geq 8$.

Analysis of the DDP-S128 Cipher


For this cipher, the two-round characteristic with the difference $(\Delta_1^A, \Delta_0^B, \Delta_0^C, \Delta_1^D)$ is the most efficient. This difference passes through two rounds according to Figure 5.28.

FIGURE 5.28 The two-round characteristic formation mechanism in the DDP-S128 cipher.

With a probability equal to 1, the differences $\Delta_1^A$ and $\Delta_1^D$ pass through the first round and, after the subblocks are permuted, turn into the differences $\Delta_1^B$ and $\Delta_1^C$, respectively. Thus, the input difference of the first round, $(\Delta_1^A, \Delta_0^B, \Delta_0^C, \Delta_1^D)$, is transformed with probability 1 into the input difference $(\Delta_0^A, \Delta_1^B, \Delta_1^C, \Delta_0^D)$ of the second round. In the second round, the two internal subblocks with one active bit each are summed up twice modulo $2^{32}$ at different stages of the transformation of subblocks B and C.
When each addition operation is performed, the output difference contains no active bits with a probability of $2^{-6}$, since with a probability of $2^{-5}$ the active bits in the different subblocks turn out to have the same number, and no carry bit is generated with a probability of $2^{-1}$. In this case, the XOR operations performed over subblocks A and D do not add active bits to the differences $\Delta^A$ and $\Delta^D$.
In addition, each of the active bits participates in three different controlled permutation operations. In other words, you must consider six independent events, each consisting of the fact that no pair of active bits is generated in the corresponding controlled permutation box, with an approximate probability of $2^{-3}$. It is also necessary to take into account that each of the two operations summing the internal subblocks with round subkeys generates no additional active bit (due to the carry bit) with a probability close to $2^{-1}$.
Taking into account all these elementary events related to the mechanism of two-round characteristic formation, we can derive the following value for its probability:

$P(2) \approx (2^{-6})^2 \cdot (2^{-3})^6 \cdot (2^{-1})^2 = 2^{-32}.$

Let us determine the number of rounds for which the DDP-S128 cipher is indistinguishable from a random transformation under differential analysis. To do this, use the relationship $2^{-128} \geq P(2)^{r/2} \approx 2^{-16r}$, from which it follows that $r \geq 8$.
Summing up the results of the differential cryptanalysis of several ciphers based on controlled permutations, the following common property becomes evident. An active bit entering the data input of the controlled permutation operation does not contribute to the avalanche effect. The avalanche effect introduced by a controlled permutation operation is related to the presence of active bits in the subblocks used for forming the control vectors. At the same time, if you consider not the bits of the differences but rather the data bits, it is easy to see that each bit at the input of the controlled permutation box influences all the output bits of this operation.
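The two quantities this section keeps reusing, as an added Python example that is not code from the book: the exact probability that one active control bit passes a layer of elementary P2/1 switches without creating new active bits (the $2^{-3}$ factor for three switches), and the iterated-characteristic probability $P(r) = P(2)^{r/2}$ from which the minimal number of rounds is obtained, with the elementary-event products for DDP-S64 and DDP-S128 as constructed inputs. The model of a P2/1 switch as a control-bit-driven swap of two data bits, and the assumption that all other inputs are equal in the two texts, are mine.

```python
"""Building blocks of the differential estimates in this section (added example,
not the book's code): exact switch-layer analysis and iterated-characteristic
probabilities used to pick the number of rounds."""
from fractions import Fraction
from itertools import product
import math


def p2_1(a, b, ctrl):
    """Elementary controlled switch P2/1 (modelled as a conditional swap): the
    two data bits are swapped when the control bit is 1, else passed through."""
    return (b, a) if ctrl else (a, b)


def switch_layer(data, ctrl):
    """One layer of P2/1 switches; data has 2*len(ctrl) bits, and switch j acts
    on the pair (data[2j], data[2j+1]) under control bit ctrl[j]."""
    out = []
    for j, c in enumerate(ctrl):
        out.extend(p2_1(data[2 * j], data[2 * j + 1], c))
    return tuple(out)


def prob_no_new_active_bits(num_switches):
    """Exact probability that an active control bit feeding `num_switches`
    switches (data inputs equal in both texts) yields a zero output difference.
    Every data input is enumerated, so the result is a Fraction, not an estimate.
    A switch leaks a pair of active bits exactly when its two data bits differ,
    so the answer is 2^-num_switches; the text's 2^-3 is num_switches == 3."""
    n_data = 2 * num_switches
    ctrl0 = (0,) * num_switches
    ctrl1 = (1,) * num_switches   # the one active bit flips every switch it drives
    zero_diff = sum(
        switch_layer(data, ctrl0) == switch_layer(data, ctrl1)
        for data in product((0, 1), repeat=n_data)
    )
    return Fraction(zero_diff, 2 ** n_data)


def log2_characteristic(events):
    """Product of the elementary event probabilities of one formation scheme,
    given as (log2 probability, multiplicity) pairs; returns log2 of the product.
    Example: DDP-S64 one round = four carry-free arithmetic passes (2^-1), four
    controlled permutations without new active bits (2^-3), one 2^-5 shift."""
    return sum(log2p * count for log2p, count in events)


def log2_iterated(log2_p_char, rounds_per_char, total_rounds):
    """log2 P(total_rounds) when a characteristic covering `rounds_per_char`
    rounds with probability 2^log2_p_char is iterated; the exponent r/2 or r/3
    may be fractional, exactly as the relation 2^-64 >= P(2)^(r/2) uses it."""
    return log2_p_char * total_rounds / rounds_per_char


def min_rounds_indistinguishable(log2_p_char, rounds_per_char, block_bits):
    """Smallest r with P(r) <= 2^-block_bits, i.e. the characteristic no longer
    distinguishes the cipher from a random block_bits-bit transformation."""
    r = 1
    while log2_iterated(log2_p_char, rounds_per_char, r) > -block_bits:
        r += 1
    return r


# Constructed inputs transcribed from the formation schemes described above.
DDP_S64_ONE_ROUND = [(-1, 4), (-3, 4), (-5, 1)]                   # -> 2^-21
DDP_S64_TWO_ROUND = [(-1, 3), (-3, 2), (-1, 3), (-3, 2), (-5, 1)]  # P'.P'' -> 2^-23
DDP_S128_TWO_ROUND = [(-6, 2), (-3, 6), (-1, 2)]                   # -> 2^-32
SPECTR_H64_LOG2_P2 = math.log2(1.5) - 15    # P(2) ~ 1.5 * 2^-15
SPECTR_128_LOG2_P2 = math.log2(1.1) - 19    # P(2) ~ 1.1 * 2^-19

if __name__ == "__main__":
    print("P(no new active bits, 3 switches) =", prob_no_new_active_bits(3))
    for name, events, per_char, bits in [("DDP-S64", DDP_S64_TWO_ROUND, 2, 64),
                                         ("DDP-S128", DDP_S128_TWO_ROUND, 2, 128)]:
        lp = log2_characteristic(events)
        print(name, "log2 P(2) =", lp, "-> rounds needed:",
              min_rounds_indistinguishable(lp, per_char, bits))
```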

5.6.6 Estimating the Security of the COBRA-F64a and COBRA-F64b Ciphers


As in all previously considered ciphers, in COBRA-F64a and COBRA-F64b the active bits make the biggest contribution to the avalanche effect when they appear at the control input of the controlled permutation box. This leads to differential characteristics with a small number of active bits having the greatest probability. It is necessary to find such characteristics whose formation schemes also have the minimal number of active bits in the intermediary differences. Indeed, the presence of one active bit at the control input of a controlled permutation box gives a multiplier of $2^{-3}$ in the expression for the probability, while the presence of one active bit at the data input of the controlled permutation box gives a multiplier of $2^{-5}$ when an event related to its transition into the specified digit is expected (this is needed to zero a pair of active bits when addition operations are performed; otherwise, the number of active bits will increase avalanche-like). You can build characteristics for the COBRA-F64a and COBRA-F64b algorithms in which all intermediary differences contain no more than one active bit in the left and right subblocks. Obviously, such characteristics possess the maximum probability.
The formation schemes for the differential characteristics of the COBRA-F64a and COBRA-F64b ciphers are shown in Figure 5.29. In both ciphers, the most efficient characteristics are related to the difference $(\Delta_0^L, \Delta_1^R)$ passing through two or three rounds. In one round of the COBRA-F64a cipher, the active bit of the difference is carried once from the right branch into the left one when the XOR operation is performed. Therefore, to return to the initial difference in the COBRA-F64a cryptoscheme, you must perform three rounds, where the second round is related to the event of the right and left subblocks' active bits entering the same digit.

FIGURE 5.29 A three-round characteristic formation scheme in the COBRA-F64a cipher (a) and a two-round characteristic in COBRA-F64b (b).
The feature distinguishing the COBRA-F64b cipher from COBRA-F64a is that in one round the active bit of the difference $\Delta_1^R$ is carried from the right branch into the left one twice, which provides for the retention of the difference $(\Delta_0^L, \Delta_1^R)$ at the output of the first round. A permutation, however, takes place after the first round, transforming the difference $(\Delta_0^L, \Delta_1^R)$ into the difference $(\Delta_1^L, \Delta_0^R)$, and so the second round is included in the differential characteristic formation scheme, where, with a probability of $2^{-3}$, the difference $\Delta_1^L$ passes through the left branch without generating additional active bits in the right and left subblocks. The permutation of subblocks after the second round leads to the formation of the initial difference $(\Delta_0^L, \Delta_1^R)$.
Considering the probabilities of the events related to the three-round characteristic formation for COBRA-F64a for the input difference $(\Delta_0^L, \Delta_1^R)$, it is easy to see that the probability of the formation of difference $(\Delta_1^L, \Delta_1^R)$ at the output of the second round is equal to

$$P' = P\{(\Delta_0^L, \Delta_1^R) \to (\Delta_1^L, \Delta_1^R)\} = 2^{-4}.$$

This probability is determined by the event of the active bit passing through a subtraction operation in the right branch, the generation of an active bit in the left subblock after an XOR operation, and the performance of one controlled permutation operation with the active bit available at the control input. The difference $(\Delta_1^L, \Delta_1^R)$ after the second round (and permutation operation) is carried into the difference $(\Delta_1^L, \Delta_0^R)$ with a probability of

$$P'' = P\{(\Delta_1^L, \Delta_1^R) \to (\Delta_1^L, \Delta_0^R)\} = 2^{-1} \cdot 2^{-1} \cdot 2^{-3} \cdot 2^{-5} = 2^{-10}.$$

After the third round is performed, including modulo $2^{32}$ addition and two controlled permutation operations, the difference $(\Delta_1^L, \Delta_0^R)$ is transformed into the difference $(\Delta_0^L, \Delta_1^R)$ with a probability of

$$P''' = P\{(\Delta_1^L, \Delta_0^R) \to (\Delta_0^L, \Delta_1^R)\} = 2^{-1} \cdot 2^{-3} \cdot 2^{-3} = 2^{-7}.$$

Now for the three-round characteristic’s probability, we have $P^{(3)} = P'P''P''' = 2^{-21}$.
Using this value, it is possible to establish that, with a round number $r \ge 10$, the COBRA-F64a cipher is indistinguishable from a random transformation with differential cryptanalysis using the preceding characteristic. Thus, the 16-round COBRA-F64a algorithm provides a sufficient security margin against differential analysis. Note that a three-round characteristic for this cryptosystem may also use $(\Delta_1^L, \Delta_1^R)$ and $(\Delta_1^L, \Delta_0^R)$ as input differences. These variants of the three-round characteristic have the same probability as the characteristic considered previously. The use of the three variants, however, is not fully equivalent. For example, with a round number not divisible by 3, the passing of the difference through the last round, or through the last and next-to-last rounds, corresponds to its passing through an incomplete scheme of differential characteristic formation. Depending on the input difference variant, one or two of the last rounds, characterized by different probability values, are excluded from the latter. If one round is excluded, it may relate to a probability of $2^{-7}$, $2^{-10}$, or $2^{-4}$. If two rounds are excluded, then pairs corresponding to probabilities of $p_1 = 2^{-7} \cdot 2^{-10}$, $p_2 = 2^{-10} \cdot 2^{-4}$, or $p_3 = 2^{-4} \cdot 2^{-7}$ can be excluded.

These examples demonstrate that, for different variants, the ratio of the resultant probability values for the whole cipher may be $2^6$. This circumstance is worth noting when the minimal number of rounds is selected with the purpose of accelerating the encryption procedure.
From the COBRA-F64b two-round characteristic formation scheme where the input difference $(\Delta_0^L, \Delta_1^R)$ is used, it is easy to see that the probability of the formation of the difference $(\Delta_1^L, \Delta_0^R)$ at the second round input is equal to:

$$P' = P\{(\Delta_0^L, \Delta_1^R) \to (\Delta_1^L, \Delta_0^R)\} = 2^{-7}$$

This probability is determined by the active bit passing through the subtraction operation of the first round and the generation of one active bit in the left branch (co-factor $\approx 2^{-1}$), the coincidence of the order numbers corresponding to the active bits of the right and left subblocks (co-factor $2^{-5}$), and the active bits passing through the addition operation in the left branch leading to the zeroing of the active bit in the left subblock (co-factor $2^{-1}$).
When the difference $(\Delta_1^L, \Delta_0^R)$ passes through the second round (including the swapping of data subblocks), it is transformed into the difference $(\Delta_0^L, \Delta_1^R)$ with a probability of $P'' = P\{(\Delta_1^L, \Delta_0^R) \to (\Delta_0^L, \Delta_1^R)\} = 2^{-5}$. The probability of the two-round characteristic is equal to:

$$P^{(2)} = P'P'' = 2^{-12}.$$

Another variant of the two-round characteristic is connected with the difference $(\Delta_1^L, \Delta_0^R)$ passing through two rounds. In reality, both variants employ the same mechanisms within separate rounds. A certain discrepancy in the selection of the input difference matters for the case of an odd number of encryption rounds. The ratio of the probability values obtained for an odd number of encryption rounds, depending on the selection of one of these two difference variants, is $2^2$. A similar remark can also be made for the SPECTR-H64 and SPECTR-128 ciphers, and others.
For some ciphers, the probability of viewing a certain expected difference at the
output of an encryption algorithm can be enhanced by selecting a certain input dif-
ference that differs from those corresponding to the most efficient characteristics.
Enhancing the probability is done by forced specification of the necessary differ-
ence with active bits in the specified digits when the first round is performed. For
example, this can be implemented in the case of the COBRA-F64b cipher, where the input difference $(\Delta_{1|32}^L, \Delta_{1|32}^R)$ at the output of the first round is transformed into the difference $(\Delta_1^L, \Delta_0^R)$ with a probability equal to 1. Its further passing is considered in accordance with a two-round characteristic.
It is easy to derive the following formulas for the probability of the occurrence
of the difference ( Δ1L , Δ0R ) at the output of the algorithm:

$$P(r) = P\{(\Delta_{1|32}^L, \Delta_{1|32}^R) \to (\Delta_1^L, \Delta_0^R)\} = 2^{-6r+5} \quad \text{for an even } r,$$

$$P(r) = P\{(\Delta_{1|32}^L, \Delta_{1|32}^R) \to (\Delta_1^L, \Delta_0^R)\} = 2^{-6(r-1)} \quad \text{for an odd } r.$$

From the condition $P(r) \le 2^{-64}$, the minimal recommended number of encryption rounds for the COBRA-F64b algorithm is $r_{\min} = 12$. If $r \ge r_{\min}$, the transformation specified by this algorithm is indistinguishable from a random one.
Table 5.26 is the summary table of the differential properties of the considered
algorithms.
The differential cryptanalysis performed is part of the complex investigations
carried out during cipher design with the purpose of optimizing certain primitives,
and substantiating its cryptographic security.

TABLE 5.26 Comparative Data for Differential Characteristics of Block Ciphers Based on Controlled Operations

* Modified variant.
** Contribution of the characteristic to the probability of the difference passing through r rounds.

In particular, it was demonstrated that the E control bits distribution table is critical, and is compiled in several steps:

1. First, the general criteria for the table’s compilation are formulated.
2. The differential characteristics are computed, and as a result, the numbers
of the most contributing bits are determined.

3. The table is modified by changing the position of the appearing bits.
4. Differential cryptanalysis is repeated.
5. Experiments are performed to determine the probabilities of differential
characteristics that correspond to one or more encryption rounds.
6. The theoretical results are compared with the experimental data.
7. If theory and experiment agree, a conclusion is drawn to the effect that the
main mechanisms of difference formation are taken into account in the
theoretical model, and the resulting estimates of cryptanalysis are trust-
worthy.

Thus, to complete the differential analysis of the considered ciphers, the last
three items should be performed. It may turn out, however, that the experimental
probability values considerably exceed the theoretical values. This would mean that
certain mechanisms that make a considerable contribution are not taken into ac-
count in the characteristic formation models.
There is no doubt that an enterprising reader will be able to complete on his own the differential analysis cycle and find the necessary refinements of the previous models used to estimate the security of the SPECTR-H64, SPECTR-128, COBRA-F64a, COBRA-F64b, DDP-S64, and DDP-S128 ciphers.

5.6.7 Attacks Based on Hardware Faults


When various encryption algorithms are compared in order to select a crypto-
system for a particular application, it is interesting to consider the attacks that pro-
vide the cryptanalyst with more options than just pure knowledge of the encryption
algorithm and a large number of ciphertext and plaintext pairs corresponding to
each other, including specially selected texts.
One type of attack that provides the cryptanalyst with additional options is
based on the encryption device (or microprocessor, in the case of program ciphers)
generating errors caused by some external action. This type of assault features a
high efficiency against many known and used cryptosystems.
The type of attacks related to the expectation or purposeful generation of hard-
ware errors of an encryption device is rather specific, but, due to the mass use of in-
telligent electronic cards, their study has taken on important practical significance.
It is evident that the expectation of errors differs from their generation only in the
fact that spontaneous errors are extremely rare, and those that occur during the
cryptographic transformation of the specified input blocks are even rarer. We will
dwell on the case in which the cryptanalyst is able to purposefully generate random
errors in the encryption device during the transformation of the selected data blocks.
Thus, we will consider a model in which the cryptanalyst is provided with the
additional option of externally acting on the encryption device with the entered key

in order to cause hardware faults, and compare the resulting output data with those
we obtained without faults. The cryptanalyst may feed the input specially selected
texts. It is assumed that access to the memory area containing the key parameters
and the encryption algorithm cannot be realized without their being erased. This
assumption is based on the fact that modern technology enables us to produce mi-
croelectronic devices with a secure memory. Thus, the cryptanalyst may have an en-
cryption device with the entered secret key, but cannot decrypt it. Neither can he
make intentional amendments to the encryption algorithm.
The intensity level of the external action (e.g., heating, high frequency, or ion-
izing radiation) the cryptanalyst uses with the encryption device is such that it
causes one or more individual errors in the microprocessor registers during the en-
cryption of one data block. It is impossible to specify the place where the error will
be generated beforehand, but after many experiments, errors of specified types will
occur in some of them; for example, the inversion of one of the register’s binary
digits after the ith encryption round is completed and before the (i + 1)th one.
Therefore, an expected error is characterized by both spatial and physical localiza-
tion. For many known ciphers, there is the option of recognizing the experiments
where the expected event occurred, which consists of trying input blocks with a spe-
cial structure and analyzing the differences in the output block structure caused by
errors. The computational complexity of this recognition may vary within a wide
range, and depends on the specific encryption mechanism. In some ciphers, many
errors are recognized trivially.
Hardware faults during encryption may be divided into two main types:

Data area errors
Command area errors

Actually, errors of the second type may lead to the formation of the encryption
key at the encryption device output, but the probability of events occurring in which
the executable code after a random modification corresponds to an application use-
ful for the cryptanalyst is very low. We will consider cases of error generation in the
data area. (The results of the experiments in which error generation of the second
type took place may be neglected.) For example, random errors in the 8-bit areas of
registers containing values of 32-bit subblocks being transformed may be used, and
the errors are expected during a certain stage of the encryption procedure (usually
during the execution of one or more commands of the microprocessor).
Let’s assume that experiments have helped you choose an external action in-
tensity in which, on average, one error is generated for the full encryption time of
one block. Make an approximate estimate of the average number of experiments
necessary to generate one expected error; in other words, the one occurring in the
specified register containing a data subblock, in the specified transformation stage.

Let’s also assume that the probability of error generation is proportional to the time of exposure of the corresponding registers that are in a state favorable for error occurrence and have the number of binary digits within the range of which the error is expected. With such an assumption, it is easy to estimate the probability $p$ of the expected error generation within one experiment; in other words, during the encryption of one block: $p \approx p_d/(RZ)$, where $p_d$ is the probability of error generation in the data area during one data block encryption procedure, $R$ is the number of transformation rounds, and $Z$ is the number of elementary transformation steps within one round. Because an error is expected during the time it takes to perform an encryption step, the probability of the occurrence of the necessary error is inversely proportional to the total number of encryption steps. (That is why, for 512-bit ciphers, the value of $p$ is considerably lower than with 64- and 128-bit ciphers.) The cryptanalyst can use pulse radiation synchronized with the encryption procedure. In this case, it is possible to use a higher radiation intensity and a length of pulse excitation equal to the time for which the transformed data subblocks are in a state favorable to the cryptanalyst.
When impulse excitation and synchronization with the encryption process are
used, the indicated probabilities may be enhanced significantly. The expected labor
expenditure employed to form a sufficient number of necessary errors does not
seem high in any of the cases. There is no basic difference among cases in which im-
pulse and stationary action are used upon the encryption device. The main thing is
that the possibility of the purposeful generation of random hardware errors in the
data registers is real. From now on, we will assume that stationary action is used on
the encryption device.
For a software implementation of a cipher as a set of standard cycle repetitions,
you must use the encryption rounds counter. This requires taking into account the
possibility of the generation of an error in the register containing the current num-
ber of performed cycles. To prevent the completion of encryption after a small
number of encryption rounds is performed (e.g., one round), the condition of ex-
iting from the cycle should be properly arranged for. The most reliable method of
preventing the pre-term completion of the encryption procedure is the repetition
of round encryption R times, even if this increases the size of the encryption appli-
cation. Let’s consider the security of some fast ciphers against this type of assault.
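As an added illustration of the round-counter problem just described (this is not code from the book), the following C fragment uses a toy Feistel round of our own and shows how a simulated single bit flip in the loop counter ends a naive loop after one round, while a loop whose exit condition is verified against a second, independently maintained counter refuses to release the short-round output. The round function, the subkeys, and the fault model are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define ROUNDS 16

static uint32_t rotl32(uint32_t x, unsigned r) { return (x << r) | (x >> ((32 - r) & 31)); }

/* Toy 64-bit Feistel round (assumed for illustration; not a cipher from the book). */
static void toy_round(uint32_t *l, uint32_t *r, uint32_t k) {
    uint32_t f = rotl32(*r + k, 5) ^ *r;
    uint32_t t = *l ^ f;
    *l = *r;
    *r = t;
}

/* Fault model from the text: one register bit is inverted after a given round.
   Here the affected register is the loop counter; fault_round < 0 means no fault. */
typedef struct { int fault_round; unsigned flip_mask; } fault_sim;

/* Naive software loop: the exit test trusts a single counter register. */
static int encrypt_naive(uint32_t blk[2], const uint32_t key[ROUNDS],
                         const fault_sim *fs, int *rounds_done) {
    uint32_t l = blk[0], r = blk[1];
    int done = 0;
    for (unsigned i = 0; i < ROUNDS; i++) {
        toy_round(&l, &r, key[i]);
        done++;
        if (fs && (int)i == fs->fault_round) i ^= fs->flip_mask;  /* simulated bit flip */
    }
    blk[0] = l; blk[1] = r;
    *rounds_done = done;
    return 0;                          /* a short-round ciphertext is released as if valid */
}

/* Hardened loop: a second counter runs down in step with the first, and the exit
   condition is verified against both counters before any output is released. */
static int encrypt_hardened(uint32_t blk[2], const uint32_t key[ROUNDS],
                            const fault_sim *fs, int *rounds_done) {
    uint32_t l = blk[0], r = blk[1];
    volatile unsigned i;
    volatile unsigned remaining = ROUNDS;
    int done = 0;
    for (i = 0; i < ROUNDS; i++) {
        toy_round(&l, &r, key[i]);
        remaining--;
        done++;
        if (fs && (int)i == fs->fault_round) i ^= fs->flip_mask;  /* simulated bit flip */
    }
    *rounds_done = done;
    /* A flip in either counter leaves the pair inconsistent with a full run of ROUNDS. */
    if (i != ROUNDS || remaining != 0 || i + remaining != ROUNDS) {
        memset(blk, 0, 2 * sizeof blk[0]);   /* never release the partial result */
        return -1;
    }
    blk[0] = l; blk[1] = r;
    return 0;
}

static void demo_key(uint32_t key[ROUNDS]) {
    for (unsigned i = 0; i < ROUNDS; i++) key[i] = 0x9E3779B9u * (i + 1);  /* constructed */
}

/* Both loops agree when no fault occurs. Returns 1 on success. */
int demo_outputs_agree_without_fault(void) {
    uint32_t key[ROUNDS], a[2] = {0x01234567u, 0x89ABCDEFu}, b[2] = {0x01234567u, 0x89ABCDEFu};
    int ra, rb;
    demo_key(key);
    if (encrypt_naive(a, key, NULL, &ra) != 0 || encrypt_hardened(b, key, NULL, &rb) != 0) return 0;
    return ra == ROUNDS && rb == ROUNDS && a[0] == b[0] && a[1] == b[1];
}

/* Counter bit 4 flipped after round 0: i becomes 16, so the naive loop exits after one round. */
int demo_naive_fault_rounds(void) {
    uint32_t key[ROUNDS], c[2] = {0x01234567u, 0x89ABCDEFu};
    fault_sim fs = {0, 0x10u};
    int rc;
    demo_key(key);
    encrypt_naive(c, key, &fs, &rc);
    return rc;   /* 1: one round was performed and the result was released */
}

/* Same fault against the hardened loop: detected, output zeroized. Returns 1. */
int demo_hardened_detects_fault(void) {
    uint32_t key[ROUNDS], d[2] = {0x01234567u, 0x89ABCDEFu};
    fault_sim fs = {0, 0x10u};
    int rd;
    demo_key(key);
    return encrypt_hardened(d, key, &fs, &rd) == -1 && rd == 1 && d[0] == 0 && d[1] == 0;
}
```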

Cryptanalysis of the RC5 Cipher


The RC5 cipher provides a high rate of data encryption, and if 12 or more rounds
are used, is secure against known methods of cryptanalysis, on the condition that
the integrity of the encryption algorithm is provided for. However, when the crypt-
analyst has the option of forming random hardware errors, the RC5 cryptosystem
turns out to be sensitive. Let’s look at the security of the RC5 cipher against this
type of assault.

The RC5 cipher provides the option of selecting the input block length ($2n$) and a different number of encryption rounds ($R$). There are precomputations used in this cryptosystem that provide for the formation of an extended key from the secret key as a series of $n$-bit subkeys $S_0, S_1, S_2, \ldots, S_{2R+1}$.
The RC5 cipher is described by the following pseudocode:

$A := A + S_0 \pmod{2^n}$,
$B := B + S_1 \pmod{2^n}$,
for $i = 1$ to $R$ do
    $A := (A \oplus B)^{<B<} + S_{2i} \pmod{2^n}$
    $B := (B \oplus A)^{<A<} + S_{2i+1} \pmod{2^n}$

where $A$ and $B$ are the left and the right $n$-bit data subblocks, and $W^{<b<}$ indicates a cyclic shift to the left of word $W$ by $b$ bits. Assume that an external action’s intensity is experimentally selected which generates one error on average for the full time of one data block’s encryption. After a comparatively small number of experiments, it is possible to generate an error in the register containing subblock $A$ after performing the transformation $A := (A \oplus B)^{<B<} + S_{2i} \pmod{2^n}$ at $i = R$. The fact that an error occurred at this step is easily recognized by the block structure of the ciphertext obtained from the given input block without entering errors ($C = A \| B$) and with entering errors ($\bar{C} = \bar{A} \| \bar{B}$).
It is very easy to derive the following relationship from $B := (B \oplus A)^{<A<} + S_{2i+1} \pmod{2^n}$:

$$A \oplus \bar{A} = \{(B - S_{2R+1})^{>A>} \oplus (\bar{B} - S_{2R+1})^{>\bar{A}>}\} \bmod 2^n$$

In the latter formula, the only unknown quantity is $S_{2R+1}$. With a high probability, it is possible to derive $A \bmod 2^5 = \bar{A} \bmod 2^5$. In this case, the expression above takes the following form:

$$(A \oplus \bar{A})^{<A<} = \{(B - S_{2R+1}) \oplus (\bar{B} - S_{2R+1})\} \bmod 2^n$$

It is easy to compute part of the subkey $S_{2R+1}$ using the last relationship. You can determine the full value of the $S_{2R+1}$ subkey by forming various errors. Then, by forming the errors in subblock $B$, it is possible to compute the $S_{2R}$ subkey after the transformations specified by $B := (B \oplus A)^{<A<} + S_{2i+1} \pmod{2^n}$ and corresponding to round $i = R - 1$ are performed. The formation of these errors is easily recognized with the known subkey $S_{2R+1}$, which provides the cryptanalyst with the option of restoring the value of subblock $B$ after the $(R - 1)$th round. If you act sequentially, this is a very good method for easily computing subkeys $S_{2R-1}, S_{2R-2}, \ldots, S_0$. For $R = 10$ to $30$, the labor expenditure for the computation of all subkeys does not exceed $10^8$ operations. Also of interest is that an attack based on the generation of hardware errors is rather efficient for the decryption of flexible ciphers in which an encryption algorithm is formed depending on the secret key; in other words, it is unknown to the cryptanalyst.

Cryptanalysis of Flexible Ciphers


A flexible $R$-round 64-bit algorithm is described where, depending on the encryption key, about $10^{16R}$ nonequivalent modifications of the cryptalgorithm are formed. Each potentially implemented modification of the cryptalgorithm uses the selection of a data-dependent subkey. To reflect this fact, we will call this algorithm DDSS-1. This cipher includes precomputations used to transform the initial secret key into the expanded encryption key, represented as a set of 32-bit subkeys $Q_i$, where $i = 0, 1, \ldots, 255$. Figure 5.30 shows the structure of one encryption round in the DDSS-1 cryptosystem.

FIGURE 5.30 One round in the DDSS-1 cipher.

The following designations are used in the illustration:

“$>c_i>$”: the operation of a cyclic shift to the right by $c_i$ bits
“$*_j$”: one of three possible operations:
XOR
Modulo $2^{32}$ addition
Modulo $2^{32}$ subtraction
In the precomputations stage, depending on the secret key in various encryp-
tion rounds, the independent values ci and “*j” are specified in identical positions,
which creates a large number of various modifications of the cryptalgorithm. The
abbreviation SS denotes the subkey selection procedure. The output of the SS func-
tion is the value of the 32-bit subkey that is currently selected.
Designate the intermediate values of the data subblocks being transformed as $X_i$, $Y_j$. Assume that an external action on the encryption device is selected where, on average, a single error is generated during the time of one data block encryption. To obtain an error in subblocks $X_i$ and $Y_j$ at the specified steps of transformation, the encryption of a certain number of input blocks will be needed. Some of these blocks may be the same. First, encrypt plaintext $P_1$ and obtain ciphertext $C_{10}$. Then, providing that there is an external action forming single errors, perform a multiple encryption of block $P_1$. In these experiments, ciphertexts will be recorded in which, with permanent values of subblocks $(x_3^7, x_2^7, x_1^7)$, the value in subblock $x_4^7$ is erroneous. Designate as $C_{11}, C_{12}, \ldots, C_{1n}$ the ciphertexts corresponding to the first plaintext $P_1$ and the occurrence of a single error only in subblock $x_4^7$. Now, subkey differences can be computed: $\delta_{x_4^7 \bar{x}_4^7} = Q_{x_4^7} \,\bar{*}_8\, Q_{\bar{x}_4^7}$, where $x_4^7$ is a subblock without errors, $\bar{x}_4^7$ are subblocks containing errors (subblocks $\bar{x}_4^7$ are part of ciphertexts $C_{11}, C_{12}, \ldots, C_{1n}$, subblock $x_4^7$ is a part of $C_{10}$), and $\bar{*}_8$ is the group operation that is the inverse of operation $*_8$. According to our attack scheme, all the $x_4^7$ and $\bar{x}_4^7$ subblocks correspond to the same plaintext $P_1$.
Designate differences where $i = x_4^7$ and $j = \bar{x}_4^7$ as $\delta_{ij}$. If $i$ is a fixed value, the total number of such differences is equal to $n = 255$. There is no need to expect the occurrence of all possible values of $j$ for a given $i$. To determine all the possible subkey differences, you can use other plaintexts $P_2, P_3, \ldots, P_n$, and observe the ciphertexts $C_{20}, C_{30}, \ldots, C_{n0}$ that correspond to them. Since the encryption algorithm specifies pseudorandom values of $x_4^7$ in these ciphertexts, we should take on average $256\left(1 + \frac{1}{2} + \frac{1}{3} + \ldots + \frac{1}{256}\right) \approx 1618$ plaintexts to obtain all the possible values (there are 256 of them) for subblock $x_4^7$. Now, designate the plaintexts corresponding to various values of $x_4^7$ as $P_1, P_2, \ldots, P_{256}$. Encrypt each plaintext $P_1, P_2, \ldots, P_{256}$ under the conditions of the generation of $n$ hardware errors, and obtain the sets of ciphertexts $C_{l1}, C_{l2}, \ldots, C_{ln}$, where $l = 2, 3, \ldots, 256$, that contain errors only in subblock $x_4^7$.
The computed differences $\delta_{i,j} = Q_{x_4^7} \,\bar{*}_8\, Q_{\bar{x}_4^7}$ that correspond to plaintexts $P_2, P_3, \ldots, P_{256}$ will contain arbitrary pairs of index values. This enables you to use a group property of operation $*_8$ and compute 256 various differences corresponding to the same value of index $i$. For this purpose, use the formula $\delta_{ij} = \delta_{ik} *_8 \delta_{kj}$.
It is easy to see that with a full set of values of subblock $x_4^7$, the relationship $\delta_{ij} = \delta_{ik} *_8 \delta_{kj}$ enables us to find an $i_0$ that provides a full set of differences $\delta_{i_0 j}$, $j = 0, 1, 2, \ldots, 255$. This gives us the option of computing all subkeys by trying the values of the $Q_{i_0}$ subkey. There are only $2^{32}$ variants, which can be quickly tried. However, directly trying variants by known values of the plaintext and ciphertext is impeded by the fact that the $*_1, \ldots, *_8$ and $>c_1>, \ldots, >c_{12}>$ operations are unknown, and it is necessary to find them first. This can be done in parts, using the fact that, while guessing the correct combination of operations, the computed subkey differences $\delta_{ij}$ will depend only on the indices $(i, j)$, and not on the incoming text. There are 93 various combinations of operations $*_8$ and $>c_{12}>$, and so it is easy to find the correct values of both operations that meet the previous condition.
After operations $*_8$ and $>c_{12}>$ are determined, we can move on to determining the extended key. Select a value $Q_{i_0}$. This specifies all subkeys $(Q_0, Q_1, \ldots, Q_{255})$, since the differences $\delta_{i_0 j}$, $j = 0, 1, 2, \ldots, 255$ are already determined. When the extended key is computed, and the operations $*_8$ and $>c_{12}>$ are known, it is possible to compute $Y^4$ (as well as subblock $y_4^4$) for any given plaintext $P$, and determine subkey $Q_{y_4^4}$. Then, encrypt plaintext $P$ under conditions of hardware error generation, and observe ciphertext $(X^7 \| Y^6)$. If the $Q_{i_0}$ subkey has been guessed correctly, we will find a single error in subblock $y_4^4$ with a rather high probability. If the current value $Q_{i_0}$ is false, there is a low probability of a single error occurrence in subblock $Y^4$, since the latter will be computed using a false value of subkey $Q_{x_4^7}$. This fact may be used as a criterion for selecting the correct $Q_{i_0}$ value.
Knowing the true extended key, it is easy to determine the rest of the unknown operations. To determine operation $*_7$, generate an error in subblock $y_4^4$ under the condition of error-free $(y_3^4, y_2^4, y_1^4)$. Such an event can be selected, since subblock $Y^4$ can be computed with a known $Y^6$. If $*_7$ is guessed correctly, then the value $X^6$ computed with a known $X^7$ and $Q_{y_4^4}$ is the same both with and without the error for the same plaintext $P$. This is the criterion for recognizing the true $*_7$ operation independently of the values of the operations in the previous steps of encryption. Using an analogous method, we can sequentially determine operations $*_6$, $*_5$, and so forth, until all operations in all rounds have been determined (for a multiround DDSS-1 cryptoscheme, the attack described is connected with the last round). Note that we do not need to perform an encryption operation with simultaneous error generation, since the required cases can already be found in the available set of experimental data. These are cases that were unnecessary for the previous steps of the assault. Now they can be used because we have the option of computing previous values of subblocks $X_i$ and $Y_j$. It is easily noticed that the most difficult computational step of the attack is finding the right value of the $Q_{i_0}$ subkey, which requires, on average, consideration of $2^{31}$ variants. This step requires the implementation of about $2^{32} l_0$ operations, where $l_0$ is the number of attempts necessary to obtain an error in the required place. Considerably enhancing the security (e.g., up to $10^{30}$ times) against this type of assault by increasing the value $l_0$ means a special implementation of the DDSS-1 algorithm. Therefore, this cipher cannot be treated as secure against an assault based on the generation of hardware errors.

Security of the GOST 28147-89 Algorithm


The GOST 28147-89 Russian encryption standard is an example of a widely used block cryptosystem with its security determined by both key secrecy and substitution tables. In its structure, this cryptosystem is similar to DES, and uses a 256-bit secret key and 4×4 secret substitution boxes. The full transformation includes 32 encryption rounds. An assault on the GOST 28147-89 algorithm using hardware error generation presumes the computation of 32-bit keys in every round, and that of the secret substitution tables in the last round. The total number of substitution table variants is $(16!)^8$, but they are easily computed, despite their large number. The weakness of this algorithm against assaults based on hardware errors lies in using an operation of addition modulo $2^{32}$, and in the small size of the substitution boxes. This makes an assault based on using the avalanche effect stipulated by a carry bit rather efficient. To perform such an assault, you just need to have two encrypted messages (one with errors, and the other without) worked out from the same initial message with a size of about $10^5$ bytes. The initial message may be unknown to the violator. The work effort for such an assault does not exceed $10^{10}$ operations.

Cipher Security Based on Pseudorandom Subkey Selection


The option of generating random errors enables the violator to make use of the fol-
lowing method. Instead of studying complicated encryption procedures with many
unknown subkeys, the difference in the transformation results of some unknown
intermediary subblock, obtained both before and after the error was introduced, is
studied. This error is introduced into another data subblock, influencing the trans-
formation procedure of the first one. Comparing the transformation results before
and after the error was introduced enables the violator to create the necessary
statistics that he can use to identify all unknown transformation parameters of the
selected step of encryption. Since the number of various values of unknown parameters in separate transformation steps is rather small, they can be computed by simple trial and error, and this can be done both for numerical values of subkeys and to determine unknown operations and procedures.
In this scheme, cryptanalysis starts from the last encryption step. The errors in-
troduced before the second to last and the last encryption steps were performed are
dispersed in great degree by the time the encryption is completed, so they cannot be
directly used to determine the key parameters corresponding to these steps. Taking
this circumstance into account, it is possible to offer an easy method of reinforcing
the encryption algorithm against the considered types of assault, which consists of
using additional transformation algorithms in the last step; for example, substitu-
tion operations on large subblocks (8, 16, or 32 bit) performed using secret tables
(i.e., by those formed at the precomputations step, depending on the secret key).
The examples of the cryptanalysis of the RC5, DDSS-1, and GOST ciphers show that the use of secret substitution tables and key-dependent and data-dependent operations cannot in itself provide high security against an attack based on the generation of random hardware errors. To provide high security against such an attack, you must use algorithms with a special transformation structure. Taking into account the peculiarities of such an assault, we can assume that the 512-byte algorithms described in Chapter 2 that use a more efficient mechanism of data-dependent subkey selection have high security against assaults based on random hardware error generation. This is connected with the following features of the transformation mechanism:

The indices of the selected subkeys are not specified directly by the data sub-
blocks being transformed.
The subkeys are not directly used during the transformation of the data sub-
blocks, but serve only to modify accumulating variables.
Nondeterministic 512-byte algorithms do not allow you to perform computa-
tion of the components of individual unknown operations used in one en-
cryption round.

Therefore, high security against assaults based on hardware errors is obtained by using a special structure of the round transformation function, and not due to the use of additional encryption rounds. One of the methods for providing security against assaults based on hardware error generation is the use of probabilistic encryption, but this leads to an increase in the size of the encrypted data. Using algorithms that are themselves secure against assaults based on error generation is preferable.

5.7. FAST CIPHERS WITH SIMPLE KEY SCHEDULE

This section covers a range of ciphers based on controlled operations, including variable substitutions and permutations. The main advantages of these cryptosystems are high security and encryption speed. At the same time, the complexity of their hardware implementation is relatively low. Materials provided in further sections include differential analysis of fast ciphers with a simple key schedule. Also covered are some other types of cryptanalytic attacks.

5.7.1 Cryptoschemes and Ciphers Based on Controlled and Switched Operations


One specific feature of the development of block ciphers based on controlled operations is that all bits of the data subgroup being transformed are used when executing a single operation. At the same time, the nature of their use depends on the type of the data subgroup they belong to; namely, to the controlling subgroup or to the data subgroup being transformed. The specific features of the development of block ciphers using this type of cryptographic primitive are closely related to this issue.

Variants of Cipher Implementation Based on Variable Permutations


For the moment, the use of data-dependent permutations as the main primitive of an entire range of block ciphers has been well tried. The SPECTR-H64 block cryptosystem is an example of the efficient use of permutation networks as a cryptographic primitive. The structure of the round transformation can be considered an improved Feistel cryptoscheme, where the right data subgroup is transformed using the $P_{32/80}$ controlled permutation block executed simultaneously with the computation of the round function of the left subgroup. In this case, the following transformation takes place:

$L \leftarrow L$;
$R \leftarrow F(L) \oplus P^{(V)}_{32/80}(R)$,

where “$\leftarrow$” stands for the assignment operation, $R$ and $L$ are the right and left data subgroups, $F$ is the round function, and $V$ is the controlling vector formed depending on the left subgroup.
The advantage of the improved cryptographic scheme is an increase in the parallelism level of the encrypting transformations. To preserve the possibility of decrypting a block of ciphertext using the same algorithm that carries out the encryption (the universality property), it is necessary to carry out an inverse controlled permutation $P^{-1}_{32/80}$ after superimposing the round function over the transformed right block. Both aforementioned operations, $P_{32/80}$ and $P^{-1}_{32/80}$, are carried out in dependence on the left data subgroup, which determines its participation in each operation carried out within the encryption round. Despite active use of the left data subgroup, this subgroup as such is not subject to transformation in the course of the execution of the encryption round. Because of this, there arises the problem of forming different values of the controlling vectors for the $P_{32/80}$ and $P^{-1}_{32/80}$ operations. This problem consists in that, in case of equality of the controlling vectors, the execution of the two $P_{32/80}$ and $P^{-1}_{32/80}$ operations is reduced to the execution of one $P^{-1}_{32/80}$ operation carried out over the computed value of the round function. In the SPECTR-H64 cipher, this problem is solved by using different subkeys in addition to $L$ when forming the controlling vectors for $P_{32/80}$ and $P^{-1}_{32/80}$. The complete round of the transformation appears as follows:

$L \leftarrow L$;
$R \leftarrow F(L) \oplus P^{(V)}_{32/80}(R)$;
$R \leftarrow (P^{-1})^{(V')}_{32/80}(R)$.

The cryptoscheme considered here is of general interest when designing ciphers based on variable operations. Because of this, it is necessary to identify its drawbacks, if there are any, and consider the possibility of their elimination. The use of a relatively large number of subkeys (six 32-bit ones) is a certain drawback of the SPECTR-H64 cryptosystem. This implies the need for key extension procedures or relatively long secret keys; for example, the SPECTR-H64 algorithm uses a 256-bit secret key. Thus, when building ciphers based on mutually inverse blocks of controlled permutations, the developer faces the specific problem of implementing an efficient mechanism for forming different control vectors for the mutually inverse blocks of controlled permutations, while at the same time ensuring the properties of universality and high transformation parallelism.
To solve this problem, a method was suggested that doesn't require the use of auxiliary subkeys. This method consists of the use of fixed permutations carried out over the left and/or the right subgroup of the data. The universality property of the encryption algorithm is preserved because two identical round functions are used in such a transformation. In addition to this, the following elements are used:

Permutation involutions (over the left and/or the right subgroup)
Switched fixed permutations (over the left and/or the right subgroup)
Transformation of the left subgroup by superimposing the subkey over it

Consider several variants of cryptoschemes implemented according to this method of solving the problem of forming controlling vectors for executing mutually inverse variable operations. The use of a switched operation over the right subgroup is shown in Figure 5.31, where G denotes an operation built the same way as the similar operation in the SPECTR-H64 cipher, and Crypt(e) designates the round transformation procedure as a whole.

FIGURE 5.31 General scheme of the Crypt(e) procedure with a switched operation.

This mechanism is based on the fact that the transformation of the right branch is the superposition P^{(V)}_{n/m} • Π(e) • (P^{-1}_{n/m})^{(V)}, which is in effect an operational block controlled by the vector V and carrying out variable permutations having the cycle structure of the fixed permutation Π(e).
Obviously, in this superposition, intended to implement only permutations with the cycle structure of Π(e), the natural requirement is the equality of the controlling vectors corresponding to the direct block P_{n/m} and the inverse block P^{-1}_{n/m}. In the general case, for different values of the left subgroup (different values of the controlling data subgroup L), different permutations with the specified cycle structure are implemented. The advantage of this variant of the cryptoscheme design is the possibility of using an extension block implemented as a simple branching of conductors, which economizes on hardware resources. In addition, there is no need to use additional keys for forming different controlling vectors. The possibility of encryption and decryption using the same algorithm is ensured because both G operations are identical and the invertible (switched) fixed permutation satisfies the condition Π(e=1) = (Π(e=0))^{-1}. Both in the course of encryption and in the course of decryption, the aforementioned superposition implements permutations with the specified cycle structure; for example, one-cycle permutations.
In the particular case of a one-cycle permutation Π(e), the optimization mechanism consists in that the bit from the j-th position at the input of the P_{n/m} block falls with approximately the same probability into all positions at the output of the P^{-1}_{n/m} block except the j-th one, into which it never falls for any value of the controlling vector. The same property is ensured by any permutation that doesn't contain cycles of length 1. To ensure an approximately uniform influence of each input bit of the P_{32/96} operational block on the values of all output bits of the P^{-1}_{32/96} block, it is possible to use an invertible permutation consisting of a single cycle.
For example, an invertible permutation can be implemented using a single-layer controlled permutation block containing 32 elementary switches, with the same bit e supplied to the controlling input of all elementary switches. The structure of the permutation Π(e) implementing the classical cyclic right (e = 1) or left (e = 0) shift is shown in Figure 5.32. The delay time of this operation is determined by the time required for the signal to pass through one active layer, which is approximately equal to the delay of the bitwise modulo-2 addition operation (t⊕). The delay corresponding to the bit permutation operations, provided that the P_{32/96} and P^{-1}_{32/96} controlled permutation blocks are used, makes 6t⊕, and the execution time of one round then makes 15t⊕.
This variant of solving the problem of forming control vectors can be applied both to controlled permutations and to pairs of mutually inverse variable operations of other types built on the basis of controlled SP-networks (that is, when F_{n/m} and F^{-1}_{n/m} blocks are used).
FIGURE 5.32 The structure of the invertible one-cycle permutation.

Specific Features of Using Two G Operations of the Same Type

The advantage of controlled permutations is that the influence of one input bit on all output bits is ensured with the minimum delay time. However, this transformation preserves the Hamming weight. For this reason, when building ciphers, it is expedient to use, in addition to permutations, transformations of other types that change the weight and parity of the binary vectors being transformed. To achieve this goal, it seems expedient to use an operation similar to the controlled binary operation G, which was tried as a cryptographic primitive in the SPECTR-H64 cipher and proved itself well. This operation can also be applied when pairs of mutually inverse operations of other types (built on the basis of controlled SP-networks) are used for the transformation of the right subgroup.
The previously considered scheme of the round transformation has the following specific feature: in contrast to the SPECTR-H64 cipher, it uses two similar G operations instead of one in the round transformation shown in Figure 5.31. Each of these operations “mixes” the left data subgroup with a different pair of subkeys. From the description of the structure of this operation provided earlier, it can be easily seen that changing the i-th bit of L results in a deterministic change of the i-th bit and a probabilistic change of several bits following it at the output of the G operation. If the output values of the two G operations were added directly, the avalanche effect would be weakened. Carrying out a bit permutation (in particular, a cyclic shift by a number of bits exceeding the value d) over the output value of one of the G operations allows us to counteract such suppression of the avalanche effect. For this purpose, it is possible to use a one-cycle permutation Π(e) corresponding to a cyclic shift by, say, 17 bits (a right shift if e = 0, and a left shift if e = 1). In the cryptoscheme shown in Figure 5.31, the extinguishing of the avalanche effect is eliminated by executing a fixed permutation operation over the right data subgroup after the first G operation but before the second one. Thus, the fixed permutation used in the right branch of the cryptoscheme plays a double role: it coordinates the two similar G operations in a certain way, and it optimizes the mechanism of forming controlling vectors for the controlled permutation blocks.
Nevertheless, there is another important feature of the mechanism represented in Figure 5.31 with its two identical operations G. Each bit of the left subgroup influences, in both the first and the second G operation, the output bits belonging to the same positions. These bits are separated by the fixed bit permutation in the right branch; however, the probabilities of generating active difference bits in identical positions of both G operations are dependent, because the keys are fixed elements. This feature results in a certain increase of the probability with which differences of small weight pass through the round transformation. To eliminate this drawback, it is possible to execute a fixed permutation involution I over the left data subgroup. Such an operation also serves the second goal of improving the mechanism of forming controlling vectors.
The permutation involution I is chosen taking into account the structure of operation G. Let this operation have the property that the i-th input bit x_i influences the four output bits y_i, y_{i+1}, y_{i+2}, and y_{i+3}. This means that the i-th output bit is influenced, besides x_i, by the input bits with numbers i−1, i−2, and i−3 (for the G operation with initial conditions, the values i = 1, 2, and 3 are exceptions). For such an operation G, it is natural to choose a permutation involution that, for each i, moves the bits l_{i−1}, l_{i−2}, l_{i−3} of the left data subgroup to a distance of no less than four positions from the moved bit l_i. This criterion ensures that the pair of output bits of the upper and the lower operation G belonging to the same position, say the j-th bit, depends on seven different bits of the left data subgroup for the maximum number of different values of j (in the case of operations G without initial conditions, this is true for all values of j). For the case of 32-bit subgroups, this condition is satisfied, for example, by the following permutation:

I = (1,17)(2,21)(3,25)(4,29)(5,18)(6,22)(7,26)(8,30)(9,19)(10,23)(11,27)(12,31)(13,20)(14,24)(15,28)(16,32).

If a general-type permutation is used in the left branch of the cryptoscheme instead of the involution I, this will simplify the design of the required permutation. However, to ensure the possibility of using the same algorithm for encryption and decryption, it will then be necessary to use an operational block implementing an invertible (switched) fixed permutation similar to Π(e). In the right branch of the cryptoscheme, instead of the invertible permutation Π(e) it is possible to use a permutation involution I', different from I. Note that the use of fixed permutations in both the left and the right branches of the cryptoscheme requires their coordination.
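As an added example (not from the book), the following Python checks the involution I given above: that it is a fixed-point-free involution of the 32 bit positions, and that, for a G operation whose i-th output depends on the four input bits i, i−1, i−2, i−3 (taken cyclically, which is the assumption made here for the variant without initial conditions), the j-th output bits of the upper G (fed with L) and of the lower G (fed with I(L)) together depend on at least seven distinct bits of L for every j.

```python
from typing import Dict, List, Set

N = 32
G_SPAN = 4   # output bit y_i of G depends on input bits x_i, x_{i-1}, x_{i-2}, x_{i-3}
# The involution I from the page as 1-based transpositions (i, I(i)).
I_CYCLES = [(1, 17), (2, 21), (3, 25), (4, 29), (5, 18), (6, 22), (7, 26), (8, 30),
            (9, 19), (10, 23), (11, 27), (12, 31), (13, 20), (14, 24), (15, 28), (16, 32)]


def involution_table(cycles=I_CYCLES) -> Dict[int, int]:
    """Expand the cycle notation into a lookup table i -> I(i)."""
    table = {}
    for a, b in cycles:
        table[a], table[b] = b, a
    return table


def is_fixed_point_free_involution(table: Dict[int, int], n: int = N) -> bool:
    """True iff the table is a permutation of 1..n consisting only of 2-cycles."""
    return (sorted(table) == list(range(1, n + 1))
            and all(table[table[i]] == i and table[i] != i for i in table))


def g_sources(j: int, n: int = N, span: int = G_SPAN) -> Set[int]:
    """Input bit numbers feeding output bit j of G (cyclic indexing assumed)."""
    return {(j - k - 1) % n + 1 for k in range(span)}


def left_bits_feeding(j: int, table: Dict[int, int]) -> Set[int]:
    """Bits of L that influence output j of the upper G (fed with L) and of the
    lower G (fed with I(L)); position p of I(L) carries bit l_{I(p)} of L."""
    return g_sources(j) | {table[p] for p in g_sources(j)}


def min_distinct_sources(table: Dict[int, int], n: int = N) -> int:
    """Smallest number of distinct L bits behind one output position of both G's."""
    return min(len(left_bits_feeding(j, table)) for j in range(1, n + 1))


def apply_involution(left: List[int], table: Dict[int, int]) -> List[int]:
    """Move bit l_i (left[0] is l_1) to position I(i)."""
    out = [0] * len(left)
    for i, bit in enumerate(left, start=1):
        out[table[i] - 1] = bit
    return out
```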

Other Mechanisms of Coordinating Control Vectors

Consider other variants of building round transformations, assuming they are used as a basis for building an iterative cipher with the structure shown in Figure 5.33. To avoid using additional active elements in the circuit implementation, it is possible to use as the intermediate fixed permutation a permutation involution containing only cycles of length 2. In this case, as in the case of a single-cycle permutation, the influence of the j-th input bit on the j-th output bit isn't ensured within one round for any value of j. This nonuniformity is equalized in the next round, which allows us to abandon the superposition of different round subkeys when forming the control vectors corresponding to the direct and inverse blocks of controlled permutations. This simplifies the hardware implementation of cryptosystems with a round structure similar to the encryption round of the SPECTR-H64 cryptosystem. Thus, adding a fixed permutation between the P_{n/m} and P^{-1}_{n/m} blocks is an efficient method of optimizing the mechanism of controlling mutually inverse data-dependent permutations.
In the round transformation shown in Figure 5.34, a transformation of the left subgroup is used, by means of which different control vectors are built for controlling the mutually inverse substitution blocks.

FIGURE 5.33 The generalized scheme of an iterative cipher.

FIGURE 5.34A Encryption round using transformation of the left data subgroup using fixed permutation involutions.
FIGURE 5.34B Encryption round using transformation of the left and right data subgroups using fixed permutation involutions.

Statistical studies of the influence of the input bits of the F_{n/m} block on the output bits of the F^{-1}_{n/m} block have shown that even for the simple mechanism shown in Figure 5.34a it is possible to find a permutation involution simple enough to ensure the uniform influence.
Similar investigations of the scheme shown in Figure 5.34b have demonstrated that the simultaneous use of permutation involutions carried out over the left and the right subgroups can also be applied, because the effects introduced by these two mechanisms do not neutralize one another.
A similar mechanism is shown in Figure 5.35, where in the left branch a switched permutation is used instead of the fixed one, which allows general-type permutations to be used. At the same time, this switched operation doesn't introduce any time delay, because the XOR operation is executed after the upper G operation, thanks to which the output value of the lower G operation is formed simultaneously with the forming of the output value of permutation I.
To decrease the amount of key material used within a round, it is possible to apply the scheme shown in Figure 5.36, where two controlled operations S_{32/32} are used for forming the round function. Instead of the S_{32/32} blocks, in this scheme it is possible to use S_{32/96} blocks, which, when implemented in programmable LICs, will be coordinated in delay time with the R_{32/96} block that carries out the transformation of the right data subgroup. Such a structure of the round transformation allows for easy evaluation of differential characteristics with differences of small weight, which are the most efficient when implementing a differential attack. This variant demonstrates the possibility of using minimal key material within a single encryption round.
In the previously considered examples of internal optimization of the distribution of control bits over the elementary controlled units of the controlled operational blocks F_{n/m} and F^{-1}_{n/m}, an intermediate reversible transformation was carried out over the left subgroup, which either didn't introduce any delay at all or introduced a delay approximately equal to the time required to execute a XOR operation. In principle, it was possible to apply more complicated transformations of the left subgroup. However, such transformations increase the critical path of the combinational circuit carrying out the round transformation. In addition to increased hardware requirements for manufacturing the encrypting devices, this also reduces the encryption speed. Obviously, more sophisticated transformations carried out over the left subgroup allow for efficient elimination of the problem of forming control vectors, and provide the possibility of reducing the number of rounds. Potentially, this might result in a performance gain and a reduction of the implementation cost. The possibility of reducing the number of rounds is due to the fact that both subgroups will be transformed within the same round (in other words, the entire data block is going to be transformed). However, to implement this idea, it is necessary to develop other building procedures with high parallelism of transformation execution.

FIGURE 5.35 Structure of the Crypt(e) procedure with a switched permutation in the left branch of the cryptoscheme.
FIGURE 5.36 The structure of the Crypt(e) procedure with the transformation of the left subgroup of the cryptoscheme by means of superposition of the subkey over it.

Because of the nature of data-dependent operations as such, transformation parallelism is included automatically. Therefore, it is possible to apply the two schemes of building round transformations shown in Figures 5.37a and 5.37b. The first scheme uses controlled 2-bit operations and requires a considerable amount of key material within one encryption round. A specific feature of the second scheme is the coordination between the direct and inverse operations R_{n/m} and R^{-1}_{n/m} executed in parallel before the first (top) XOR operation. One of these operations is carried out over the right subgroup, which is then exchanged with the left subgroup. Coordination is necessary here because the operations are carried out using the same values of the control vectors. The two sequentially executed R_{n/m} operations, between which the second XOR operation is carried out, are also coordinated. A specific feature of employing two internal R_{n/m} operations is that they are carried out over round subkeys (one of these operations is executed simultaneously with the transformation of the right subgroup). The problem of coordination is eliminated if different extension blocks are used for the operations executed over subkeys and over the right subgroup. Alternatively, this problem is eliminated by applying operations of different types to the right subgroup and to the subkeys. Note that in the scheme presented in Figure 5.37b, it isn't expedient to replace the two R_{n/m} operations carried out over subkeys by R^{-1}_{n/m} operations.

FIGURE 5.37A The round encryption mechanism with transformation of both data subgroups using two identical operations G.
FIGURE 5.37B The round encryption mechanism with transformation of both data subgroups using three identical operations R_{n/m}.

Although these two apparently elegant schemes allow strong ciphers to be built with 6 to 12 rounds for different variants of operational blocks, their critical path is approximately 1.5 times longer than the critical paths of the earlier considered cryptoschemes, because the first of the two sequentially executed operations cannot be executed simultaneously with the pair of operations executed in parallel. As a result, the execution time of the encryption round is approximately equal to (6m/n + 2)t⊕. In the previously considered cryptoschemes, the parallelism level can be evaluated as 2 (on average, two operations are executed in parallel: first, three operations are executed in parallel, after which the fourth operation is executed), and in the latter two cryptoschemes the parallelism level is evaluated as 4/3 (two operations are executed in parallel, then the third and the fourth operations are executed sequentially). In the next section, more efficiently designed schemes of the round transformation will be covered; they transform both data subgroups and are characterized by parallelism level 2.
It should be mentioned that after building efficient mechanisms of forming control vectors that do not require round subkeys, it is possible to return to using round subkeys if this becomes necessary due to some design considerations. In this case, some statistical nonuniformities of the influence of the bits of the right subgroup can be eliminated. Such nonuniformities might take place when executing one round of the SPECTR-H64 encryption algorithm even when different subkeys are used for forming the control vectors of the P_{32/80} and P^{-1}_{32/80} controlled operations. Note that for the previously considered mechanisms, such nonuniformities are smoothed even without using different subkeys for forming control vectors.

Cryptoschemes Combining Transformation of Both Subblocks with High Parallelism Level

To implement the transformation of the entire data block within the same round while preserving a high enough parallelism level, the cryptoscheme shown in Figure 5.38 was developed. This cryptoscheme is based on the following ideas:

Two identical data-dependent transformation operations are used, which depend on the left subgroup and are placed in bilaterally symmetric positions in the structure of the encryption round. The output values of these operations are added to the right data subgroup as in the Feistel cryptoscheme.
One of the aforementioned operations is computed simultaneously with the transformation of the left data subgroup, and the right one is carried out simultaneously with the transformation of the right data subgroup by the operation depending on the left data subgroup. Thus, this scheme has parallelism level 2.
To ensure the universality of the cryptoscheme, the left data subgroup is transformed using an operation representing an involution or a switched controlled operation. For the same purpose, the control vector used when executing the controlled operation over the right data subgroup is formed from the initial value of the left data subgroup in the course of encryption, and from the transformed value of the left data subgroup in the course of decryption.

FIGURE 5.38 The structure of round encryption with transformation of both data subgroups while preserving a high parallelism level of the computations.

In this cryptoscheme, there are two pairs of operations S_{n/m} and R_{n/m}. The operations of the first pair are executed over the left data subgroup (S_{n/m}) and the subkey G_r (R_{n/m}), and the operations of the second pair are carried out over the right data subgroup (S_{n/m}) and the subkey T_r (R_{n/m}). At the same time, only the operation carried out over the left subgroup is fixed once the key has been established. All the other controlled operations are variable, because they depend on the left data subgroup. In this cryptoscheme, it is assumed that the extension blocks are built so that no bit of the left data subgroup influences any bit of the binary vector being transformed (subkey or data subgroup) more than once. The operations depending on the left data subgroup specify nonlinear transformations, while the operation executed over the left subgroup is linear if operation S_{n/m} is built using controlled elements of the F_{2/1} type (when controlled elements of size F_{3/1} or more are used, this operation also becomes nonlinear). Operation S_{n/m} ensures a good avalanche effect, and the three nonlinear operations ensure a high degree of nonlinearity of the round transformation (the algebraic degree of nonlinearity is 7). Further on, different variants of the nonlinear transformation of the left subgroup will be considered, which are built on the basis of minimal controlled elements and ensure an algebraic nonlinearity degree of the round transformation over 20. The variant of the left subgroup transformation using 4 × 4 S-boxes executed in parallel also appears to be a good solution.
It is necessary to mention that to ensure the universality of such a cryptoscheme, it is necessary to impose certain limitations on the controlled operations used for transforming the left and right data subgroups. Two types of such operations are possible:

Controlled involutions
Switched controlled operations of the general type

Thanks to modification of the bit specifying either a direct operation or its corresponding inverse operation, it is possible to execute encryption and decryption using the same algorithm. Economical variants of building controlled operations make their use within the framework of the cryptoscheme considered here very promising for developing fast and easily implemented block ciphers.
Building controlled involutions based on a controlled substitution-permutation network is easier than building controlled permutation involutions. To achieve this, it is possible to use the following variants: sequential (Figure 5.39a) and parallel (Figure 5.39b). The advantage of the first scheme is that it specifies the transformation of the input vector as a single whole; however, it is necessary to execute two mutually inverse operations F_{n/m} and F^{-1}_{n/m}. The advantage of the second variant is the parallelism of the operations being executed, which reduces the delay time. However, in the second case, the binary input vector is split and transformed as two independent values. In the first case, the resulting block F_{n/2m} is formed, and in the second case, the block F_{2n/m}. Despite the difference in the way of specifying involutions, both schemes ensure approximately equal design possibilities for synthesizing ciphers for a given number of active layers.
It can be easily shown that these schemes result in controlled involutions. Indeed, transform the output vector Y using the F_{n/2m} operation while preserving the value of the control vector. For the sequential scheme, this transformation appears as follows (here “•” denotes superposition applied from left to right, and (X)A denotes the application of A to X):

Y' = F_{n/2m}(Y) = (F^{-1}_{n/m})^{(V)}(I(F^{(V)}_{n/m}(Y))) = (Y) F^{(V)}_{n/m} • I • (F^{-1}_{n/m})^{(V)} =
= ((X) F^{(V)}_{n/m} • I • (F^{-1}_{n/m})^{(V)}) F^{(V)}_{n/m} • I • (F^{-1}_{n/m})^{(V)} =
= (X) F^{(V)}_{n/m} • I • (F^{-1}_{n/m})^{(V)} • F^{(V)}_{n/m} • I • (F^{-1}_{n/m})^{(V)} =
= (X) F^{(V)}_{n/m} • I • I • (F^{-1}_{n/m})^{(V)} = (X) F^{(V)}_{n/m} • (F^{-1}_{n/m})^{(V)} = X.

FIGURE 5.39 Sequential (a) and parallel (b) schemes of building a controlled involution block implemented on the basis of a controlled substitution-permutation network.

Thus, the first scheme implements a controlled operation that is an involution. For the second scheme, the transformation appears as follows:

Y' = F_{2n/m}(Y) = F_{2n/m}(Y_1, Y_2) = ((F^{-1}_{n/m})^{(V)}(Y_2), F^{(V)}_{n/m}(Y_1)) =
= ((F^{-1}_{n/m})^{(V)}(F^{(V)}_{n/m}(X_1)), F^{(V)}_{n/m}((F^{-1}_{n/m})^{(V)}(X_2))) = (X_1, X_2).

This means that in the second case we are also dealing with a controlled involution, for an arbitrary F_{n/m} block.
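The following added Python model (not the book's code, nor that of any actual cipher) covers two passages at once: the right-branch superposition P^{(V)}_{n/m} • Π(e) • (P^{-1}_{n/m})^{(V)} of the Crypt(e) procedure of Figure 5.31, and the sequential and parallel controlled involutions of Figure 5.39. The controlled permutation block is a generic six-layer network of elementary switches with a constructed perfect-shuffle wiring (the real SPECTR-H64 and COBRA-H64 wirings are not reproduced), the extension block is a plain branching of conductors V = (L, L, L), and permutations are kept as maps of bit positions so that their cycle structure can be inspected directly.

```python
from typing import List, Sequence

Perm = List[int]  # perm[i] is the output position that input bit i is moved to

def compose(p: Perm, q: Perm) -> Perm:
    """Superposition p • q in the page's postfix notation: apply p, then q."""
    return [q[p[i]] for i in range(len(p))]

def inverse(p: Perm) -> Perm:
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return inv

def cycle_lengths(p: Perm) -> List[int]:
    """Sorted cycle lengths of p; [32] means a one-cycle permutation of 32 bits."""
    seen, lengths = set(), []
    for start in range(len(p)):
        if start in seen:
            continue
        i, length = start, 0
        while i not in seen:
            seen.add(i)
            i, length = p[i], length + 1
        lengths.append(length)
    return sorted(lengths)

N, LAYERS = 32, 6        # P32/96: six active layers of 16 elementary switches P2/1
M = LAYERS * N // 2      # 96 control bits

def shuffle_wiring(n: int) -> Perm:
    """Constructed fixed wiring between active layers (a perfect shuffle); the
    real SPECTR-H64 / COBRA-H64 wiring is not reproduced here."""
    return [(2 * i) % (n - 1) if i < n - 1 else n - 1 for i in range(n)]

def cp_box(v: Sequence[int], n: int = N, layers: int = LAYERS) -> Perm:
    """Controlled permutation P(V)n/m as a map of bit positions: each active
    layer is the fixed wiring followed by n/2 switches, and switch j of layer
    k swaps its pair of bits iff control bit v[k*n/2 + j] is 1."""
    assert len(v) == layers * n // 2
    wiring, perm = shuffle_wiring(n), list(range(n))
    for k in range(layers):
        layer = list(range(n))
        for j in range(n // 2):
            if v[k * (n // 2) + j]:
                layer[2 * j], layer[2 * j + 1] = 2 * j + 1, 2 * j
        perm = compose(compose(perm, wiring), layer)
    return perm

def extension_block(left: Sequence[int]) -> List[int]:
    """Extension block as a plain branching of conductors: V = (L, L, L)."""
    return list(left) * (M // N)

def fixed_pi(e: int, n: int = N) -> Perm:
    """Switched one-cycle permutation Π(e) of Figure 5.32: cyclic shift right
    by one position for e = 1 and left for e = 0, so Π(1) = Π(0)^-1."""
    return [(i + 1) % n if e else (i - 1) % n for i in range(n)]

def plain_superposition(left: Sequence[int]) -> Perm:
    """P(V) • P^-1(V) with equal control vectors: the degenerate case."""
    p = cp_box(extension_block(left))
    return compose(p, inverse(p))

def right_branch(left: Sequence[int], e: int) -> Perm:
    """P(V) • Π(e) • P^-1(V): a variable permutation with Π's cycle structure."""
    p = cp_box(extension_block(left))
    return compose(compose(p, fixed_pi(e)), inverse(p))

def sequential_involution(left: Sequence[int], invol: Perm) -> Perm:
    """Figure 5.39a: F(V) • I • F^-1(V), with I a fixed permutation involution."""
    p = cp_box(extension_block(left))
    return compose(compose(p, invol), inverse(p))

def parallel_involution(left: Sequence[int], n: int = N) -> Perm:
    """Figure 5.39b as a map of 2n positions: (X1, X2) -> (F^-1(V)(X2), F(V)(X1))."""
    p = cp_box(extension_block(left))
    inv = inverse(p)
    return [n + p[i] for i in range(n)] + [inv[i] for i in range(n)]

HALF_SWAP = [(i + N // 2) % N for i in range(N)]  # constructed involution I

def demo() -> dict:
    """Constructed sample control subgroup; each property is asserted in the test."""
    left = [int(b) for b in "10110010011101001011001011100101"]
    ident = list(range(N))
    q0, q1 = right_branch(left, 0), right_branch(left, 1)
    c, d = sequential_involution(left, HALF_SWAP), parallel_involution(left)
    return {
        "degenerate": plain_superposition(left) == ident,       # P • P^-1 cancels
        "one_cycle": cycle_lengths(q0) == [N] and all(q0[j] != j for j in ident),
        "decrypt_is_inverse": q1 == inverse(q0),               # flipping e inverts
        "seq_involution": compose(c, c) == ident and c != ident,
        "par_involution": compose(d, d) == list(range(2 * N)) and d != list(range(2 * N)),
    }
```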
Another variant of a cryptoscheme with high parallelism level is obtained by replacing the operations used for the round key transformation by G operations. Modification of the operation carried out over the left subgroup is also of great interest. For this operation, it is possible to enforce the nonlinearity property by using the transformation shown in Figure 5.40 instead of larger controlled elements. This transformation consists of splitting the left subgroup L into two subgroups L_1 and L_2 of half size, and the sequential transformation of these subgroups using mutually inverse controlled operations, followed by swapping the subgroups L_1 and L_2. Since the control vector is formed from one of the data subgroups when executing each controlled operation, each of them specifies a nonlinear transformation. Consequently, the resulting transformation as a whole is also nonlinear. In addition, this H_{n/m} transformation is an involution, which can be shown by transforming the output value L' = (L'_1, L'_2):

L'' = H_{n/m}(L'_1, L'_2) = H_{n/m}(H_{n/m}(L_1, L_2)) = H_{n/m}(F^{(V')}_{n'/m'}(L_2), (F^{-1}_{n'/m'})^{(V)}(L_1)) =
= (F^{(V'')}_{n'/m'}((F^{-1}_{n'/m'})^{(V)}(L_1)), (F^{-1}_{n'/m'})^{(V')}(F^{(V')}_{n'/m'}(L_2))) = (L_1, L_2),

because V'' = V. The concatenation of the input and output values of the F_{n'/m'} operation in the course of the transformation of block L is L* = (L'_2, L_2), and when transforming block L' the same concatenation is equal to L** = (L_2, L'_2). Thus, the resulting nonlinear operational block based on two variable operations also forms a binary vector whose components L_2 and L'_2 are transposed in the course of the repeated transformation of the same output value using the same block.

FIGURE 5.40 The structure of the nonlinear controlled operation for the transformation of the left data subgroup (the H_{n/m} operation).

As was shown in Chapter 4, in the economical variant of the switched operation implementation, its functions are carried out by a single-layer block transposing the two halves of the control vector. Thus, using the operational block just designed and using the vector L* = (L'_2, L_2) as the control value for executing the switched operation S^{(e)}_{n/m} in its economical variant, it is possible to avoid using the transposition block of the control vector, because its functions are automatically implemented by the previously considered operational block in relation to vector L*. This allows for further economy of hardware resources when using the switched operation S^{(e)}_{n/m}.

As a result of the analysis provided, it is possible to suggest another variant of the encryption round implementation, shown in Figure 5.41. When developing a specific cipher and aiming at the greatest performance, it is necessary to coordinate the delay times of the operations executed in parallel. This limits the number of active layers that can be used in the F_{n'/m'} and F^{-1}_{n'/m'} operations on the basis of which the H_{n/m} block is formed. This demonstrates that nonlinearity is achieved at the expense of reducing the number of active layers, because both the direct and the inverse operations are carried out sequentially over subgroups L_1 and L_2. Depending on the specific type of the F_{n'/m'} operation, this might reduce the contribution of the operation carried out over subgroup L to the avalanche effect. Consequently, when choosing the transformation operation to be carried out over the left data subgroup, it is necessary to account for the compromise between nonlinearity and avalanche effect.

FIGURE 5.41 Encryption round with nonlinear transformation of the left subgroup and an economical switched operation in the right branch of the cryptoscheme.

5.7.2 The COBRA-H64 Cryptoscheme

The COBRA-H64 block cipher is designed taking into account the results of the linear and differential cryptanalysis of the SPECTR-H64 cipher. The latter turned out to be strong enough against the suggested variants of attacks. However, from the investigation of its strength it follows that by improving the extension block that forms the control vectors used for executing variable permutations, and by using the nonlinear operation G, the number of rounds can be reduced. This allows the encryption speed to be increased in the case of an iterative implementation, or the implementation complexity to be reduced in the case of a pipelined implementation. Another task that had to be solved when designing the COBRA-H64 system was simplification of the key schedule and reduction of the key length.

The General Encryption Scheme

Main features of this cipher are as follows:

The round transformation of the COBRA-H64 cipher uses two second-order controlled permutations blocks, P32/96 and P⁻¹32/96, while SPECTR-H64 uses three first-order controlled permutations blocks: two P32/80 blocks and one P⁻¹32/80 block. This allows for achieving a more uniform distribution of the influence of the control data subgroup on the execution of variable bit permutations over the data subgroup being transformed.

Round transformation of COBRA-H64 uses two identical nonlinear G operations, while SPECTR-H64 uses only one such operation.

Thanks to the previous feature, it is possible to execute a permutation involution over the controlling data subgroup in the COBRA-H64 round transformation. This allowed for abandoning the use of keys when forming control vectors corresponding to mutually inverse controlled permutations blocks.

COBRA-H64 uses a new cryptographic primitive, the switched operation, although in its simplest variant. The use of switched operations allowed for eliminating weak and semi-weak keys.

The general scheme of encryption and decryption in the COBRA-H64 cipher is defined by the following transformations:

Y = T(0)(X, K) and X = T(1)(Y, K),

where X ∈ {0, 1}64 is the plaintext (input block), Y ∈ {0, 1}64 is the ciphertext (output block), K ∈ {0, 1}128 is the secret key, T(e) is the data block transformation function, and e ∈ {0, 1} is the parameter defining the modes of encryption (e = 0) and decryption (e = 1).

The secret key is considered as the concatenation of four subkeys K = (K1, K2, K3, K4), where Ki ∈ {0, 1}32 for all i = 1, 2, 3, 4. The general scheme of encryption represents a 10-round iterative structure with simple initial and final transformations (see Figure 5.42). When executing each j-th round (j = 1, 2, …, 10), the round key Qj(e) is used. This key is formed by direct use of all four subkeys K1, K2, K3, K4 without any special transformation (extension) of the secret key. This means that each Qj(e) key is formed as a sequence of subkeys Ki, used in the order specified by a relatively simple key schedule.

FIGURE 5.42 The general scheme of encryption in COBRA-H64 (r = 10) and COBRA-H128 (r = 12).

The encryption procedure starts with the relatively simple IT transformation. Then 10 rounds of encryption are carried out according to the Crypt(e) procedure, followed by the final transformation FT. Formally, the encrypting transformations are written in the form of the following algorithm.

1. The input block X is split into two 32-bit subgroups of equal size, L and R: X = (L, R).
2. Initial transformation IT is carried out according to the following formulae: L0 = L ⊕ O3 and R0 = R ⊕ O4.
3. For j = 1, 2, …, 9, the following procedure is executed sequentially: { (Lj, Rj) := Crypt(e)(Lj − 1, Rj − 1, Qj(e)); M := Rj; Rj := Lj; Lj := M; }.
4. The last encryption round is executed: (L10, R10) := Crypt(e)(L9, R9, Q10(e)).
5. The final transformation FT is carried out according to the following formulae: L' = Lr ⊕ O1 and R' = Rr ⊕ O2 (here r = 10).

The output block of ciphertext appears as Y = (L', R').



The scheme of the Crypt(e) procedure of the COBRA-H64 block cipher is shown in Figure 5.43.

FIGURE 5.43 The Crypt(e) procedure of the COBRA-H64 block cipher.

Forming the Key Use Schedule

Each round key Qj(e) is made up of four round subkeys depending on the e parameter: A(i) ∈ {0, 1}32, where i = 1, 2, 3, 4. These round keys are written in the form Qj(e) = (A(1), A(2), A(3), A(4))j(e), where j = 1, …, 10. Specification of the round keys of the COBRA-H64 cipher is defined by Table 5.27 and Figure 5.44.

TABLE 5.27 Key Schedule in the COBRA-H64 Cipher



FIGURE 5.44 Implementation scheme of the key transposition when switching from encryption (e = 0) to decryption (e = 1).

Switching between encryption and decryption modes is carried out by simple modification of the parameter e, which controls a single-layer controlled permutation block P(e)128/1 carrying out an appropriate permutation of subkeys K1, K2, K3, K4. The P(e)128/1 block is a cascade of two P(e)64/1 blocks shown in Figure 5.44. At the output of the first P(e)64/1 block the pair of subkeys O1 and O3 is formed, while the pair O2 and O4 appears at the output of the second block. For e = 0 the condition Oi = Ki for all i = 1, 2, 3, 4 is satisfied, and for e = 1 we have O1 = K3, O3 = K1, O2 = K4 and O4 = K2.

Subkeys O1, O2, O3, O4, which depend on bit e, are used in each encryption round according to Table 5.27 in place of the formal subkeys A(1), A(2), A(3), A(4). Encryption universality (the possibility of using the same algorithm for encryption and for decryption) is ensured because the fixed permutation π(0) is replaced by the inverse one when bit e is inverted, π(1) = (π(0))⁻¹, and by the corresponding modification of the K1, K2, K3, K4 subkey schedule. The encryption round is not an involution; however, when bit e is inverted and the subkeys A(1) and A(3), A(2) and A(4) are transposed, the round transformation is inverted:

Crypt(0)_{A(1), A(2), A(3), A(4)} = (Crypt(1)_{A(3), A(4), A(1), A(2)})⁻¹,

where the subscript lists the round subkeys used.

In the course of encryption, round keys Qj(0) = (A(1), A(2), A(3), A(4))j(0) are used, where j = 1, …, 10, and in the case of decryption the keys in use are Qj(1) = (A(1), A(2), A(3), A(4))j(1). For correct encryption, for j = 1, …, 10 the following conditions must be satisfied:

(A(1))j(1) = (A(3))11−j(0), (A(2))j(1) = (A(4))11−j(0),
(A(3))j(1) = (A(1))11−j(0), (A(4))j(1) = (A(2))11−j(0).

Using Figure 5.44 and Table 5.27, it is easy to write the schedule of keys K1, K2, K3, K4 in explicit form for the cases of encryption (Table 5.28) and decryption (Table 5.29). It is easy to see that the conditions given above are satisfied.

TABLE 5.28 Schedule of Subkeys K1, K2, K3, K4 in Case of Encryption (e = 0)

j 1 2 3 4 5 6 7 8 9 10

Aj(1) K1 K4 K3 K2 K1 K1 K2 K3 K4 K1

Aj(2) K2 K1 K4 K3 K4 K4 K3 K4 K1 K2

Aj(3) K3 K2 K1 K4 K3 K3 K4 K1 K2 K3

Aj(4) K4 K3 K2 K1 K2 K2 K1 K2 K3 K4

TABLE 5.29 Schedule of Subkeys K1, K2, K3, K4 in Case of Decryption (e = 1)


j 1 2 3 4 5 6 7 8 9 10

Aj(1) K3 K2 K1 K4 K3 K3 K4 K1 K2 K3

Aj(2) K4 K3 K2 K1 K2 K2 K1 K2 K3 K4

Aj(3) K1 K4 K3 K2 K1 K1 K2 K3 K4 K1

Aj(4) K2 K1 K4 K3 K4 K4 K3 K4 K1 K2
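As an added illustration (this is not the book's code), the following Python models the subkey switching of Figure 5.44 and checks it against Tables 5.28 and 5.29: reading the encryption schedule over the switched subkeys O1..O4 must reproduce the decryption schedule, and so must the inversion conditions stated above. Subkeys are tracked by their index; the sample key values and the function names are this example's own.

```python
# Added example (not code from the book): the COBRA-H64 subkey switching of
# Figure 5.44 and the round-key schedules of Tables 5.28 and 5.29. Subkeys are
# tracked by their index 1..4 (K1..K4); the round function Crypt(e) itself is
# not modelled here, only which subkey lands in which round slot.

ROUNDS = 10

# Table 5.28, encryption (e = 0): row A(i) -> subkey index for rounds j = 1..10.
ENC_SCHEDULE = {
    1: [1, 4, 3, 2, 1, 1, 2, 3, 4, 1],
    2: [2, 1, 4, 3, 4, 4, 3, 4, 1, 2],
    3: [3, 2, 1, 4, 3, 3, 4, 1, 2, 3],
    4: [4, 3, 2, 1, 2, 2, 1, 2, 3, 4],
}

# Table 5.29, decryption (e = 1), as printed in the book.
DEC_SCHEDULE = {
    1: [3, 2, 1, 4, 3, 3, 4, 1, 2, 3],
    2: [4, 3, 2, 1, 2, 2, 1, 2, 3, 4],
    3: [1, 4, 3, 2, 1, 1, 2, 3, 4, 1],
    4: [2, 1, 4, 3, 4, 4, 3, 4, 1, 2],
}


def switch_subkeys(k, e):
    """The P128/1(e) block: map (K1, K2, K3, K4) to (O1, O2, O3, O4).

    For e = 0 the subkeys pass through unchanged; for e = 1 the pairs
    (K1, K3) and (K2, K4) are transposed, i.e. O1 = K3, O2 = K4,
    O3 = K1, O4 = K2 as stated in the text.
    """
    k1, k2, k3, k4 = k
    return (k1, k2, k3, k4) if e == 0 else (k3, k4, k1, k2)


def schedule(e):
    """Round subkeys A(1)..A(4) for j = 1..10 in mode e, as K indices.

    Table 5.27 (not reproduced on the page) lists the slots in terms of
    O1..O4; with e = 0 that is exactly Table 5.28 with K replaced by O, so
    the same table read over the switched O-subkeys must yield Table 5.29
    for e = 1. This is the mechanism the text describes.
    """
    o = switch_subkeys((1, 2, 3, 4), e)          # O_i expressed as a K index
    return {i: [o[idx - 1] for idx in ENC_SCHEDULE[i]] for i in range(1, 5)}


def derive_decryption_schedule(enc):
    """Apply the inversion conditions directly:
    A(1)_j(1) = A(3)_{11-j}(0), A(2)_j(1) = A(4)_{11-j}(0),
    A(3)_j(1) = A(1)_{11-j}(0), A(4)_j(1) = A(2)_{11-j}(0)."""
    partner = {1: 3, 2: 4, 3: 1, 4: 2}
    # the 0-based index of round 11 - j is 10 - j
    return {i: [enc[partner[i]][ROUNDS - j] for j in range(1, ROUNDS + 1)]
            for i in range(1, 5)}


def round_key(e, j, k):
    """Q_j(e) = (A(1), A(2), A(3), A(4))_j(e) as actual subkey values."""
    s = schedule(e)
    return tuple(k[s[i][j - 1] - 1] for i in range(1, 5))


def it_ft_subkeys(e, k):
    """Subkeys used by IT (O3, O4) and FT (O1, O2) in mode e; in decryption
    IT thus uses the pair that FT used in encryption, and vice versa."""
    o1, o2, o3, o4 = switch_subkeys(k, e)
    return {"IT": (o3, o4), "FT": (o1, o2)}


if __name__ == "__main__":
    # constructed sample subkeys (any 32-bit values would do)
    K = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
    assert schedule(0) == ENC_SCHEDULE
    assert schedule(1) == DEC_SCHEDULE
    assert derive_decryption_schedule(ENC_SCHEDULE) == DEC_SCHEDULE
    print("round 1 keys, e=0:", [hex(v) for v in round_key(0, 1, K)])
    print("round 1 keys, e=1:", [hex(v) for v in round_key(1, 1, K)])
```

Both derivations agree with the printed tables, which is the property that lets a single hardware datapath serve both modes: only the P(e)128/1 switch and bit e change between encryption and decryption.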

Variable Permutations
Data-dependent permutations are carried out using the controlled permutations blocks P32/96 and P⁻¹32/96. The current permutation carried out over the right 32-bit data subgroup depends on the 96-bit control vector V ∈ {0, 1}96. Vector V is formed on the basis of the left data subgroup using the extension block E, which is a simple circuit branching. The control vector can be represented as V = (V1, V2, V3, V4, V5, V6), where each component controls one of the six active layers of the controlled permutations blocks. Transformation in block E is carried out according to the following formulae:

V1 = Llo, V2 = Llo>>>6, V3 = Llo>>>12, V4 = Lhi, V5 = Lhi>>>6, V6 = Lhi>>>12,

where Llo = (l1, l2, …, l16) ∈ {0, 1}16, Lhi = (l17, l18, …, l32) ∈ {0, 1}16 and “>>>k” stands for the cyclic shift by k bits (for the bit representation of binary vectors being used, this is the left shift). This rule of forming control vectors corresponds to the criteria of forming control vectors, and the permutation of each input bit in the P32/96 controlled permutation depends on six different bits from L. At the same time, under any conditions none of the bits of the controlling subgroup influences any bit of the data being transformed more than once.

Switched Permutation π(e)

The π(e) operation is a fixed switched permutation. Its use eliminates weak and semi-weak keys. Depending on the value of bit e, this switched operation implements either the direct fixed bit permutation π(0) or the inverse bit permutation π(1). Fixed permutations π(0) and π(1) have the following representation:

π(0)(x1, x2, …, x32) = ((x1, x2, …, x31)>>>5, x32),
π(1)(x1, x2, …, x32) = ((x1, x2, …, x31)>>>26, x32).

Switching between these permutations is carried out using a single-layer controlled permutations block P(e)64/1 according to the scheme shown in Figure 5.45.

FIGURE 5.45 Switched permutation π(e).

Switched permutation π(e) ensures the influence of each input bit of the P32/96 controlled permutations block on each output bit of the P⁻¹32/96 controlled permutations block even when there is no permutation involution I in the left branch; that is, even when the values of the control vectors corresponding to the blocks P32/96 and P⁻¹32/96 of the same round are equal. Thus, the goal of the switched permutation consists of:

Elimination of weak and semi-weak keys
Elimination of the need to use subkeys when forming control vectors.
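The following Python, added here as an example and not taken from the book, builds the control vectors V1..V6 from L the way block E does and implements the switched permutation π(e). It checks two things stated in the text: each bit of L feeds exactly one control bit in each of three layers, and π(1) is the inverse of π(0). The direction chosen for “>>>k” follows the book's remark that it is a left shift in this representation; the function names are the example's own.

```python
# Added example (not code from the book): the extension block E and the
# switched permutation pi(e) of COBRA-H64. Bit vectors are Python tuples read
# left to right, so the book's position p is index p - 1. The direction of
# ">>>k" follows the book's remark that, in this representation, it is a shift
# to the left (toward lower positions); that choice is an assumption of this
# example and does not affect the checks below.


def rot(bits, k):
    """Cyclic shift ">>>k": (l1, ..., ln) -> (l_{k+1}, ..., ln, l1, ..., lk)."""
    k %= len(bits)
    return bits[k:] + bits[:k]


def extension_e(l):
    """V = (V1, ..., V6) formed from the 32-bit left subgroup L."""
    if len(l) != 32:
        raise ValueError("L must be 32 bits")
    lo, hi = l[:16], l[16:]          # Llo = (l1..l16), Lhi = (l17..l32)
    return (lo, rot(lo, 6), rot(lo, 12), hi, rot(hi, 6), rot(hi, 12))


def control_usage():
    """Trace symbolic labels 1..32 through E: for every bit l_p of L, the
    list of active layers (1..6) whose control vector contains it."""
    labels = tuple(range(1, 33))
    usage = {p: [] for p in labels}
    for layer, v in enumerate(extension_e(labels), start=1):
        for p in v:
            usage[p].append(layer)
    return usage


def uses_each_bit_three_times_in_distinct_layers():
    """Each bit of L should feed exactly three control bits, one per layer,
    the low half driving layers 1-3 and the high half layers 4-6."""
    for p, layers in control_usage().items():
        expected = {1, 2, 3} if p <= 16 else {4, 5, 6}
        if len(layers) != 3 or set(layers) != expected:
            return False
    return True


def pi(x, e):
    """Switched permutation: pi(0) rotates x1..x31 by 5 and fixes x32;
    pi(1) rotates by 26 = 31 - 5, hence pi(1) = pi(0)^-1."""
    if len(x) != 32:
        raise ValueError("x must be 32 bits")
    body, last = x[:31], x[31:]
    return rot(body, 5 if e == 0 else 26) + last


def pi_inverts(x):
    """True when pi(1) undoes pi(0) and vice versa for the given vector."""
    return pi(pi(x, 0), 1) == x and pi(pi(x, 1), 0) == x


if __name__ == "__main__":
    labels = tuple(range(1, 33))
    print("V2 =", extension_e(labels)[1])
    print("pi(0) =", pi(labels, 0))
    print("each L bit used once per layer:",
          uses_each_bit_three_times_in_distinct_layers())
```

Tracing symbolic labels instead of data bits is the quickest way to audit a control-vector extension: it shows directly which layer each bit of L reaches, independent of any particular input.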

Fixed Permutation I
Bit permutation I, executed over the left data subgroup, is an involution. It is in-
tended for increasing the avalanche effect propagating the modifications of the bits
of the data subgroup L while simultaneously executing two nonlinear transforma-
tions G(1) and G(2). Permutation I has the following cyclic structure:

I = (1, 17)(2, 21)(3, 25)(4, 29)(5, 18)(6, 22)(7, 26)(8, 30)(9, 19)
(10, 23)(11, 27)(12, 31)(13, 20)(14, 24)(15, 28)(16, 32).

Criteria for building involution I are related to specific structure of the G op-
eration. Assume that the output bits yk and yl of the I operation correspond to
input bits xi and xj. When choosing the permutation involution I the following
principles were used:

For each i and j satisfying |j − i| ≤ 3, it follows that |l − k| ≥ 4.
For each i, the following condition is satisfied: |i − k| ≥ 6.

Applying involution I and inversion of one bit in subgroup L results in the in-
version of several bits (from 2 to 8) at the output of the block R after the output
blocks G(1)(L) and G(2)(I(L)) are summed with the initial block R using the “⊕”
operation.

Nonlinear Operation G
Nonlinear operations G(1) and G(2) have the same structure and are defined
according to the following formula:

GAB(X) = X ⊕ A ⊕ X3X2 ⊕ X2X1 ⊕ X3X1 ⊕ B1X2 ⊕ A1X3 ⊕ BX2X1,

where:

X, A, B ∈ {0, 1}32
AX denotes bit-by-bit modulo-2 multiplication of vectors A and X
For all i = 1, 2, 3, vector Xi is defined as Xi = X→i ⊕ X(0)←(3 − i), where X(0) = (1, 1, 1, 0, …, 0) ∈ {0, 1}32 is a fixed block of initial conditions, and “→k” and “←k” are logical shifts of the vector operand by k positions left or right (the released positions are filled with zeros)
A1 = A→1 ⊕ A(0), where A(0) = (1, 0, …, 0) ∈ {0, 1}32 is a fixed block of initial conditions
B1 = B→1 ⊕ B(0), where B(0) = (1, 0, …, 0) ∈ {0, 1}32 is a fixed block of initial conditions

Operations G(1) and G(2) are intended for increasing the nonlinearity of the Crypt(e) procedure and strengthening the avalanche effect, propagating modifications of the input data bits to the output of the procedure. When considering the influence of one bit of the input vector X of operation G on the bits of its output vector Y = G(X), the following formula, expressing each output bit through the input bits, is useful:

yi = xi ⊕ ai ⊕ xi−3xi−2 ⊕ xi−2xi−1 ⊕ xi−3xi−1 ⊕ bi−1xi−2 ⊕ ai−1xi−3 ⊕ bixi−2xi−1,

where (x−2, x−1, x0) = (1, 1, 1) and a0 = b0 = 1.
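As an added example (not the book's code), the Python below implements G in both forms given above, the vector form GAB(X) and the per-bit formula for yi, and checks that they agree on random inputs; it also counts how many output bits change when one input bit is flipped, which is the quantity behind the “from 2 to 8” statement about the two G operations. The reading of “→k” as a shift toward higher positions and “←k” toward lower ones is the one under which the two formulas coincide, and the helper names are the example's own.

```python
# Added example (not code from the book): the COBRA-H64 nonlinear operation G
# in both forms given in the text, the vector form G_AB(X) and the per-bit
# form for y_i, checked against each other. Bit vectors are tuples read left
# to right, so the book's x_p is index p - 1; "->k" shifts toward higher
# positions and "<-k" toward lower ones (assumed reading; the freed positions
# are zero-filled as the book says).
import random

N = 32
X0 = (1, 1, 1) + (0,) * (N - 3)   # X(0), fixed block of initial conditions
A0 = (1,) + (0,) * (N - 1)        # A(0) = B(0)


def shr(v, k):            # "->k": logical shift toward higher positions
    return (0,) * k + v[:N - k]


def shl(v, k):            # "<-k": logical shift toward lower positions
    return v[k:] + (0,) * k


def xor(*vs):
    return tuple(sum(col) & 1 for col in zip(*vs))


def band(*vs):            # bit-by-bit modulo-2 multiplication
    return tuple(int(all(col)) for col in zip(*vs))


def g_vector(x, a, b):
    """G_AB(X) = X + A + X3X2 + X2X1 + X3X1 + B1X2 + A1X3 + BX2X1 (XOR sums)."""
    xs = {i: xor(shr(x, i), shl(X0, 3 - i)) for i in (1, 2, 3)}   # X_i
    a1 = xor(shr(a, 1), A0)                                       # A_1
    b1 = xor(shr(b, 1), A0)                                       # B_1
    return xor(x, a, band(xs[3], xs[2]), band(xs[2], xs[1]), band(xs[3], xs[1]),
               band(b1, xs[2]), band(a1, xs[3]), band(b, xs[2], xs[1]))


def g_bitwise(x, a, b):
    """y_i = x_i + a_i + x_{i-3}x_{i-2} + x_{i-2}x_{i-1} + x_{i-3}x_{i-1}
         + b_{i-1}x_{i-2} + a_{i-1}x_{i-3} + b_i x_{i-2}x_{i-1},
    with x_{-2} = x_{-1} = x_0 = 1 and a_0 = b_0 = 1."""
    def xv(i): return 1 if i <= 0 else x[i - 1]
    def av(i): return 1 if i <= 0 else a[i - 1]
    def bv(i): return 1 if i <= 0 else b[i - 1]
    y = []
    for i in range(1, N + 1):
        y.append(xv(i) ^ av(i) ^ (xv(i - 3) & xv(i - 2)) ^ (xv(i - 2) & xv(i - 1))
                 ^ (xv(i - 3) & xv(i - 1)) ^ (bv(i - 1) & xv(i - 2))
                 ^ (av(i - 1) & xv(i - 3)) ^ (bv(i) & xv(i - 2) & xv(i - 1)))
    return tuple(y)


def forms_agree(trials=200, seed=1):
    """Compare the two definitions on random (X, A, B) triples."""
    rng = random.Random(seed)
    rnd = lambda: tuple(rng.randrange(2) for _ in range(N))
    return all(g_vector(x, a, b) == g_bitwise(x, a, b)
               for x, a, b in (tuple(rnd() for _ in range(3)) for _ in range(trials)))


def avalanche_weight(x, a, b, p):
    """Number of output bits of G that change when input bit x_p is flipped.
    Since y_i depends only on x_i..x_{i-3}, at most y_p..y_{p+3} can change,
    and y_p always does (linear term x_i): the weight lies in 1..4."""
    x2 = x[:p - 1] + (x[p - 1] ^ 1,) + x[p:]
    return sum(u ^ v for u, v in zip(g_vector(x, a, b), g_vector(x2, a, b)))


if __name__ == "__main__":
    zero = (0,) * N
    print("G_00(0) =", g_vector(zero, zero, zero))
    print("forms agree:", forms_agree())
    print("weights for flipping x_1, x_16, x_32:",
          [avalanche_weight(zero, zero, zero, p) for p in (1, 16, 32)])
```

One G alone spreads a flipped bit to at most four output positions; it is the involution I between G(1) and G(2), together with the XOR into R, that raises the range to 2..8 bits as the text states.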

5.7.3 The COBRA-H128 Block Cipher


The COBRA-H128 block cipher, which has a 128-bit input block, is in many respects similar to the CIKS-128 cryptosystem. The difference between them consists of a minor modification of the operation G, which makes the contribution to the avalanche effect within one encryption round the same for all bits of the left data subgroup. In this section, only a brief description of the COBRA-H128 cipher is provided. A more detailed description of this cipher, and substantiation of the primitives used when designing it, can be found in the publications listed in the References section of this book. Nevertheless, the description provided here is complete enough to understand the differential cryptanalysis of this system that will be provided further in this chapter.
The general encryption scheme of the COBRA-H128 algorithm corresponds to
the scheme presented in Figure 5.42, except that 12 transformation rounds take
place instead of 10. The secret key K is 256 bits in length, and is split into four sub-
keys Ki∈{0, 1}64: K = (K1, K2, K3, K4). Round subkeys Qj(e), where j = 1, 2, …, 12 are
formed as concatenations of secret subkeys without using any special procedures
for transforming the secret key. Initial transformation IT corresponds to formulae
L0 = L ⊕ O3 and R0 = R ⊕ O4, and the final transformation (FT) is carried out ac-
cording to the following formulae: L' = L12 ⊕ O1 and R' = R12 ⊕ O2. The scheme of
the Crypt(e) procedure of the COBRA-H128 algorithm is presented in Figure 5.46.

FIGURE 5.46 The Crypt(e) procedure of the COBRA-H128 block cipher.

Forming the Round Key

Each round key used in the Crypt(e) procedure is made up of four subkeys (A(i))j(e), which depend on parameter e and the round number j = 1, …, 12. They can be written as Qj(e) = (A(1), A(2), A(3), A(4))j(e). Specification of round keys Qj(e) is presented in Tables 5.30 and 5.31.

TABLE 5.30 Schedule of the Round Keys of the COBRA-H128 Cipher in Encryption
Mode (e = 0)

TABLE 5.31 Schedule of the Round Keys of the COBRA-H128 Cipher in Decryption Mode (e = 1)

Controlled Permutations
Variable permutations in COBRA-H128 are implemented using first-order P64/192 and P⁻¹64/192 blocks, shown in Figure 5.47.

FIGURE 5.47 Operational blocks of variable permutations controlled by vector V = (V1, V2, V3, V4, V5, V6): a) P64/192 and b) P⁻¹64/192.

Formation of control vectors V and V' is described by Table 5.32, which demonstrates that (see Figure 5.47) in the case of vector V (V'), the rows corresponding to vectors V1 and V6 (V1' and V6') contain the numbers of bits of vector L (L); the rows corresponding to vectors V2 and V5 (V2' and V5') contain the numbers of bits of vector L(1) (L(3)); and the rows corresponding to vectors V3 and V4 (V3' and V4') contain the numbers of bits of vector L(4) (L(2)).

Fixed Permutations
Permutation I is an involution described by the following formula:

Y = (Y1, Y2, …, Y8) = I(X1, X2, …, X8),

where Xi, Yi ∈{0, 1}8; Y1 = X6>>>4; Y2 = X5>>>4; Y3 = X4>>>4; Y4 = X3>>>4; Y5 = X2>>>4;


Y6 = X1>>>4; Y7 = X8>>>4; and Y8 = X7>>>4.
Permutation Π is intended for strengthening the avalanche effect due to the execution of two identical nonlinear operations G(1) and G(2). It includes four cycles of length 16:

(1, 50, 9, 42, 17, 34, 25, 26, 33, 18, 41, 10, 49, 2, 57, 58)
(3, 32, 11, 56, 51, 16, 27, 40)
(4, 7, 28, 47, 52, 23, 12, 63, 36, 39, 60, 15, 20, 55, 44, 31)
(5, 14, 13, 6, 21, 62, 29, 54, 37, 46, 45, 38, 53, 30, 61, 22).

Permutation π distributes the influence of the bits of the control subgroup L as specified in Table 5.32.

TABLE 5.32 Distribution of the Influence of the Bits of Control Subgroup L in the P64/192 Block

V1: 31 32 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 1 2
V2: 10 24 25 26 29 13 27 16 1 2 31 32 3 4 19 6 7 8 9 23 11 12 28 15 14 30 17 18 5 20 21 22
V3: 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 2 3 4 5 6 7 8 12 10 11 9
V4: 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
V5: 55 56 57 58 59 60 61 62 63 64 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
V6: 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 33 34 35 36 37 38 39 40 41 42 43 44

Switched Transposition Block

Block P(e)128/1 implements the transposition of vectors L and Π(L) when e = 1, which ensures correctness of the decryption.

Nonlinear Operation G

Nonlinear operations G(1) and G(2) have the same structure and are defined according to the following formula:

GAB(X) = X ⊕ A ⊕ BX1 ⊕ X2X5 ⊕ A1X6 ⊕ B1A2 ⊕ X4X3 ⊕ X1X6X4 ⊕ B1X2X6 ⊕ B1X1X2X4,

where:

X, A, B ∈ {0, 1}64
AB denotes bit-by-bit modulo-2 multiplication of vectors A and B
For i = 1, 2, 3, 4, 5, 6, we have Xi = X>>>(64 − i).
For i = 1, 2, we have Ai = A→i ⊕ A(0)←(2 − i), where A(0) = (1, 1, 0, …, 0) ∈ {0, 1}64 is a fixed block of initial conditions, and “→k” and “←k” are logical shifts of the vector by k positions right or left (the released positions are filled with zeros).
B1 = B→1 ⊕ B(0), where B(0) = (1, 0, …, 0) ∈ {0, 1}64 is a fixed block of initial conditions.

In the differential analysis of CIKS-128, which will be described later in this chapter, the following expression is used for computing the i-th output bit:

yi = xi ⊕ ai ⊕ bixi−1 ⊕ xi−2xi−5 ⊕ ai−1xi−6 ⊕ ai−2bi−1 ⊕ xi−3xi−4 ⊕ xi−1xi−4xi−6 ⊕ bi−1xi−2xi−6 ⊕ bi−1xi−1xi−2xi−4,

where (x−5, x−4, x−3, x−2, x−1, x0) = (x59, x60, x61, x62, x63, x64) and a0 = a−1 = b0 = 1.
Investigation of statistical properties of the COBRA-H128 cipher was carried
out according to the standard tests earlier used for evaluation of the influence of the
bits of the source text of the AES contest finalists and bits of the key on the cipher-
text in such ciphers as SPECTR-H64 and SPECTR-128. The obtained results have
shown that COBRA-H128 has statistical properties similar to AES candidates,
SPECTR-H64, and SPECTR-128. Experimental results are provided in Tables 5.33
and 5.34, where the “*” sign denotes the “1 key and 40,000 texts” experiment, the
“**” sign stands for the “200 keys and 200 texts” experiment, and the “+” sign
corresponds to the “4,000 keys and one text” case. From the results of experiments it is
clearly seen that after six rounds of the COBRA–H128 algorithm, statistical criteria
are satisfied completely both for the influence of the bits of the source text, and for
the influence of the key bits. Investigation of statistical properties of the influence
of the key bits for this cipher is of high importance, because this cipher uses very
simple key schedule.

5.7.4 Block Ciphers based on Controlled Substitution-Permutation Networks


In this section, the variants of algorithms for encrypting 128-bit data blocks will be
covered. The general structure of these algorithms is a combination of the classes of
balanced Feistel networks and substitution-permutation networks (Figure 5.48).

TABLE 5.33 The Influence of the Source Text Bits

TABLE 5.34 The Influence of the Key Bits



FIGURE 5.48 The general scheme of the encryption algorithm.

The encryption is carried out on the basis of sequential transformation of two 64-bit subblocks A and B:

1. Assign i := 1 and carry out the initial transformation: A := A ⊕ Z4, B := B ⊕ Z3.
2. Execute the round transformation and, if i < R, transpose A and B sub-
blocks.
3. Assign i := i + 1 and, if i ≤ R, go to step 2.
4. Execute the final transformation: A := A ⊕ Z2, B := B ⊕ Z1.

The basis of these algorithms is formed by the blocks of controlled substitution-permutation networks F64/192 and F⁻¹64/192, where the blocks shown in Table 5.35 are used as elementary F2/1 blocks. In particular, in the course of the strength analysis, F2/1 blocks are used that are synthesized on the basis of boolean functions of the following form: f1 = x2x3 ⊕ x1, f2 = x1x3 ⊕ x1 ⊕ x2 (the first row in Table 5.35).
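As an added example (not the book's code), the following Python encodes the eight pairs of Table 5.35 and checks the property that the existence of the inverse block F⁻¹64/192 requires of every elementary element: for each value of the control bit x3, the map (x1, x2) → (f1, f2) must be a bijection. It also builds the inverse map, which is what F⁻¹ applies, and confirms that the two data maps selected by x3 differ. Treating x3 as the control input follows the table's notation; the function names are the example's own.

```python
# Added example (not code from the book): the eight (f1, f2) pairs of
# Table 5.35 treated as elementary F2/1 blocks. A controlled SPN built from
# them has an inverse block F^-1 64/192, so for every value of the control
# bit x3 the data map (x1, x2) -> (f1, f2) must be a bijection; the code
# below checks that, builds the inverse map, and confirms that the two maps
# selected by x3 actually differ (otherwise the element would not be
# "controlled"). Reading x3 as the control input is an assumption that
# follows the table's notation.
from itertools import product

# (f1, f2) per row of Table 5.35; "^" is XOR and "&" is AND.
F21_TABLE = [
    (lambda x1, x2, x3: (x2 & x3) ^ x1,
     lambda x1, x2, x3: (x1 & x3) ^ x1 ^ x2),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x2,
     lambda x1, x2, x3: (x1 & x3) ^ x2),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x3,
     lambda x1, x2, x3: (x1 & x3) ^ x1 ^ x2),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x2 ^ x3 ^ 1,
     lambda x1, x2, x3: (x1 & x3) ^ x2),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x2,
     lambda x1, x2, x3: (x1 & x3) ^ x2 ^ x3),
    (lambda x1, x2, x3: (x2 & x3) ^ x1,
     lambda x1, x2, x3: (x1 & x3) ^ x1 ^ x2 ^ x3 ^ 1),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x3,
     lambda x1, x2, x3: (x1 & x3) ^ x1 ^ x2 ^ x3 ^ 1),
    (lambda x1, x2, x3: (x2 & x3) ^ x1 ^ x2 ^ x3 ^ 1,
     lambda x1, x2, x3: (x1 & x3) ^ x2 ^ x3),
]


def f21(row, x1, x2, x3):
    """Output (y1, y2) of the elementary block from the given table row."""
    f1, f2 = F21_TABLE[row]
    return f1(x1, x2, x3), f2(x1, x2, x3)


def data_map(row, x3):
    """The 2-bit map (x1, x2) -> (y1, y2) selected by control bit x3."""
    return {(x1, x2): f21(row, x1, x2, x3) for x1, x2 in product((0, 1), repeat=2)}


def is_bijective(row, x3):
    return len(set(data_map(row, x3).values())) == 4


def inverse_map(row, x3):
    """Map (y1, y2) -> (x1, x2) for the same control bit: what F^-1 applies."""
    if not is_bijective(row, x3):
        raise ValueError("row %d is not invertible for x3=%d" % (row, x3))
    return {y: x for x, y in data_map(row, x3).items()}


def f21_inverse(row, y1, y2, x3):
    return inverse_map(row, x3)[(y1, y2)]


def all_rows_invertible():
    return all(is_bijective(r, c) for r in range(len(F21_TABLE)) for c in (0, 1))


def all_rows_controlled():
    """x3 = 0 and x3 = 1 must select different data maps."""
    return all(data_map(r, 0) != data_map(r, 1) for r in range(len(F21_TABLE)))


def round_trips(row):
    """f21 followed by f21_inverse returns the input for every (x1, x2, x3)."""
    return all(f21_inverse(row, *f21(row, x1, x2, x3), x3) == (x1, x2)
               for x1, x2, x3 in product((0, 1), repeat=3))


if __name__ == "__main__":
    print("all rows invertible:", all_rows_invertible())
    print("all rows controlled:", all_rows_controlled())
    print("row 1, x3 = 1:", data_map(0, 1))
```

Note that for a fixed control bit each of these maps is affine; the nonlinearity of the element comes entirely from the data bit that acts as control, which is the point of building the network from data-controlled elements.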

5.7.5 Analysis of Cryptographic Strength and Statistical Testing of Ciphers Built on the Basis of Controlled and Switched Operations
Evaluation of the efficiency of the use of any cryptographic primitives is necessary when determining the achieved level of performance or complexity of the hardware implementation, and for evaluation of the cryptographic strength. At the same time, cryptanalysis is the most resource- and labor-intensive stage of developing new cryptographic algorithms and bringing them into operation.

TABLE 5.35 Pairs of Boolean Functions Used as Elementary F2/1 Blocks for Building Algorithms Intended for Encrypting 128-bit Data Blocks

f1(x1, x2, x3)                 f2(x1, x2, x3)
x2x3 ⊕ x1                      x1x3 ⊕ x1 ⊕ x2
x2x3 ⊕ x1 ⊕ x2                 x1x3 ⊕ x2
x2x3 ⊕ x1 ⊕ x3                 x1x3 ⊕ x1 ⊕ x2
x2x3 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ 1        x1x3 ⊕ x2
x2x3 ⊕ x1 ⊕ x2                 x1x3 ⊕ x2 ⊕ x3
x2x3 ⊕ x1                      x1x3 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ 1
x2x3 ⊕ x1 ⊕ x3                 x1x3 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ 1
x2x3 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ 1        x1x3 ⊕ x2 ⊕ x3
One of the main methods of the cryptanalysis of the block iterative encryption
algorithms is the differential method. It is based on the nonuniformity of the
distribution of the output differences and consists of searching for some specially
chosen metric, for which the probability of the output difference is the highest.
The differential method is applicable for cryptanalysis of Markovian cryptoal-
gorithms. Cryptographic algorithms are called Markovian if the round encryption
equation satisfies the following condition: the probability of the occurrence of the
difference does not depend on the choice of plaintext messages. In this case, the
sequence of differences on each round makes up a Markovian chain, in which the
next state depends only on the previous one. The probabilistic characteristics of
the encryption algorithm form the basis of this method.
Let some pair (X, X') of plaintexts correspond to the input difference ΔX = X − X' = X ⊕ X' and generate the following sequence of output differences in the course of sequential execution of the transformation Y = Fkr(Fkr−1(…Fk1(X)…)):

ΔY(1) = Y(1) ⊕ Y'(1), ΔY(2) = Y(2) ⊕ Y'(2), …, ΔY(r) = Y(r) ⊕ Y'(r),

where Y(i), Y'(i) are the results of execution of i transformation rounds over X and
X', respectively. For the sequence of s differences, consider the probability of the
s-round characteristic

Pr{ΔY(1) = β (1), …, ΔY(s) = β (s) | ΔX = α},



1 ≤ s ≤ r, assuming that X, X' are random elements uniformly distributed over the entire set of plaintexts, and k1, k2, …, kr are random round keys uniformly distributed over the entire set of keys. For Markovian encryption algorithms, the probability of the s-round differential is determined by the following equality:

Pr{ΔY(s) = β(s) | ΔX = α} = Σβ(1) Σβ(2) … Σβ(s−1) Πi=1..s Pr{ΔY(i) = β(i) | ΔY(i − 1) = β(i − 1)},

where the sums run over all intermediate differences β(1), …, β(s − 1) and ΔY(0) = ΔX = α.

The goal of the attack is reconstruction of the round key kr. Before doing this, it is necessary to discover an (r − 1)-round characteristic (α, β(r − 1)) with the maximum probability p. Then, carrying out N experiments, the cryptanalyst generates random plaintexts Xj, computes Xj' = Xj ⊕ α and determines Yj, Yj', where j = 1, …, N. The estimate k̂ of the unknown round key kr is chosen to be equal to the following value:

k̂ = arg max over k ∈ K of Σj=1..N I{Fk⁻¹(Yj) ⊕ Fk⁻¹(Yj') = β(r − 1)},

where I{•} is the indicator of a random event: I{Θ} = 1 if event Θ takes place; otherwise, I{Θ} = 0. The preceding operations are repeated the required number of times, until the actual round key is discovered as the most probable one.

The computational complexity of the attack using differential analysis is no less than Wmin ≥ 1/p operations of the Y = Fkr(Fkr−1(…Fk1(X)…)) transformation.

Analysis of the Cryptographic Strength of the DDP-64 Cipher Against Differential and Linear Cryptanalysis
The DDP-64 cipher is an example of block cipher based only on data-dependent
permutations (that is, data-dependent permutations are the only nonlinear cryp-
tographic primitive used). Variable permutations are used for solving the following
problems:

Transformation of the right data subblock using the P32/96 and P⁻¹32/96 operational blocks, ensuring the possibility of inverse transformation
Execution of nonlinear transformation using F blocks, which does not allow for unambiguous inverse transformation
Transposition of the corresponding pairs of subkeys when switching from encryption to decryption
Implementation of a switched permutation Π(e')

Similarly to SPECTR-H64, the DDP-64 cryptoscheme is characterized by high performance in the case of frequent change of keys, because it does not use key precomputations. Another common feature is that for variable permutations carried out by the operational blocks F, P32/96 and P⁻¹32/96, it is possible to easily compute differential characteristics corresponding to differences with a small number of active bits; moreover, such characteristics have the highest probabilities. In comparison to SPECTR-H64, DDP-64 has the following specific features:

DDP-64 uses the entire secret key in each round.
DDP-64 uses two F-boxes carried out simultaneously with the P32/96 operation. Each of the two F-boxes represents a controlled permutations block of a special type.
Round transformation includes special permutation involutions carried out
over the left and over the right data subgroups.
The avalanche effect propagates because the bits being changed are used as
control bits. When transforming binary vectors containing modified bits, the
number of modified bits remains unchanged; this means there is no avalanche
effect. (A certain exception takes place in case of an F-block, where 8 input bits
are used as an internal control vector earlier designated as W6).

When considering the strength of the DDP-64 cipher against differential cryptanalysis, a result typical for ciphers based on data-dependent permutations was obtained: the differential characteristics whose differences have the smallest weight have the highest probabilities. Let us use the following notation. Let ΔWh be the difference containing h active (that is, nonzero) bits and corresponding to vector W. Let Δh|i1,…,in be the difference with active bits in positions i1, …, in. In contrast to the previous designation, the second one fixes the positions to which the active bits belong. In the first case, the sets of differences with a specified number of active bits are considered (in individual variants of the differences ΔWh, the active bits belong to different positions in the general case). Let p(Δ → Δ'/P) be the probability of the case when the input difference Δ, having passed through operation P, is transformed into the output difference Δ'.
The avalanche effect corresponding to operations P32/96 and P⁻¹32/96 is due to the use of the data subgroup L for specifying the values V and V'. Each bit of the left data subgroup influences three bits of each of these control vectors. Each control bit influences two bits of the right data subgroup. Thus, thanks to the controlled permutations carried out over the right data subgroup R using the P32/96 and P⁻¹32/96 blocks, one bit of L influences approximately 12 bits of R. When a certain difference with one active bit Δ'' = Δ1|i passes through the left branch of the cryptoscheme, it influences three elementary switching elements that transpose six different bits of the right data subgroup. For example, if the input difference of the P32/96 controlled permutations block does not contain active bits (this is the case of zero difference), then the difference ΔL1|i can cause the following events, depending on the right data subgroup:

Active bits in controlled permutation block are not formed (that is, the output
difference Δ'0 is formed) with the probability equal to 2–3.
The output difference Δ'2 is formed at the output of the controlled permuta-
tions block with the probability of 3⋅2–3.
The output difference Δ'4 is formed with the probability of 3⋅2–3.
The output difference Δ'6 is formed with the probability of 2–3.
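Where the four probabilities above come from, as an added example (not the book's code): an elementary P2/1 switch transposes its two inputs when its control bit is 1, so flipping the control bit changes the output pair exactly when the two data inputs differ. With one bit of L driving three such switches and independent, uniformly distributed data bits (the averaging assumption), the number of active output bits is 0, 2, 4 or 6 with the binomial probabilities listed. The Python enumerates all data inputs to obtain the distribution exactly, and for six switches (P32/96 and P⁻¹32/96 together) gives the 2–3 ⋅ 2–3 = 2–6 that appears later as the product p3 ⋅ p4. The switch topology and names are this example's own.

```python
# Added example (not code from the book): where the probabilities 2^-3,
# 3*2^-3, 3*2^-3, 2^-3 for one active control bit come from. Model: an
# elementary P2/1 switch swaps its two inputs when its control bit is 1; one
# bit of the left subgroup L controls three such elements of P32/96 (one per
# layer, as the text states), and the data bits entering them are assumed
# independent and uniform, which is the averaging assumption behind the
# probabilities. Flipping the control bit changes the element's output pair
# exactly when its two inputs differ.
from fractions import Fraction
from itertools import product


def p21(a, b, c):
    """Elementary controlled permutation: (a, b) -> (b, a) when c = 1."""
    return (b, a) if c else (a, b)


def output_difference(pairs, controls):
    """Output difference of the elements when every control bit is flipped and
    the data difference is zero; pairs[i] and controls[i] belong to element i."""
    diff = []
    for (a, b), c in zip(pairs, controls):
        y, y_flipped = p21(a, b, c), p21(a, b, c ^ 1)
        diff.extend((y[0] ^ y_flipped[0], y[1] ^ y_flipped[1]))
    return tuple(diff)


def weight_distribution(n_elements=3):
    """Exact distribution of the number of active output bits produced by one
    active control bit feeding n_elements switches, over all data inputs."""
    counts = {}
    for bits in product((0, 1), repeat=2 * n_elements):
        pairs = [(bits[2 * i], bits[2 * i + 1]) for i in range(n_elements)]
        w = sum(output_difference(pairs, [0] * n_elements))
        counts[w] = counts.get(w, 0) + 1
    total = 2 ** (2 * n_elements)
    return {w: Fraction(c, total) for w, c in sorted(counts.items())}


def zero_difference_probability(n_elements):
    """Probability that the active control bit produces no active data bit."""
    return weight_distribution(n_elements)[0]


if __name__ == "__main__":
    for w, p in weight_distribution(3).items():
        print("P32/96, weight %d: %s" % (w, p))
    print("both blocks, zero difference:", zero_difference_probability(6))
```

The same enumeration with the data difference nonzero (the Δq → Δ'g cases of Table 5.36) requires the block's exact wiring, which the page does not give, so only the zero-data-difference case is modelled here.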

Average probabilities p(Δq → Δ'g /P32/96) corresponding to input and output differences of block P32/96 with several active bits (q = 0, 1, 2 and g = q + a, where a = −2, 0, 2, 4), with the difference passing through the left branch of the encryption round, are given in Table 5.36. Probabilities p(Δq|i1,…,iq → Δ'g) are computed assuming that the values of the numbers i1, …, iq corresponding to the positions of the active bits are equiprobable. Such averaging is necessary because the positions of the active bits considered in Table 5.36 are not fixed. It can be easily shown that for an arbitrary input difference Δq and its corresponding output difference Δ'g the sum q + g is always even.

TABLE 5.36 Probability Values of Certain Characteristics of the P32/96 Controlled Permutations Block

The contribution of the F operation to the avalanche effect is determined mainly by the use of the left subgroup for specifying the control vectors W and W'. An additional contribution is introduced by the dependence of the output vector W6, formed by the “Ext” extension block (see Figure 3.6 in Chapter 3), on L. Consider vector L = (Ll, Lh) before the “<<<16” operation. Each bit li from Ll, where 1 ≤ i ≤ 16, influences three elementary P2/1 blocks of the P32/48 block in the bottom F block, and two P2/1 blocks of the P⁻¹32/48 block in the top F block (after execution of the “<<<16” operation, bit li moves to the most significant half of the bits of block L). In addition, with probability 2–2 (this is the probability that li is moved to one of the positions corresponding to vector H5), bit li influences two P2/1 blocks belonging to the first active layer of the P⁻¹32/48 controlled permutation block in the top F block, and with the same probability li influences two similar P2/1 blocks in the bottom F block. All bits of Lh have the same properties, because after the “<<<16” operation the components of the input vector Ll and vector Lh exchange positions, and the transformations in the top and bottom F blocks are symmetric.
Consider the mechanism that forms the iterative two-round characteristic
function with the difference (ΔL1, ΔR0). The difference with one active bit ΔL1, pass-
ing through the left branch of the cryptoscheme, can generate zero difference at the
output of both F blocks. This might happen in two most probable cases described
here. Case 1 corresponds to implementation of all elementary events listed here:

In both F blocks, the active bit is moved into one of the eight bits of vector
H5 at the output of permutation Π' (the probability of this event is
p1 = 2–2 ⋅ 2–2 = 2–4).
In both F blocks, the active bit does not generate any pairs of active bits in the P32/48 and P⁻¹32/48 operational blocks (the probability of this event is p2 = 2–2 ⋅ 2–3 ⋅ (2–2)2 = 2–9).
In the P32/96 block, the active bit of the left data subgroup doesn’t generate any
additional active bits in the right data subgroup (the probability of this event is
p3 = 2–3).
In the P–132/96 block, the active bit doesn’t generate active bits (the probability
of this event is p4 = 2–3).

In Case 2, we have the following events:

In both F blocks, the active bit is moved at the output of the permutation Π'
into one of the 32 bits of vector (H1, H2, H3, H4) (the probability of this event
is p'1 = (1 − 2–2)2 ≈ 1.12⋅2–1).
In both F blocks, the active bit of the left branch does not result in generation of pairs of active bits in blocks P32/48 and P⁻¹32/48 (the probability of this event is p'2 = 2–2 ⋅ 2–3 = 2–5).
In block P32/96, the active bit of the left data subgroup does not generate additional active bits in the right subgroup (the probability of this event is p'3 = 2–3).
In block P⁻¹32/96, the active bit of the left data subgroup does not generate active bits (the probability of this event is p'4 = 2–3).
At the output of the top and bottom F blocks, the differences Δ'1|i and Δ'1|j, respectively, are generated, where i = I2(j) (the probability of this event is p'5 = 2–5).

Designate the probabilities of Cases 1 and 2 as $P'$ and $P''$, respectively. By considering the probabilities of the elementary events, it is easy to obtain the following result:

$$P' = p_1 p_2 p_3 p_4 = 2^{-4} \cdot 2^{-9} \cdot 2^{-3} \cdot 2^{-3} = 2^{-19},$$

$$P'' = p'_1 p'_2 p'_3 p'_4 p'_5 \approx 1.12 \cdot 2^{-1} \cdot 2^{-5} \cdot 2^{-3} \cdot 2^{-3} \cdot 2^{-5} = 1.12 \cdot 2^{-17}.$$

There are several other possible mechanisms for obtaining a zero difference at the output of the right branch of the cryptoscheme; however, their contribution to the probability of the iterative two-round characteristic is considerably smaller than that of Cases 1 and 2, so this contribution can be neglected. Thus, the most significant cases produce the probability $P = P' + P'' = 1.37 \cdot 2^{-17}$. The difference $(\Delta^L_1, \Delta^R_0)$ passes one round with this probability. After transposition of the data subgroups at the input of the second round, we have the difference $(\Delta^L_0, \Delta^R_1)$, which passes the second round with probability 1 and, after transposition of the data subgroups, produces the initial difference $(\Delta^L_1, \Delta^R_0)$. As a result, the two-round characteristic has the following probability:

$$P^{(2)} \approx P = 1.37 \cdot 2^{-17}.$$

Characteristics with differences $(\Delta^L_0, \Delta^R_1)$ and $(\Delta^L_1, \Delta^R_0)$ appear to be the best. Consideration of other differential characteristics, with different numbers of active bits in the corresponding differences, shows that adding active bits considerably reduces the probability of a characteristic. The difference $(\Delta^L_1, \Delta^R_0)$ passes eight or ten rounds of the DDP-64 cipher with the following probabilities:

$$P^{(8)} = \left(P^{(2)}\right)^4 \approx 1.76 \cdot 2^{-67}, \qquad P^{(10)} = \left(P^{(2)}\right)^5 \approx 1.2 \cdot 2^{-83}.$$

For a random cipher, we have

$$P\big((\Delta^L_1, \Delta^R_0) \to (\Delta^L_1, \Delta^R_0)'\big) = 2^{-64} \cdot 2^{5} = 2^{-59} > P^{(8)} > P^{(10)}.$$

Thus, the DDP-64 cipher with eight or ten rounds is indistinguishable from a random cipher in a differential attack using the most efficient iterative characteristics.

The use of linear cryptanalysis for distinguishing the DDP-64 cipher from a random one is less efficient than a differential attack. Investigations have shown that linear characteristics with a small number of active bits have the greatest offset, and the maximum offset is typical for linear characteristics with two active bits, which are built taking into account the events in which bits of the data being transformed are replaced by bits of the constant $C = (10101010)$. Let $A = (A^L, A^R)$ and $B = (B^L, B^R)$ be the input and output masks, respectively. The superscripts $L$ and $R$ designate the left and right parts of the mask, respectively. Because of the idea implemented when designing the DDP-64 cipher, linear characteristics with masks $A = B = (111\ldots1)$ have a very low offset, because the F-blocks implement a transformation with high nonlinearity. Using the formulae for computing linear characteristics provided in "Cryptography: Fast Ciphers" by A. A. Moldovyan, N. A. Moldovyan, N. D. Goots, and B. V. Izotov, it is easy to compute that the offset of a linear characteristic with the number of active bits $z \le 31$ has the value $b \le 2^{-6}$ for each of the blocks $P_{32/96}$, $P^{-1}_{32/96}$, and F. The maximum value $b = 2^{-6}$ corresponds to the case $z = 1$. Computation of the linear characteristics of controlled permutation blocks can conveniently be carried out by considering the "physical" movement of data through the permutation network. Because the DDP-64 cipher is built mainly from permutation operations, this approach can also be applied to its analysis. Let us introduce subscript indices in the designation of masks which, by analogy with the designation of differential characteristics, specify the number of active (nonzero) bits and the positions to which the active bits belong. For example, $A_2$ and $A_{2|5,7}$ designate an arbitrary mask with two active bits, and the mask with two active bits located in the fifth and seventh positions counted from left to right, respectively.
Consider a single-round linear characteristic with masks $A = (A^L_{1|i}, A^R_{1|j})$ and $B = (B^L_{1|i'}, B^R_{1|g})$, where the value $i'$ is determined by the value $i$ ($i'$ is the number of the position into which the $i$-th bit of the left subgroup is moved at the input of the first round). The offset of this linear characteristic is determined by the probability of the event in which the active bit of the left subgroup is used twice together with the active bit of the right subgroup when carrying out the XOR operation. For this to occur, this bit must be moved by the top F-block into the same position into which the active bit of the right data subgroup falls at the output of the $P_{32/96}$ operation (the probability of this event is $p_1 = 2^{-5}$). The active bit of the left subgroup must also be moved by the bottom F-block into the position into which the active bit of the right subgroup falls at the output of the operation I (the probability of this event is $p_2 \approx 0.75 \cdot 2^{-5}$). After that, the active bit in the right branch must fall into position $g$ at the output of the $P^{-1}_{32/96}$ block (the probability of this elementary event is $p_3 = 2^{-5}$). Thus, two bits separated at the input of the first round fall into the known positions at the output with the probability

$P^{(1)} = p_1 p_2 p_3 \approx 0.75 \cdot 2^{-15}$. Knowing this probability, it is easy to compute the offset $b^{(1)}$ of the single-round characteristic $((A^L_{1|i}, A^R_{1|j}); (B^L_{1|i'}, B^R_{1|g}); b^{(1)})$:

$$b^{(1)} = \left|0.5\,(1 - P^{(1)}) + P^{(1)} - 0.5\right| = 0.5\,P^{(1)} = 0.75 \cdot 2^{-16}.$$

For an $r$-round characteristic $((A^L_{1|i}, A^R_{1|j}); (B^L_{1|i'}, B^R_{1|g}); b^{(r)})$, proceeding in a similar way, it is possible to obtain the following evaluation:

$$b^{(r)} = 0.5\,P^{(r)} < 2^{-15r-1}.$$

From the obtained evaluations, it follows that three encryption rounds of the DDP-64 cipher are enough to prevent linear cryptanalysis.
It is necessary to mention that the value of the constant $C = (10101010)$ is chosen so that its weight $\varphi(C)$ is equal to 4. This value was chosen because for any other weight, another mechanism of forming the linear characteristic $((A^L_0, A^R_{1|j}); (B^L_0, B^R_{1|g}); b^{(2)})$ takes the prevailing role. This mechanism is due to the different probabilities of the active bit passing from the left branch of the round transformation into the right branch being replaced by a zero or by a one value. This mechanism determines the following value of the offset of the aforementioned two-round linear characteristic:

$$b^{(2)} = 2^{-2r-6}\left(\frac{|\varphi(C)-4|}{4}\right)^{r/2} = 2^{-3r-6}\,|\varphi(C)-4|^{r/2}.$$

From this formula, it can be clearly seen that for $\varphi(C) \neq 4$ linear cryptanalysis becomes considerably more efficient. Thanks to the aforementioned choice of the weight $\varphi(C)$, it is possible to ensure the high strength of the DDP-64 cipher against linear cryptanalysis.
Now it is time to consider several other types of attacks. Algebraic attacks on the DDP-64 algorithm are impossible because of the high degree of the algebraic normal form. The complexity of the Boolean functions (containing more than 100,000 terms) describing the round transformation of the DDP-64 algorithm further complicates such attacks. Despite a very simple key schedule, DDP-64 is strong against slide attacks, which target ciphers that do not use key precomputation procedures. This is achieved because the cipher under consideration uses the following:

An aperiodic subkey schedule
A round transformation that is not an involution and contains a switched operation with an aperiodic schedule of modes

In particular, the latter factor prevents slide attacks in the case when all subkeys have the same values. Despite the simplicity of the key schedule, the "symmetric" keys $K' = (X, Y, Y, X)$ and $K'' = (X, X, X, X)$ are neither weak nor semi-weak, because decryption requires the appropriate switching of the $\Pi^{(e')}$ operation. For example, by considering the round transformation, it is easy to notice that $T^{(e=0)}(C, K') \neq M$, where $C = T^{(e=0)}(M, K'')$. Finding semi-weak pairs of keys for DDP-64 is difficult, if at all possible.
The latter notes allow the following important conclusion to be drawn: the permutations dependent on $e$ play an important role in DDP-64, which does not include a key precomputation procedure. For comparison, note that for the SPECTR-H64 cipher, which has no switched operations, for every value $X$ the 256-bit key $K = (X, X, X, X, X, X, X, X)$ is weak. In addition, using such a key creates prerequisites for the successful implementation of slide attacks.

Evaluation of DDP-64 Hardware Implementation


The interest in evaluating different variants of hardware implementation of the DDP-64 cipher is due to the fact that this cipher in its "pure" form demonstrates the high efficiency of variable permutations as a cryptographic primitive. Consequently, the hardware resources used for implementation, and the efficiency parameters, depend only on the implementation of variable permutations. On the example of this cipher, it is possible to obtain typical evaluations of hardware implementations. The time delay corresponding to one active layer of a multilayer controlled permutation block is approximately equal to $\tau$, where $\tau$ is the delay time of the XOR ($\oplus$) operation. The delay time $T$ of the $P_{n/m}$ block can be evaluated as $T \approx 2m\tau/n$. The critical paths of combinational schemes implementing different cipher elements are hard to evaluate in terms of $\tau$, because in this case there is no binding to a specific microelectronic technology. In the chosen units, the critical path of one round of DDP-64 is equal to $16\tau$. The critical path of the 10-round DDP-64 cipher makes $162\tau$ (two units are related to the execution of the initial and final transformations).
The complexity of the hardware implementation of the $P_{n/m}$ block is $6m$ AND-NOT gates. Implementation of 10 DDP-64 rounds requires fewer than 30,000 AND-NOT gates. To this, it is necessary to add a certain number of gates corresponding to the 160-bit key register and two 64-bit registers for input and output data, which makes approximately 4500 gates. According to these evaluations, the total complexity of implementing 10 (8) rounds of DDP-64, including the overhead for the registers storing keys and data, is less than 35,000 (29,000) AND-NOT gates when using the implementation variant consisting of a combinational scheme including the full number of encryption rounds. Table 5.37 presents a comparative evaluation of the complexity of circuit implementation for different ciphers (numbers marked by the * sign relate to the results provided in "Hardware Evaluation of the AES Finalists" by T. Kasuya, T. Ichikawa, and M. Matsui). A convenient way to express cipher performance is to present it as the number of bits transformed during the time $\tau$.

TABLE 5.37 Comparative Evaluation of the DDP-64 Hardware Implementation

From the data provided in Table 5.37, it can be clearly seen that the fastest implementation corresponds to the 128-bit Rijndael cipher (the performance is approximately $f \approx 1.35$ bit/$\tau$), which is achieved at a relatively high implementation cost. The cheapest implementation corresponds to DDP-64 (453 to 547 gates/bit). The DDP-64 cipher has the performance $f \approx 0.42$ to $0.52$ bit/$\tau$, which exceeds the performance values of most widely used cryptoschemes, such as RC6 ($f \approx 0.15$ bit/$\tau$), Triple-DES ($f \approx 0.29$ bit/$\tau$), and Twofish ($f \approx 0.27$ bit/$\tau$). It is remarkable that the implementation of DDP-64 requires considerably fewer circuit resources in comparison to DES. These results show that the DDP-64 cryptoscheme is well suited for building into smart chips and microcontrollers of different types. Thanks to the low cost of circuit implementation, the efficiency of the cryptographic primitive, and the general importance of various bit permutation operations, the controlled permutation operation is a good candidate for implementation as a new fast instruction in the standard instruction set of general-purpose processors.
To obtain more general patterns of the parameters of hardware implementations of different ciphers, special research was conducted on designing encryption devices on the basis of various algorithms based on data-dependent permutations. The following two variants of implementation were chosen:

Using programmable logic arrays of the FPGA type from Xilinx Virtex
Using custom chips designed and implemented using the 0.33-µm technology

This research was carried out in cooperation with Patras University (Greece). The implementation parameters of DDP-64, CIKS-1, and SPECTR-H64 were studied. Implementation was carried out for the following two architectures:

Circuit implementation of one round and its use for carrying out all encryption rounds with changing round keys (iterative architecture, IA).
Pipelined implementation with the number of stages equal to the number of encryption rounds, implementing the full number of encryption rounds at the circuit level (pipelined architecture, PA).

The pipelined architecture ensures considerably higher performance; however, it also requires more hardware resources. The iterative architecture ensures the minimum cost of implementation; however, the performance drop is significant. Nevertheless, IA has one significant advantage: the possibility of using block ciphers in the cipher block chaining mode while preserving the same level of performance as in the electronic code book mode (independent encryption of data blocks).
Implementation results are outlined in Table 5.38. Comparison with similar implementations of other ciphers (Table 5.39) shows that DDP-64, COBRA-H64, and SPECTR-H64 ensure higher speed with smaller hardware expenses in comparison to the AES and IDEA cryptosystems. Their implementation cost slightly exceeds the implementation cost of the DES algorithm; however, they raise the encryption speed several times over.

TABLE 5.38 Parameters of Hardware Implementation of DDP-64, COBRA-H64, and SPECTR-H64 Ciphers Using Programmable and Custom VLSI Circuits

*Configurable Logic Blocks (CLB) are standard logical elements of this type of VLSI circuit.
**The area of the used surface of the semiconductor chip is specified in sqmil units; 1 sqmil = $7.45 \cdot 10^{-4}$ mm².

TABLE 5.39 Comparison of the Results of Hardware Implementation of Different Ciphers Using Programmable VLSI Circuits

The DDP-64 and COBRA-H64 ciphers are characterized by smaller hardware expenses in comparison to the SPECTR-H64 cryptosystem for all variants of implementation, which is ensured by individual features of the construction of the encryption round. In performance, they exceed the SPECTR-H64 cryptoscheme in every case. Nevertheless, all three ciphers based on variable permutations have very close parameters and give an estimate of the efficiency of hardware implementation of such ciphers.
Thus, it is possible to draw the following conclusions in relation to the DDP-64 cipher:

DDP-64 ensures high performance and an inexpensive hardware implementation.
The DDP-64 structure is well suited for carrying out a detailed differential analysis, in particular for computing differential characteristics with a low number of active bits, which have the highest probability values.
This cipher is strong against differential, linear, and other attacks.
The DDP-64 cryptosystem is an example of a cipher based only on controlled permutations, illustrating the high efficiency of controlled permutations as a cryptographic primitive.

Differential Cryptanalysis of the COBRA-H64 Cipher


Similar to some other ciphers based on data-dependent permutations, in the COBRA-H64 cryptosystem the variable bit permutations carried out over the right data subgroup result in the differential characteristics with low-weight differences having the highest probability. The probability of a characteristic significantly decreases with the growth of the difference weight, because active bits fall into random positions when the difference passes through the right branch. The differential analysis provided in this section is an empirical one. It is based on the study of various differences having weights ranging from 1 to 6. Although the probability tends to decrease considerably with the growth of the difference weight, to complete the differential analysis it is necessary to carry out a generalized theoretical investigation. Such an investigation would give a formal proof that there are no characteristics with probability exceeding some predefined value. In general, this task seems too labor-intensive even for a small number of rounds. Empirical analysis is meaningful as one of the stages of the strength analysis. This note also applies to the analysis carried out for other ciphers.
The differences corresponding to the left and right data subgroups are denoted as $\Delta^L$ and $\Delta^R$. The difference of an iterative differential characteristic appears as $(\Delta^L, \Delta^R)$. When considering some individual operation F, the input and output differences related to it are denoted as $\Delta^F$ and $\Delta^{(F)}$, respectively. The number of active bits of the difference and the positions to which they belong are specified in the subscript: the number of active bits is written first, and the positions after the vertical bar (|) character. It will be assumed that the notations $\Delta_{2|i,j}$ and $\Delta_2$ are essentially different: the first designates a specific difference with two active bits, while the second stands for any one of the differences with two active bits.
The mechanism of forming the differential characteristic is determined by the properties of the operations carried out within the round transformation and by the structure of that transformation. Using these properties, it is easy to compute the characteristics of the $P_{32/96}$ and $P^{-1}_{32/96}$ controlled permutation blocks that correspond to small values of $z$ in the difference $\Delta^L_z$, which determines the difference at the control input of the controlled permutation block. The probability values of different characteristics are presented in Tables 5.40 and 5.41, where $\Delta^X$ and $\Delta^Y$ are the input and output differences of the controlled permutation block.

TABLE 5.40 Values of Probabilities $p(\Delta^X \to \Delta^Y / \Delta^L_1)$ for Block $P_{32/64}$

TABLE 5.41 Values of Probabilities $p(\Delta^X \to \Delta^Y / \Delta^L_2)$ for Block $P_{32/64}$

When executing operation G, the bits in positions 1, 2, ..., 29 influence four output bits. In this case, modification of the input bit in position $i$ results in a deterministic modification of the output bit in the same position, and a probabilistic change of the output bits in positions $i + k$, where $k = 1, 2, 3$. The formulae describing the dependency of the modification of the output bits on the modification of the input bit $x_i$ are provided in Table 5.42. As can easily be noticed, the difference $\Delta_{1|i}$ passes operation G without modification with probability $2^{-3}$ if $1 \le i \le 29$, $2^{-2}$ if $i = 30$, $2^{-1}$ if $i = 31$, and 1 if $i = 32$.

TABLE 5.42 Probabilities of Active Bit Generation in Different Positions of the Output of Function G in Case of Modification of the Input Bit i

Thus, we have discovered that two-round iterative differential characteristics with differences $(0, \Delta^R_1)$ or $(\Delta^L_1, 0)$ are the most efficient. The mechanisms used for forming them are identical; therefore, it is reasonable to consider only the passing of the first difference through two rounds. Because we do not specify the position to which the active bit belongs, any one of the existing single-bit differences in the right data subgroup is meant.
Assume that in the first round the difference $\Delta^R_1$ propagates through the right branch. Then, with the probability $p^{(i)} = 2^{-5}$, the difference $\Delta^R_{1|i}$ will appear at the output of the $P^{-1}_{32/96}$ block, which after transposition of the subgroups will be transformed into the difference $\Delta^L_{1|i}$. The latter difference introduces no fewer than two active bits into the right branch as it propagates through the left branch of the cryptoscheme, because of the execution of two G operations and the superimposition of their

output values on the right subgroup using the modulo-2 summation operation. Each G operation, with probability $2^{-3}$, introduces only one bit, and the probability of introducing only two active bits into the right branch is $2^{-6}$. The main contribution to the forming of the two-round characteristic is due to the following two cases.

Event A
The top operation G generates only one active bit at its output, with probability $p_1 = 2^{-3}$.
The bottom operation G generates only one active bit at its output, with probability $p_2 = 2^{-3}$.
Because of the presence of the difference in the control vector generated by the difference $\Delta^L_{1|i}$, the $P_{32/96}$ block forms the difference $\Delta^R_{2|i,j'}$, where $j' = \pi^{(e \oplus 1)}(I(i))$, with probability $p_3$ depending on $i$.
The difference $\Delta^R_{2|i,j'}$, after summation with the active bits formed at the outputs of the operations G, is transformed into a zero difference that passes the $P^{-1}_{32/96}$ block without modification with probability $p_4 = 2^{-3}$.

Event B
The difference $\Delta^R_0$ passes the $P_{32/96}$ controlled permutation block without modification with probability $p_4 = 2^{-3}$.
The top operation G generates only one active bit at its output, with probability $p_1 = 2^{-3}$.
The bottom operation G generates only one active bit at its output, with probability $p_2 = 2^{-3}$.
Because of the presence of the difference at the control input of block $P^{-1}_{32/96}$, the latter resets to zero both active bits of the difference $\Delta^R_{2|i',j}$, where $i' = \pi^{(e)}(i)$, supplied at its input, with probability $p_3$ dependent on $i$.

The contribution of other mechanisms to the probability of the two-round characteristic $P^{(2)}$ can be neglected, because it is significantly lower than the contribution of events A and B. The probability contributions of these two events will be designated as $P'$ and $P''$, respectively. Thus, the result appears as follows: $P^{(2)} \approx P' + P''$. To compute the probabilities $P'$ and $P''$, it is necessary to take into account the distribution of the control bits over both controlled permutation blocks present in the right branch. The contributions of different bits of the left subgroup, to which the active bit of the difference $\Delta^L_{1|i}$ belongs, are different. Both events are considered similarly, with the only difference consisting in the following. When studying Event A, the probability of the situation when two active bits generated by the active switching element (that is, the element to which the active bit of the control vector difference is applied) of the $P_{32/96}$ block fall into positions $j'$ and $i$ is

considered. When studying Event B, we consider the probability of two active bits present in positions $j$ and $i' = \pi^{(e)}(i)$ at the output of the bottom controlled permutation block falling to the input of the same active switching element of block $P^{-1}_{32/96}$. Because of the topological symmetry of blocks $P_{32/96}$ and $P^{-1}_{32/96}$, consideration of Event B can be reduced to consideration of Event A, in which the operational block $P_{32/96}$ forms the difference $\Delta^R_{2|i',j}$ at its output provided that the difference $\Delta^L_{1|j}$ is present in the left branch.
Consider the computation of the probability $P'$ using the scheme of forming the two-round characteristic shown in Figure 5.49. The difference of the left subgroup $\Delta^L_{1|i}$, which at the same time is the input difference of the permutation involution I, after the operation I is transformed into the difference $\Delta^L_{1|j}$. Because of this, the top operation G introduces the active bit belonging to the $i$-th position into the right branch, and the bottom operation G introduces the active bit belonging to position $j$. The probability of the event in which the top (bottom) operation G forms only one active bit of the difference at its output is equal to the value $p_1$ ($p_2$), which depends on $i$ ($j$). One of the three active switches of the top controlled permutation block can generate a pair of active bits, which can fall into positions $i$ and $j$ as they propagate to the output.

FIGURE 5.49 Two-round differential characteristic $0\,\|\,\Delta_{1|k}$ of the COBRA-H64 cipher.

The probability of this event ($p_3$) depends on $i$. As a result of summation with the active bit introduced by the top operation G, only the $j'$-th active bit remains at the input of the switched permutation $\pi^{(e)}$. This bit, after execution of the operation $\pi^{(e)}$, falls into the position with the number $\pi^{(e)}(j') = \pi^{(e)}(\pi^{(e \oplus 1)}(j)) = j$, where it annihilates with the active bit introduced by the bottom operation G. As a result, a zero difference is formed at the input of the bottom controlled permutation block, which passes it with probability $p_4 = 2^{-3}$. The values of the probabilities $p_1$, $p_2$, $p_3$, and $p_4$ are listed in Table 5.42. Note the specific feature of the case $i = 13$, for which the active bits generated by both operations G can cancel each other. Because of the latter circumstance, in the case $i = 13$ the following output differences of the top controlled permutation block bring a considerable contribution to the probability $P'$: $\Delta^R_{2|13,15}$, $\Delta^R_{2|13,16}$, $\Delta^R_{2|13,17}$, and $\Delta^R_{2|13,18}$. For this case, Table 5.42 provides several averaged integral values of $p_1$, $p_2$, and $p_3$. The probability $P'$ can be computed according to the following formula:

$$P' \approx \sum_{i=1}^{32} p^{(i)} p_1 p_2 p_3 p_4 = p^{(i)} p_4 \sum_{i=1}^{32} p_1 p_2 p_3 \approx 1.33 \cdot 2^{-20},$$

where the first sign of approximate equality accounts for neglecting the weak dependency between the events to which probabilities $p_3$ and $p_4$ are related. The values of probability $p_3$ are computed taking into account the distribution of the bits of the controlling left data subgroup over the elementary switches of the top controlled permutation block; that is, taking into account the structure of the extension block E. For example, in the case $i = 5$ we have $j = 18$ and $j' = 15$, in which case the switching elements with numbers 5, 31, and 41 are active.
Also, it is necessary to account for the following three cases, when the top controlled permutation block generates the difference $\Delta^R_{2|5,13}$:

1. Depending on the value of the right data subgroup R, the fifth switching el-
ement forms at its output a pair of active bits with the probability (this
happens in the case when two of its input bits are different). Element 31
forms zero difference at its output with the probability 0.5, and the proba-
bility of zero difference appearing at the output of element 41 is also 0.5
(this takes place when both input bits of the corresponding element are
equal).
2. Switches 5 and 41 form zero difference at their outputs with the probabil-
ity 0.5, and switch 31 produces two active bits with the probability 0.5.
3. Switching elements with numbers 5 and 31 with the probability 0.5 form
zero difference at their outputs, and element 41 produces two active bits.

Taking into account the structure of block E, each bit of the L subgroup controls the permutation of six different bits of the R subgroup. Because of this, the probability of each of the three events listed above is exactly equal to $2^{-3}$. One of the output bits of element 5 falls into position five at the output of the $P_{32/96}$ operation with probability $2^{-5}$ (it passes five active layers of block $P_{32/96}$). The second output bit of element 5 falls into position 13 with the same probability. As a result, the first event forms the difference $\Delta^R_{2|5,13}$ with the probability $p^{(1)} = 2^{-3}(2^{-5})^2 = 2^{-13}$. The second event cannot result in forming such a difference at the output of the $P_{32/96}$ block, which means that $p^{(2)} = 0$. For the third event, the result appears as follows: $p^{(3)} = 2^{-3}(2^{-3})^2 = 2^{-9}$. Thus, for $i = 5$ the probability will be $p_3 = p^{(1)} + p^{(2)} + p^{(3)} \approx 1.06 \cdot 2^{-9}$. Proceeding the same way, it is possible to compute the probability values for all other values of $i$. Note that the cases with values $17 \le i \le 32$ make zero contribution to the probability $P'$.
For Event B, proceeding in a similar way, it is possible to obtain the probability value $P'' \approx 2^{-20}$, and then compute the value $P^{(2)}$:

$$P^{(2)} \approx P' + P'' \approx 1.33 \cdot 2^{-20} + 2^{-20} \approx 1.16 \cdot 2^{-19}.$$

For the cases of 8 and 10 encryption rounds of the COBRA-H64 cipher, the following values are obtained: $P^{(8)} = \left(P^{(2)}\right)^4 \approx 1.82 \cdot 2^{-76}$ and $P^{(10)} = \left(P^{(2)}\right)^5 \approx 1.05 \cdot 2^{-94}$. Taking into account that for a random transformation a single-bit difference $(0, \Delta^R_1)$ is formed at the output with the probability $P = 32 \cdot 2^{-64} = 2^{-59} > P^{(8)} > P^{(10)}$, it is possible to conclude that COBRA-H64 is strong against differential cryptanalysis, because it is indistinguishable from a random transformation using the characteristics with the greatest probabilities.
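The probability bookkeeping used above for DDP-64 (Cases 1 and 2, the iterated $P^{(r)}$, the random-cipher bound $2^{-64} \cdot 2^{5}$, and the linear offset $b = 0.5P$) and here for COBRA-H64 follows the same steps each time. The following Python script is an added example, not code from the book: its only inputs are the elementary-event probabilities quoted in the text, the function names are ours, and it reproduces the stated figures together with the indistinguishability check.

```python
"""Characteristic-probability bookkeeping for the DDP-64 and COBRA-H64 analysis.

Added example, not from the book. Inputs are the elementary-event probabilities
quoted in the text; the function names are ours.
"""
import math


def as_book_notation(p):
    """Write p as (m, e) with p = m * 2**e and 1 <= m < 2 (the book's 'm . 2^e' style)."""
    e = math.floor(math.log2(p))
    return p / 2.0 ** e, e


def case_probability(events):
    """One case = all of its elementary events occur; they are treated as independent."""
    return math.prod(events)


def two_round_probability(cases):
    """P(2) = P' + P'' + ...: sum over the dominant cases, the rest is neglected."""
    return sum(case_probability(c) for c in cases)


def r_round_probability(p_two_round, rounds):
    """Iterate the two-round characteristic: P(r) = P(2) ** (r/2), r even."""
    if rounds % 2:
        raise ValueError("the iterative characteristic spans an even number of rounds")
    return p_two_round ** (rounds // 2)


def random_cipher_probability(block_bits, single_bit_positions):
    """For a random cipher: any one of single_bit_positions one-active-bit outputs,
    each with probability 2**-block_bits (the text's 2^-64 * 2^5 = 2^-59)."""
    return 2.0 ** -block_bits * single_bit_positions


def distinguishable(p_characteristic, p_random):
    """A characteristic helps only if it is more likely than for a random cipher."""
    return p_characteristic > p_random


def linear_offset(p_event):
    """Offset (bias) of a characteristic that holds with probability 1 when the
    event occurs and 1/2 otherwise: |0.5(1 - P) + P - 0.5| = 0.5 P."""
    return abs(0.5 * (1.0 - p_event) + p_event - 0.5)


# DDP-64 two-round differential characteristic: Cases 1 and 2 from the text.
DDP64_CASE1 = [2.0 ** -4, 2.0 ** -9, 2.0 ** -3, 2.0 ** -3]                      # p1..p4
DDP64_CASE2 = [(1 - 2.0 ** -2) ** 2, 2.0 ** -5, 2.0 ** -3, 2.0 ** -3, 2.0 ** -5]  # p'1..p'5
DDP64_P2 = two_round_probability([DDP64_CASE1, DDP64_CASE2])        # about 1.37 * 2^-17

# DDP-64 single-round linear characteristic: p1, p2, p3 from the text.
DDP64_LINEAR_P1 = case_probability([2.0 ** -5, 0.75 * 2.0 ** -5, 2.0 ** -5])  # 0.75 * 2^-15

# COBRA-H64: the text gives P' and P'' directly.
COBRA64_P2 = two_round_probability([[1.33 * 2.0 ** -20], [2.0 ** -20]])  # about 1.16 * 2^-19

# 64-bit block, one active bit anywhere in a 32-bit subgroup.
P_RANDOM_64 = random_cipher_probability(64, 32)


def summary(p_two_round, rounds=(8, 10)):
    """{r: ((m, e), distinguishable)} for the r-round characteristic."""
    out = {}
    for r in rounds:
        p = r_round_probability(p_two_round, r)
        out[r] = (as_book_notation(p), distinguishable(p, P_RANDOM_64))
    return out


if __name__ == "__main__":
    for name, p2 in (("DDP-64", DDP64_P2), ("COBRA-H64", COBRA64_P2)):
        m, e = as_book_notation(p2)
        print(f"{name}: P(2) = {m:.2f} * 2^{e}")
        for r, ((mr, er), dist) in summary(p2).items():
            print(f"  P({r}) = {mr:.2f} * 2^{er}, distinguishable from random: {dist}")
    b1 = linear_offset(DDP64_LINEAR_P1)
    print(f"DDP-64 linear offset b(1) = {b1 / 2.0 ** -16:.2f} * 2^-16")
```

The mantissas come out slightly above the book's (1.375 rather than 1.37, for example) because the text truncates intermediate values before iterating; the exponents and the comparison with $2^{-59}$ agree.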
The use of the switched operation $\pi^{(e)}$ eliminates weak and semi-weak keys. This makes the use of a simple key schedule more secure. The use of different values of the parameter $e$ in different encryption rounds ensures the elimination of periodicity in the encryption procedure. Consequently, it ensures protection against slide attacks even when the same round keys are used in all rounds, which can happen with secret keys having structures like $K = (X, X, \ldots, X)$.

Differential Cryptanalysis of the COBRA-H128 Cipher


The COBRA-H128 cipher is similar in structure to the COBRA-H64 algorithm. This similarity can be traced even in the differential properties of these ciphers. For the COBRA-H128 cipher, differential characteristics with a small number of active bits also have higher probabilities in comparison to characteristics including differences of greater weights. The characteristic corresponding to the passing of the difference $(0, \Delta^R_1)$ through two rounds has the greatest probability. The mechanism

of its passing through the encryption procedure is similar to that of the COBRA-H64 cipher. The difference is that the dimensions of the controlled permutation blocks and G operations used are different.
The active bit passes the first round with probability 1. In this case, it is moved into another position; however, when positions are not specified in the designation of the difference, any output difference with the specified number of active bits is of interest (no matter which positions the active bits occupy). This means that in this case we consider the sets of all differences with the specified number of active bits instead of individual differences. When only one input bit of the G operation is modified, only one bit will necessarily change at its output, namely the one in the same position as the modified input bit. In addition, six more output bits can change, each with probability 0.5. The main variants of forming the two-round characteristic are related to the occurrence of the differences $\Delta^{(G)}_{2|i,i+1}$, $\Delta^{(G)}_{2|i,i+2}$, $\Delta^{(G)}_{2|i,i+3}$, $\Delta^{(G)}_{2|i,i+4}$, $\Delta^{(G)}_{2|i,i+5}$, and $\Delta^{(G)}_{2|i,i+6}$ at the output of operation G (for $i > 58$ the indices $i + k$ have values exceeding 64; for such indices it is necessary to use the value $i + k - 64$). By specifying operation G through Boolean functions, it is easy to write the formulae describing the modification of the output bits in position $i + k$, where $k = 0, 1, \ldots, 6$ (see Table 5.43).

TABLE 5.43 Probabilities of Generation of the Active Bit at the Output of Function G in the Case of Modification of the i-th Input Bit

Described here are the events A1 and A2, whose contribution to the probability of the two-round characteristic of COBRA-H128 is the most significant. Consider the mechanism of forming the two-round characteristic with the difference $(0, \Delta_1^R)$ shown in Figure 5.50. After the execution of the first round, the difference $\Delta_1^R$ turns into the difference $\Delta^R_{1|i}$ with probability $p' = 2^{-6}$, and after the transposition of the data subblocks it becomes $\Delta^L_{1|i}$; that is, the difference $(\Delta^L_{1|i}, 0)$ is supplied to the input of the second round with probability $p' = 2^{-6}$. The active bit of the left branch passes through the top operation G with probability $2^{-6}$, generating the difference $\Delta^G_{1|i}$ at the output of this operation. The active bit of the left branch also passes through the bottom operation G; before doing so, however, it passes through the fixed permutation $\Pi$ and turns into the difference $\Delta_{1|j}$, where $j = \Pi(i)$. The difference $\Delta_{1|j}$ passes through the bottom operation G with probability $2^{-6}$. Thanks to the permutation $\Pi$, different bits of the left data subblock influence the generation of new active bits in positions $i + k$ (for the top operation G) and $j + k$ (for the bottom operation G), where $k = 0, 1, \dots, 6$, so the two events just considered are independent. The differences $\Delta^G_{1|i}$ and $\Delta^G_{1|j}$ are superimposed on the right subblock. If a pair of active bits is generated in the top controlled permutation block and these bits fall into positions i and j, they are superimposed on the unit bits introduced from the left branch of the cryptoscheme and cancel them, so that the zero difference is formed at the input of the bottom controlled permutation block. Generation of active bits in a controlled permutation block is possible because the active bit of the left subblock generates three unit differences in the control vector V; that is, the difference $\Delta^V_3$ appears at the control input of the controlled permutation block. If the zero difference of the right subblock passes the top controlled permutation block unchanged, then the two active bits introduced from the left branch can annihilate in the bottom controlled permutation block, provided they are simultaneously moved to the same elementary switch whose control input receives a unit bit of the control vector difference.
There are also other mechanisms of forming the two-round characteristic with the difference $(0, \Delta_1^R)$; however, their contribution to the probability of the characteristic is considerably smaller. Only two events make a significant contribution.

Event A1 (see Figure 5.50):

The difference $\Delta^G_{1|i}$ is formed at the output of the top operation G with probability $p_1 = 2^{-6}$.
The difference $\Delta^G_{1|j}$ is formed at the output of the bottom operation G with probability $p_2 = 2^{-6}$.
The difference $\Delta^{P'}_{2|i,j'}$, where $j' = I(j)$, is formed at the output of the top controlled permutation block ($P_{64/192}$) with probability $p_3(i, j')$.
The difference $\Delta^G_{1|i} \oplus \Delta^{P'}_{2|i,j'} \oplus \Delta^G_{1|j} = \Delta_0$ is formed at the input of the bottom controlled permutation block ($P^{-1}_{64/192}$); the fixed permutation I, which lies between the two G operations, aligns the second bit of the pair, at position $j'$, with the bottom G output at position j.
The zero difference passes the bottom controlled permutation block with probability $p_4 = 2^{-3}$.

FIGURE 5.50 Two-round differential characteristic $(0 \,\|\, \Delta_{1|k})$ of the COBRA-H128 cipher.

Event A2:

With probability $p_1 = 2^{-6}$, the difference $\Delta^G_{1|i}$ is formed at the output of the top operation G; after passing operation I it turns into the difference $\Delta^G_{1|i'}$, where $i' = I(i)$.
The zero difference passes the top controlled permutation block with probability $p_3 = 2^{-3}$.
The difference $\Delta^G_{1|j}$ is formed at the output of the bottom operation G with probability $p_2 = 2^{-6}$.
The difference $\Delta^R_{2|i',j}$ is reset to zero when passing the bottom controlled permutation block with probability $p_4(i', j)$.

Computation of the probabilities $p_3(i, j')$ and $p_4(i', j)$ requires consideration of the structure of the extension block and of the topology of the controlled permutation block. The obtained data are presented in Table 5.44.

TABLE 5.44 Probabilities of Elementary Events of the Case A1

The probability of event A1 in the case where the active bit of the left subblock is in position i is denoted $P(i) = p_1 p_2 p_3(i, j') p_4$. Taking into account the dependence of $P(i)$ on i, the contribution of event A1 to the probability of the two-round characteristic can be written as

$$P' = p' \sum_{i=1}^{64} P(i) = p' p_1 p_2 p_4 \sum_{i=1}^{64} p_3(i, j') \approx 1.125 \cdot 2^{-30},$$

where $p' = 2^{-6}$ is the probability of the event that the active bit of the difference falls into position i after the first round. Events A1 and A2 are symmetric, and the contribution of the second event to the probability of the two-round characteristic, $P'' \approx 1.125 \cdot 2^{-30}$, is computed in the same way. Thus, the probability of the two-round characteristic is

$$P(2) \approx P' + P'' \approx 1.125 \cdot 2^{-29}.$$

The probability of the event that a difference with one active bit passes the full number of rounds is $P(12) = P(2)^6 \approx 2^{-173}$. For 10 rounds of COBRA-H128 the result is $P(10) = P(2)^5 \approx 2^{-144}$. Since for a random transformation the one-bit difference $(0, \Delta_1^R)$ is formed at the output with probability $P = 64 \cdot 2^{-128} = 2^{-122} > P(10) > P(12)$, one can conclude that COBRA-H128 is secure against the attack under consideration: with respect to this attack the cipher is indistinguishable from a random transformation.
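The bookkeeping above, namely a one-bit difference through G, a zero difference through a layer of controlled switches under an active control difference, and $P(r) = P(2)^{r/2}$ against the random-transformation bound, as an added worked example in Python. This is not code from the book or from the COBRA-H128 specification. The map g_model is a constructed stand-in with only the dependency pattern the text attributes to G (output bit i always follows input bit i, and six further output bits each toggle with probability 1/2, here gated by a hypothetical 64-bit subkey a); switch_layer is a single layer of 32 elementary switches, not the $P_{64/192}$ topology or its extension block. The Monte Carlo estimates are therefore for these models, while cobra_h128_summary reproduces the text's own arithmetic.

```python
# Added worked example (not code from the book or the COBRA-H128 spec).
# g_model is a CONSTRUCTED 64-bit map with the dependency pattern the text
# attributes to G, gated by a hypothetical subkey a; switch_layer is one
# layer of 32 elementary switches, not the real P_64/192 topology.
# All bit indices are modulo 64 (the text's "i + k - 64" convention).
import math
import random

MASK64 = (1 << 64) - 1


def rotl(x, k):
    """64-bit left rotation: bit j-k of x lands in position j."""
    k %= 64
    return ((x << k) | (x >> (64 - k))) & MASK64


def g_model(x, a):
    """y_j = x_j XOR sum_{k=1..6} (x_{j-k} AND a_{j+k}).  Flipping x_i always
    flips y_i and flips y_{i+k} (k=1..6) only if subkey bit a_{i+2k} is set:
    six independent coin flips, so a one-bit input difference stays a
    one-bit output difference with probability 2^-6 over a uniform subkey."""
    y = x
    for k in range(1, 7):
        y ^= rotl(x, k) & rotl(a, 64 - k)   # rotl(a, 64-k) puts a_{j+k} at j
    return y


def g_output_diff_stats(i, trials=20000, seed=1):
    """Flip only input bit i of g_model over random data and subkey; return
    (fraction of one-bit output differences, set of positions ever active)."""
    rng = random.Random(seed)
    single, positions = 0, set()
    for _ in range(trials):
        x, a = rng.getrandbits(64), rng.getrandbits(64)
        delta = g_model(x, a) ^ g_model(x ^ (1 << i), a)
        single += int(delta & (delta - 1) == 0)      # power of two: one bit
        positions |= {j for j in range(64) if (delta >> j) & 1}
    return single / trials, positions


def switch_layer(data, control):
    """Switch s swaps data bits 2s and 2s+1 when control bit s is 1."""
    out = data
    for s in range(32):
        if (control >> s) & 1:
            lo, hi = (data >> 2 * s) & 1, (data >> (2 * s + 1)) & 1
            out = (out & ~(3 << 2 * s) & MASK64) | hi << 2 * s | lo << (2 * s + 1)
    return out


def zero_diff_pass_probability(t, trials=20000, seed=2):
    """Zero data difference through one switch layer whose control vectors
    differ in t positions.  An active control bit swaps a pair in one text
    only, so the difference stays zero iff that pair holds equal bits
    (probability 1/2 each): 2^-t overall, the text's p_4 = 2^-3 for t = 3."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        data, ctrl = rng.getrandbits(64), rng.getrandbits(32)
        ctrl_prime = ctrl
        for s in rng.sample(range(32), t):
            ctrl_prime ^= 1 << s
        survived += int(switch_layer(data, ctrl) == switch_layer(data, ctrl_prime))
    return survived / trials


def characteristic_probability(p2, rounds):
    """P(r) = P(2)^(r/2): the two-round characteristic iterated r/2 times."""
    if rounds % 2:
        raise ValueError("the characteristic spans an even number of rounds")
    return p2 ** (rounds // 2)


def random_map_probability(block_bits, active_bits):
    """Random transformation: a difference with `active_bits` active bits
    confined to one half of the block appears with probability
    C(n/2, w) / 2^n, i.e. 64 * 2^-128 = 2^-122 for n = 128, w = 1."""
    return math.comb(block_bits // 2, active_bits) / 2.0 ** block_bits


def cobra_h128_summary():
    """The text's numbers: P(2) = P' + P'' with P' = P'' = 1.125 * 2^-30,
    then P(10), P(12) and the margin to the random-map bound."""
    p2 = 2 * 1.125 * 2.0 ** -30                   # 1.125 * 2^-29
    p10 = characteristic_probability(p2, 10)
    p12 = characteristic_probability(p2, 12)
    p_random = random_map_probability(128, 1)
    return {"log2_P2": math.log2(p2), "log2_P10": math.log2(p10),
            "log2_P12": math.log2(p12), "log2_P_random": math.log2(p_random),
            "indistinguishable": p_random > p10 > p12}


if __name__ == "__main__":
    p, pos = g_output_diff_stats(5)
    print(f"one-bit output difference: {p:.4f} vs 2^-6 = {2 ** -6:.4f}; "
          f"active positions {sorted(pos)}")
    print(f"zero difference past 3 active control bits: "
          f"{zero_diff_pass_probability(3):.3f} vs 2^-3 = 0.125")
    for key, value in cobra_h128_summary().items():
        print(f"{key}: {value}")
```

Running the block prints the two Monte Carlo estimates next to their closed-form values and the logarithms $\log_2 P(2) \approx -28.8$, $\log_2 P(10) \approx -144.2$, $\log_2 P(12) \approx -173.0$ and $\log_2 P_{\text{random}} = -122$; the final flag is the ordering $P_{\text{random}} > P(10) > P(12)$ on which the indistinguishability claim rests. The gating by subkey bits rather than by data bits is what keeps the six coin flips of the model independent; a real G with data-dependent terms needs the per-position formulas of Table 5.43 instead.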
The use of the switched operation $\Pi^{(e)}$ eliminates weak and semi-weak keys, which makes the use of a simple key schedule more secure. Employing different values of the parameter e in different rounds of encryption (and decryption) eliminates periodicity and protects against slide attacks in the case when the same round keys are used in all rounds; consequently, protection is also ensured for secret keys with a structure of the form K = (X, X, …, X).
SUMMARY

To conclude, consider the comparative characteristics of the cryptographic strength of the ciphers discussed here against differential cryptanalysis. These characteristics are outlined in Table 5.45.

TABLE 5.45 Comparison of Cryptographic Strength of the Various Fast Ciphers Against Differential Cryptanalysis

Cipher        r    Characteristic difference    Characteristic probability P(2)    Value P(r)*
COBRA-H64    10    $(0, \Delta_1^R)$            $P(2) \approx 1.13 \cdot 2^{-19}$     $2^{-94}$
COBRA-H64     8    $(0, \Delta_1^R)$            $P(2) \approx 1.13 \cdot 2^{-19}$     $2^{-75}$
COBRA-H128   12    $(0, \Delta_1^R)$            $P(2) \approx 1.125 \cdot 2^{-29}$    $2^{-173}$
COBRA-H128   10    $(0, \Delta_1^R)$            $P(2) \approx 1.125 \cdot 2^{-29}$    $2^{-144}$
DDP-64       10    $(\Delta_1^L, 0)$            $P(2) \approx 1.37 \cdot 2^{-17}$     $1.2 \cdot 2^{-83}$
DDP-64        8    $(\Delta_1^L, 0)$            $P(2) \approx 1.37 \cdot 2^{-17}$     $1.7 \cdot 2^{-67}$
*The contribution of the characteristic into the probability after passing through r rounds, $P(r) = P(2)^{r/2}$.
Recommended Reading

PROBLEMS OF CONTEMPORARY CRYPTOGRAPHY

Shannon, C. E., “Communication Theory of Secrecy Systems.” Bell System Technical Journal, vol. 28, 1949, pp. 656–715.
Diffie, W., and M. E. Hellman, “New Directions in Cryptography.” IEEE Transactions on Information Theory, 1976, vol. IT-22, pp. 644–654.
Rabin, M. O., “Digitalized Signatures and Public Key Functions as Intractable as Factorization.” Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979.
Fiat, A., and A. Shamir, “How To Prove Yourself: Practical Solutions to Identification and Signature Problems.” Advances in Cryptology—CRYPTO’86, Springer-Verlag, 1987, vol. 263, pp. 186–194.
Elgamal, T., “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms.” IEEE Transactions on Information Theory, 1985, vol. IT-31, No. 4, pp. 469–472.
Schnorr, C. P., “Efficient Signature Generation by Smart Cards.” J. Cryptology, 1991, vol. 4, pp. 161–174.
Schnorr, C. P., “Efficient Identification and Signatures for Smart Cards.” Advances in Cryptology—CRYPTO’89, Springer-Verlag, 1990, vol. 435, pp. 239–252.
Chaum, D., “Blind Signatures for Untraceable Payments.” Advances in Cryptology: Proc. of CRYPTO’82, Plenum Press, 1983, pp. 199–203.
Chaum, D., “Security Without Identification: Transaction Systems to Make Big Brother Obsolete.” Communications of the ACM, 1985, vol. 28, No. 10, pp. 1030–1044.
Mao, Wenbo, Modern Cryptography: Theory and Practice. Prentice Hall PTR, New Jersey, 2004.
Pieprzyk, J., T. Hardjono, and J. Seberry, Fundamentals of Computer Security. Springer-Verlag, Berlin, 2003.

Menezes, A. J., P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.
Schneier, B., Applied Cryptography: Protocols, Algorithms, and Source Code in C (Second Edition). New York: John Wiley & Sons, 1996.

PERMUTATION NETWORKS AND CIPHERS ON THEIR BASIS

Benes, V. E., “Algebraic and Topological Properties of Connecting Networks.” Bell System Technical Journal, 1962, vol. 41, pp. 1249–1274.
Benes, V. E., Mathematical Theory of Connecting Networks and Telephone Traffic. New York: Academic Press, 1965.
Waksman, A., “A Permutation Network.” Journal of the ACM, 1968, vol. 15, No. 1, pp. 159–163.
Parker, S., “Notes on Shuffle/Exchange-Type Switching Networks.” IEEE Transactions on Computers, 1980, vol. C-29, No. 5, pp. 213–222.
Portz, M., “A Generalized Description of DES-Based and Benes-Based Permutation Generators.” Advances in Cryptology—AUSCRYPT’92, Lecture Notes in Computer Science, Springer-Verlag, 1992, vol. 718, pp. 397–409.
Van Rompay, B., L. Knudsen, and V. Rijmen, “Differential Cryptanalysis of the ICE Encryption Algorithm.” Proceedings of the 6th International Workshop Fast Software Encryption—FSE’98, LNCS, Springer-Verlag, vol. 1372, 1998, pp. 270–283.
Rivest, R. L., “The RC5 Encryption Algorithm.” 2nd International Workshop Fast Software Encryption, Proceedings, Springer-Verlag LNCS, 1995, vol. 1008, pp. 86–96.
Rivest, R. L., M. J. B. Robshaw, R. Sidney, and Y. L. Yin, “The RC6 Block Cipher.” Proc. of the 1st Advanced Encryption Standard Candidate Conference, Ventura, CA, August 20–22, 1998 (http://www.nist.gov/aes).
Moldovyan, A. A., and N. A. Moldovyan, “A Cipher Based on Data-Dependent Permutations.” Journal of Cryptology, 2002, vol. 15, pp. 61–72.
Moldovyan, A. A., “Fast Block Ciphers Based on Controlled Permutations.” Computer Science Journal of Moldova, 2000, vol. 8, No. 3, pp. 270–283.
Goots, N. D., A. A. Moldovyan, and N. A. Moldovyan, “Fast Encryption Algorithm Spectr-H64.” Proceedings of the International Workshop Methods, Models, and Architectures for Network Security, LNCS, Springer-Verlag, 2001, vol. 2052, pp. 275–286.
Moldovyan, N. A., A. A. Moldovyan, and N. D. Goots, “Variable Bit Permutations: Linear Characteristics and Pure VBP-Based Cipher.” Computer Science Journal of Moldova, 2005, vol. 13, No. 1(37), pp. 84–109.
Izotov, B. V., N. D. Goots, A. A. Moldovyan, and N. A. Moldovyan, “Fast Ciphers for Cheap Hardware: Differential Analysis of SPECTR-H64.” Proceedings of the International Workshop Methods, Models, and Architectures for Network Security (MMM-ACNS’03), LNCS, Springer-Verlag, vol. 2776, 2003, pp. 449–452.
Lee, Changhoon, Deukjo Hong, Sungjae Lee, Sangjin Lee, Hyungjin Yang, and Jongin Lim, “A Chosen Plaintext Linear Attack on Block Cipher CIKS-1.” Springer-Verlag LNCS, vol. 2513, pp. 456–468.
Izotov, B., A. Moldovyan, and N. Moldovyan, “Controlled Operations as a Cryptographic Primitive.” Proceedings of the International Workshop Methods, Models, and Architectures for Network Security, Lecture Notes in Computer Science, Berlin: Springer-Verlag, vol. 2052, 2001, pp. 230–241.
Ko, Y., D. Hong, S. Hong, S. Lee, and J. Lim, “Linear Cryptanalysis on SPECTR-H64 with Higher Order Differential Property.” Proceedings of the International Workshop Methods, Models, and Architectures for Network Security, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2003, vol. 2776, pp. 298–307.
Moldovyan, N. A., “Fast DDP-Based Ciphers: Design and Differential Analysis of Cobra-H64.” Computer Science Journal of Moldova, 2003, vol. 11, No. 3(33), pp. 292–315.

SUBSTITUTION-PERMUTATION NETWORKS AND CIPHERS ON THEIR BASIS

Kam, J. B., and G. I. Davida, “Structured Design of Substitution-Permutation Encryption Networks.” IEEE Transactions on Computers, 1979, vol. 28, No. 10, pp. 747–753.
Moldovyan, N. A., A. A. Moldovyan, and M. A. Eremeev, “A Class of Data-Dependent Operations.” International Journal of Network Security, 2006, vol. 2, No. 3, pp. 187–204 (http://isrc.nchu.edu.tw/ijns/).
Moldovyan, N. A., A. A. Moldovyan, M. A. Eremeev, and N. Sklavos, “New Class of Cryptographic Primitives and Cipher Design for Networks Security.” International Journal of Network Security, 2006, vol. 2, No. 2, pp. 114–125 (http://isrc.nchu.edu.tw/ijns/).
Moldovyan, N. A., A. A. Moldovyan, M. A. Eremeev, and D. H. Summerville, “Wireless Networks Security and Cipher Design Based on Data-Dependent Operations: Classification of the FPGA Suitable Controlled Elements.” International Conference on Computing, Communications and Control Technologies, August 14–17, 2004, Austin, TX, CCCT2004 Proc., vol. VII, pp. 123–128.
Moldovyan, N. A., N. Sklavos, A. A. Moldovyan, and O. Koufopavlou, “CHESS-64, A Block Cipher Based on Data-Dependent Operations: Design Variants and Hardware Implementation Efficiency.” Asian Journal of Information Technology, 2005, No. 4(4), pp. 323–334.
Moldovyan, A. A., N. A. Moldovyan, and N. Sklavos, “Minimum Size Primitives for Efficient VLSI Implementation of DDO-Based Ciphers.” Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference (MELECON 2004), May 12–15, 2004, Dubrovnik, Croatia.
Moldovyan, N. A., M. A. Eremeev, N. Sklavos, and A. Kristiansen, “Encryption Hardware Optimization via Designing New Primitives.” International Conference on Computing, Communications and Control Technologies, August 14–17, 2004, Austin, TX, CCCT2004 Proc., vol. VI, pp. 464–469.
Moldovyan, N. A., M. A. Eremeev, N. Sklavos, and O. Koufopavlou, “New Class of the FPGA Efficient Cryptographic Primitives.” Proceedings of the IEEE International Symposium on Circuits and Systems (ISCAS 2004), 2004.

BIT PERMUTATION INSTRUCTION

Moldovyan, N. A., N. D. Goots, P. A. Moldovyan, and D. H. Summerville, “Fast DDP-Based Ciphers: From Hardware to Software.” Proceedings of the 46th IEEE Midwest Symposium on Circuits and Systems, Cairo, Egypt, December 27–30, 2003.
Shi, Z. J., and R. B. Lee, “Bit Permutation Instructions for Fast Software Cryptography.” Proceedings of the IEEE International Conference on Application-Specific Systems, Architectures and Processors, Boston, MA, July 10–12, 2000, pp. 138–148.
Lee, R. B., Z. J. Shi, and X. Yang, “Efficient Permutation Instructions for Fast Software Cryptography.” IEEE Micro, 2001, vol. 21, No. 6, pp. 56–69.
Lee, R. B., Z. J. Shi, R. L. Rivest, and M. J. B. Robshaw, “On Permutation Operations in Cipher Design.” Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’04), Las Vegas, NV, April 5–7, 2004, vol. 2, pp. 569–579.
SOFTWARE CIPHERS

Moldovyan, A. A., and N. A. Moldovyan, “Fast Software Encryption Systems for Secure and Private Communication.” 12th International Conference on Computer Communication, Seoul, Korea, August 21–24, 1995, Proceedings, vol. 1, pp. 415–420.
Moldovyan, A. A., and N. A. Moldovyan, “Software Encryption Algorithms for Transparent Protection Technology.” Cryptologia, January 1998, vol. XXII, No. 1, pp. 56–68.
Moldovyan, A. A., N. A. Moldovyan, and B. Ya. Sovetov, “Software-Oriented Ciphers for Computer Communication Protection.” International Conference Applications of Computer Systems, ACS’97 Proceedings, November 13–14, 1997, Szczecin, Poland, pp. 443–450.
Moldovyan, N. A., “Provably Indeterminate 128-Bit Cipher.” Computer Science Journal of Moldova, 1997, vol. 5, No. 2(14), pp. 185–197.
Eremeev, M. A., V. I. Korjik, N. A. Moldovyan, and A. Mukherjii, “Fault-Based Analysis of Flexible Ciphers.” Computer Science Journal of Moldova, 2002, vol. 10, No. 29, pp. 46–52.

HARDWARE IMPLEMENTATION OF BLOCK CIPHERS

Sklavos, N., and O. Koufopavlou, “Architectures and VLSI Implementations of the AES-Proposal Rijndael.” IEEE Transactions on Computers, vol. 51, Issue 12, 2002, pp. 1454–1459.
Sklavos, N., and O. Koufopavlou, “Architectures and FPGA Implementations of the SCO (-1, -2, -3) Ciphers Family.” Proceedings of the 12th International Conference on Very Large Scale Integration (IFIP VLSI-SoC ’03), Darmstadt, Germany, December 1–3, 2003.
Sklavos, N., N. A. Moldovyan, and O. Koufopavlou, “Pure DDP-Based Cipher: Architecture Analysis, Hardware Implementation Cost and Performance up to 6.5 Gbps.” International Arab Journal of Information Technology, January 2005, vol. 2, No. 1, pp. 24–32.
Sklavos, N., A. A. Moldovyan, and O. Koufopavlou, “Encryption and Data Dependent Permutations: Implementation Cost and Performance Evaluation.” Workshop MMM-ACNS 2003 Proc., LNCS, Springer-Verlag, Berlin, 2003, vol. 2776, pp. 343–354.
Sklavos, N., A. A. Moldovyan, and O. Koufopavlou, “High Speed Networking Security: Design and Implementation of Two New DDP-Based Ciphers.” Mobile Networks and Applications (MONET), Special Issue on Algorithmic Solutions for Wireless, Mobile, Ad Hoc and Sensor Networks, Kluwer, 2004.
Elbirt, A. J., W. Yip, B. Chetwynd, and C. Paar, “An FPGA Implementation and Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists.” 3rd Advanced Encryption Standard Conference Proceedings, April 13–14, 2000, New York, NY (http://www.nist.gov/aes).
Cheung, O. Y. H., K. H. Tsoi, P. H. W. Leong, and M. P. Leong, “Tradeoffs in Parallel and Serial Implementations of the International Data Encryption Algorithm.” Proceedings of CHES 2001, LNCS 2162, Springer-Verlag, 2001, pp. 333–337.
Chitu, C., and M. Glesner, “An FPGA Implementation of the AES-Rijndael in OCB/ECB Modes of Operation.” Microelectronics Journal, Elsevier Science, vol. 36, 2005, pp. 139–146.
Rudra, A., P. K. Dubey, C. S. Jutla, V. Kumar, J. R. Rao, and P. Rohatgi, “Efficient Rijndael Encryption Implementation with Composite Field Arithmetic.” Proceedings of the 3rd International Workshop Cryptographic Hardware and Embedded Systems—CHES 2001, Lecture Notes in Computer Science, Springer-Verlag LNCS 2162, 2001, pp. 171–180.
Preneel, B., et al., “Performance of Optimized Implementations of the NESSIE Primitives.” Project IST-1999-12324, 2003 (see p. 36; http://www.cryptonessie.org).
Index

Numbers and Symbols in protection tools, 58–63


|| (concatenation operation), 92 reliability of, 8
:= (assignment operation), 92 secrecy building strength of, 75–76
128-bit block ciphers, 73 standardization of, 66–68
“2m congruence addition”, 252–253 uncertainty of flexible ciphers, 82
32-block ciphers, 73 archives, secret data, 64–65
512-byte block ciphers, 73 arithmetic operations, designing one-key cryptosystems
64-bit block ciphers, 73 using, 32
⊕ (bit-wise addition modulo) assignment operation (:=), 92
“2m congruence addition”, 252–253 asymmetric key cryptosystems, see two-key cryptosystems
CIKS-128, 240 attacks
designating for fast software ciphers, 92 algebraic, 357
SPECTR-128, 231 based on hardware errors, 312–314
SPECTR-H64, 220 brute-force, 63
⊗ (bitwise logical multiplication), 92 chosen or adapted text, 11
common types of, 21
A cryptographic, 2
absolute security, 7 digital signatures and, 48–50
active adversaries, 41 homophonic ciphers and, 52
active bits integrity control, 15
analysis of SPECTR-128 cipher, 294–300 internal vs. external, 41
analysis of SPECTR-H64 block cipher, 282–286, slide, 214–215
287–293 SPECTR-Z cipher protecting against, 106–111
adapted text cryptanalysis, 11 testing cryptosystems against, 9–11
addition, ⊕ (bit-wise addition modulo) authentication
“2m congruence addition”, 252–253 handshake protocol for remote, 14
CIKS-128, 240 information, 16
designating for fast software ciphers, 92 in two-key cryptosystems, 39
SPECTR-128, 231 user, 13–14
SPECTR-H64, 220 authorization
Adleman, L., 42–45 internal adversaries having valid, 41
Advanced Encryption Standard (AES), 67–68 protecting against unauthorized access, 58–63
adversaries, 41 avalanche effect, 352
AES (Advanced Encryption Standard), 67–68 avalanche vectors
algebraic attacks, DDP-64 cryptosystem, 357 defined, 272
algebraic operations, designing one-key cryptosystems, 32 Hamming weight, 273
algorithms; see also by individual types
byte encryption, 113 B
checksumming, 15 bent function, 223
in contemporary computer systems, see SPECTR-Z bijective transformations, of CEs, 150
digital signature attacks on, 49–50 bit-wise addition modulo (⊕)
file encryption, 111–113 “2m congruence addition”, 252–253
generating extended encryption keys, 79–81 CIKS-128, 240
information protection technology and, 19–22 designating for fast software ciphers, 92
key length and security, 63–64 SPECTR-128, 231
multipass cryptoschemes with flexible, 84–85 SPECTR-H64, 220
overview of, 39–41 bit-wise logical multiplication (⊗), 92

377
378 Index

blind signatures, 47–48 software, see software ciphers


block ciphers; see also by individual type testing, 63–64
based on variable permutations, 130–137 cipher security rule, 9
defined, 8, 27 ciphertext
enciphering and deciphering procedures, 66 chosen ciphertext cryptanalysis, 11
Feistel’s cryptoscheme for, 31 cryptographic methods, 6–7
implementing substitutions for, 33 frequency cryptanalysis and, 277
iterated, 30–31 known ciphertext cryptanalysis, 10
overview of, 27–29 pre-compression decreasing risk of attack, 52
product, 29–30 circuit representation, of CEs, 150–151
representing with substitution tables, 73 COBRA-F64a/COBRA-F64b, 260–265
Russian encryption system and, 319 F function (encryption algorithm), 263
simple key schedule for, 184–187 general encryption scheme, 260–261
SPECTR-H64, see SPECTR-H64 overview of, 260
statistical properties, 272–276 round keys, schedule for using, 261–263
substitutions and, 73–74, 78, 277 security of, 307–312
Block F, DDP-64 cryptosystem, 136–137 speed parameters and cryptographic security, 263–265
Boolean functions (BFs) COBRA-H128, 343–347
CIKS-128 cipher, 240, 243–244 controlled permutations, 345
cryptographic strength of ciphers and, 350 cryptographic strength of, 372
elementary controlled involutions, 138–146 differential cryptanalysis (DC) of, 367–371
perfect nonlinear or bent function, 223 fixed permutations, 346–347
SPECTR-128 cipher, 231, 233 nonlinear G function, 346–347
SPECTR-H64, 220 overview of, 343–344
transformation properties, 225 round keys schedule, 344
boot sector data, SPECTR-Z cryptosystem, 113–115 switched permutations, 347
brute-force attacks, 63 COBRA-H64, 335–343
bytes cryptographic strength of, 372
designating for fast software ciphers, 92 differential cryptanalysis (DC) of, 362–367
encryption of current, 113 fixed permutations, 342
general encryption scheme, 336–338
C nonlinear G function, 342–343
CBO (controlled binary operations), 35 overview of, 335–336
CBOs (controlled binary operations), 35 round keys schedule, 338–340
CEs, see controlled elements (CEs) switched permutations, 341–342
Chaum blind signature, 47–48 variable permutations, 340–341
checksumming algorithms, 15 coding, 52–53
chosen ciphertext cryptanalysis, 11 coin tossing, computerized, 17–18
chosen plaintext cryptanalysis, 10–11 combinational-probabilistic model (CPM)
chosen text attacks, 52 estimating cipher security, 279
CIKS-1, 360–361 overview of, 90–91
CIKS-128, 238–248 testing strength of SPECTR-F, 107–111, 121–124
control vector E, extending, 244–245 command area errors, hardware faults, 313
Crypt procedure, 240–242 “Communication Theory of Secrecy Systems” (Shannon),
F function procedures, 239 8
FT (final transformation), 239–240 completeness criteria, block ciphers, 272, 274
general encryption scheme, 238–239 compression
IT (initial transformation), 239–240 pre-compression and risk of attack, 52
nonlinear G function, 243–244 secret data archives and, 65
overview of, 238 computationally complex (hard-to-solve) problems, 17
round keys, schedule for using, 245–-247 computationally secure cryptosystems
scheme universality, 247–248 developing using diffusion and confusion, 27
vector Boolean function G, 243 overview of, 25
ciphering, 7 computationally unfeasible solutions, 24–25
ciphering round, 31 computerized coin tossing, 17–18
cipher round, see rounds (r), of transformations computerized secret voting systems
ciphers; see also algorithms; by individual types blind signatures used in, 47–48
comparing cryptographic strength of, 372 defined, 17–18
Index 379

computer systems (CSs) controlled permutation blocks (CPBs)


disk encryption algorithms, 101–106 constructing different orders of, 127
evaluating cryptographic strength, 106–111 DDP-64, 129–130
information protection in, 1–6 defined, 37
SPECTR-F cryptosystem for, see SPECTR-F designing inverse, 127–129
SPECTR-Z cryptosystem for, see SPECTR-Z differential characteristics of, 280–286
unauthorized access protection, 58–63 passing differences through, 282–286
concatenation operation (||), 92 structure of, 126–127
conditionally complex computations, 24 controlled permutations (CPs), 248–272; see also con-
conditionally secure ciphers, 24–25 trolled substitution-permutation networks (CSPNs)
confusion CIKS-128, 240
computationally secure cryptosystems using, 27 COBRA-F64a/COBRA-F64b, 260–265
product ciphers, 29 COBRA-H128, 345
software ciphers, 77 DDP32 (Data Dependent Permutation 32 bit),
controlled binary operations (CBO), 35 248–251
controlled bit permutation operations, 248 DDP-S64/DDP-S128, see DDP-S(64/128)
controlled elements (CEs) differential cryptanalysis (DC) and, 281–282
elementary controlled involutions, 138–146 executing data-dependent bitwise permutations,
full classification of nonlinear, 146–153 164–169
migrating to F2/2 type, 164–169 fixed commutators, 242
controlled involutions, 138–146, 332–333 one-layer box of, 242
controlled operational substitutions (COSs), 153–164 overview of, 35–36, 248
CIKS-128, 243 SPECTR-128, 231
evaluating complexity of circuit design when imple- SPECTR-H64, 220
menting, 163–164 SPECTR-SZ software cipher, see SPECTR-SZ
overview of, 34–36 controlled permutations networks (CPNs)
principles of building, 153–156 defined, 125
probabilistic characteristics of, 156–163 executing variable permutations, 126
SPECTR-128, 233 controlled substitution-permutation networks (CSPNs)
SPECTR-H64, 222 building of different orders, 171–178
controlled operations, 32–37 extended switch operations, 210–215
advantages of, 36 hardware implementation of switched, 203–206
characteristics of, 32 implementing switched controlled operations based
controlled operational substitutions, 34–36 on, 188
controlled permutations and controlled binary opera- recursive procedure in building, 189–196
tions, 35–36 splitting into pairs of mutually inverse modifications,
cryptographic strength of ciphers built on, 349–351 179–181
designing fast ciphers based on, 276 switched, 177–179
elementary controlled involutions, 138–146 switched, on basis of different orders, 201–203
general substitution operations in, 32–33 switched, on the basis of F2/1 elements, 207–208
RC5 and, 33 switched, on the basis of F2/2 elements, 209–210
table substitutions in, 34 switched, proof of, 181–184
trapdoor attacks and, 69 symmetric, 177–179, 196–200
controlled operations, switched, 171–216 control vectors
for block ciphers with simple key use schedule, CIKS-128, 244–245
184–187 mechanisms for coordinating, 326–330
building CSPNs of different orders with, 171–184 SPECTR-128, 234–236
COBRA-H64, 336 SPECTR-H64, 225–226
concept of, 187–189 COSs, see controlled operational substitutions (COSs)
extension of switching property in, 210–214 CPBs, see controlled permutation blocks (CPBs)
hardware implementation of, 203–206 CPM, see combinational-probabilistic model (CPM)
splitting into pairs of mutually inverse modifications, CPNs (controlled permutations networks)
189–196 defined, 125
summary of, 214–215 executing variable permutations, 126
switched CSPNs of different orders, 201–203 CPs, see controlled permutations (CPs)
switched CSPNs with controlled elements including cryptanalysis
pairs of mutually inverse modifications, 206–210 adapted text, 11
symmetric topological structures and, 196–201 chosen ciphertext, 11
380 Index

chosen plaintext, 10–11 protection against forgery, 18–19


cipher testing, 63–64 standardization of, 66–68
defined, 2, 8 stenography vs., 70
frequency, 28–29 two-key, see two-key cryptosystems
keyless reading method for, 82 cryptography applications, 12–19
known ciphertext, 10 computerized coin tossing, 17–18
known plaintext, 10 computerized secret voting systems, 17
on non-deterministic or flexible ciphers, 11–12 digital cash, 17
secrecy of encryption algorithm and, 75 digital signatures, 16–17
security of ciphers with pseudo-random key selection, information authentication, 16
88 information integrity control, 14–15
strength of SPECTR-Z algorithm, 106–111 overview of, 12
cryptanalysis, based on controlled operations, 276–321 protection against creating false messages, 12–13
  attacks based on hardware errors, 312–314
  COBRA-F64a/COBRA-F64b, 307–312
  DDP-S128, 306–307
  DDP-S64, 303–306
  differential characteristics of CPBs, 280–286
  flexible ciphers, 276–280, 316–319
  GOST 28147-89 algorithm, 319
  pseudorandom subkey selection, 319–320
  RC5 cipher, 314–316
  SPECTR-128, 293–303
  SPECTR-H64, 286–293
Crypt/Decrypt procedures
  CIKS-128, 240–242
  COBRA-F64a/COBRA-F64b, 263
  COBRA-H128, 343–344
  DDP-64, 132
  DDP-S(64/128), 266–268, 270
  SPECTR-128, 230–232
  SPECTR-F, 118
  SPECTR-H64, 220–222, 323–324
  SPECTR-SZ, 255–257, 258
  SPECTR-Z, 102–106
cryptochips
  defined, 3
  general scheme of transformations, 96–98
cryptogram, 6–7
cryptographic attacks, see attacks
cryptographic protocols
  blind signatures used in, 47–48
  digital signature attacks on violations of, 49–50
  digital signatures as, 41
  two-key cryptosystems using, 39–41
cryptographic transformations, see transformation operations
cryptography
  built-in trapdoor issues, 68–70
  classical method of, 6–7
  computer information protection, 1–6
  definition of, 6
  enciphering and archiving, 64–65
  encrypting and coding, 65–66
  encryption algorithms, 58–63
  information protection technology, 19–22
  key length and security, 63–64
  one-key, see one-key cryptography
  probabilistic ciphers, see probabilistic ciphers
  protection against document forgery, 18–19
  valid user authentication, 13–14
Cryptography: Fast Ciphers (Moldovyan, Moldovyan, Goots, Izotov), 354–356
cryptography issues, 7–12
  beginnings of scientific period, 8
  cipher security rule, 9
  pre-scientific period, 7–8
  testing new cryptosystems, 9–11
cryptology, 2
CSs (computer systems), see computer systems (CSs)

D

data area errors, hardware faults during encryption, 313
data bits, probabilistic mix of random bits, 52–56
Data Dependent Permutation 32 bit, see DDP32 (Data Dependent Permutation 32 bit)
data-dependent permutations, 362
data-dependent subkey sampling
  defined, 77
  fast software ciphers based on, 93–94
data protection tools (DPTs), 59–63
DDP32 (Data Dependent Permutation 32 bit)
  COBRA-F64a/COBRA-F64b, 263–265
  description of hypothetical DDP32 command, 248–251
  SPECTR-SZ, 251–252
  speed parameters and cryptographic security, 259–260
DDP-64
  attack vulnerabilities, 357
  as block cipher based on variable permutations, 130
  cryptographic strength of, 351–352
  general scheme of, 130–133
  hardware implementation, 358–361
  key schedule and specification of value of Bit E', 134–135
  overview of, 129
  structure of block F, 136–137
  switched permutations, 134–136
  transpositions of subkeys, 134–135
DDP-S(64/128), 265–272
  128-bit version, 268–272
  64-bit version, 266–268
  analysis of DDP-S128, 306–307
  analysis of DDP-S64, 303–306
  general encryption scheme, 265–266

Index 381
  overview of, 265
  round keys schedule, 261–263
  security of DDP-S128, 272
  security of DDP-S64, 268
DDSS-1 cipher, 316–319
deciphering, 30
decrypt, see Crypt/Decrypt procedures
decryption mini-algorithm, 114–115
degree of completeness, block ciphers, 272, 274
design issues
  ciphers, 25–27
  inverse CPBs, 127–129
DES standard, 66–67
differential cryptanalysis (DC)
  applying to Markovian cryptoalgorithms, 350
  COBRA-H128, 367–371
  controlled permutations (CP) operation and, 281–282
  DDP-64, 352
  influence of incoming text bits on transformed text, 273–274
  overview of, 11, 280–281
  probabilistic mix of random and data bits, 52–56
  RC5, 33
  SPECTR-Z, 106
Diffie-Hellman
  invention of two-key cryptography, 2–4
  key length and security, 64
  method of public key distribution, 38
  “New Directions in Cryptography”, 8
  trapdoor one-way function design, 37
diffusion
  building product ciphers for, 29
  computationally secure cryptosystems using, 27
  for software ciphers, 77
digital cash, 17, 47–48
digital signatures
  Chaum blind signature, 47–48
  El Gamal digital signature, 45–47
  modern applications of, 16–18
  overview of, 41–42
  RSA cryptosystem of, 42–45
  types of attacks on, 48–50
discrete exponentiation, 38
discrete Fourier transform, 223
document validation, 18–19
DPTs (data protection tools), 59–63

E

E (extension block) procedure
  DDP-64, 131
  SPECTR-128, 234–236, 300
  SPECTR-H64, 226
e-code book, 277
El Gamal digital signature, 45–47, 64
El Gamal public cipher, 57–58
enciphering, 52–53
encrypt, see Crypt/Decrypt procedures
Encrypt_512 procedure, SPECTR-F, 118
encryption keys
  cipher design and length of, 26–27
  designing one-key cryptosystems using algebraic operations, 32
  extended, see extended (working key) keys
  private, see private keys
  round, see round keys
  secret, see secret keys
encryption rounds, see rounds (r), of transformations
encryption scheme
  CIKS-128, 238–239
  COBRA-F64a/COBRA-F64b, 260–261
  COBRA-H64, 336–338
  DDP-S(64/128), 265–266
  SPECTR-128, 229
  SPECTR-H64, 218
Encrypt procedure, SPECTR-SZ, 255–257
entropy of key [H(K)], 25
extended (working key) keys
  DDP-S(64/128), 266
  generating, 79–81
  SPECTR-128, 229
  SPECTR-H64, 227
  SPECTR-SZ, 254
  testing new cryptosystems based on, 11
extension block procedure, see E (extension block) procedure
external adversaries, 41
external attacks, 41
external threats, 21

F

-f (modulo 2^f subtraction), 92
F2/1 elements, 153–156
  building ciphers based on substitution-permutation networks, 183–184
  building controlled substitutions using, 153–156
  full classification of, 146–153
  switched CSPNs on the basis of, 207–208
F2/2 elements
  building ciphers based on substitution-permutation networks, 183–184
  criteria for building, 166–167
  migrating of controlled elements to, 164–166
  switched CSPNs on the basis of, 209–210
  visual design of, 167–169
F3/1 elements, 183
F3/2 elements, 183
F3/3 elements, 183
F4/1 elements, 183
F4/2 elements, 183
fast ciphers, based on controlled operations
  CIKS-128, see CIKS-128
  design principles, 276
  SPECTR-128, see SPECTR-128
  SPECTR-H64, see SPECTR-H64
fast ciphers, based on controlled permutations
  COBRA-F64a/COBRA-F64b, see COBRA-F64a/COBRA-F64b
  DDP-S(64/128), see DDP-S(64/128)
  SPECTR-SZ, see SPECTR-SZ
fast ciphers, with simple key schedule, 320–372
  ciphers using two similar G operations, 324–326
  COBRA-H128, see COBRA-H128
  COBRA-H64, see COBRA-H64
  combining transformation of subgroups with high parallelism level, 330–335
  mechanisms for coordinating control vectors, 326–330
  overview of, 320–321
  variants of ciphers based on variable permutations, 321–324
Feistel networks, 347
Feistel’s cryptoscheme, 31
F function (encryption algorithm), 239
  COBRA-F64a/COBRA-F64b, 263
  DDP-64, 136–137
  DDP-S(64/128), 266
  SPECTR-128, 230
  SPECTR-H64, 218–219
file encryption key, 111–113
fixed permutations, COBRA-H128, 346–347
fixed permutations, COBRA-H64, 342
fixed procedures, creating flexible software ciphers with permutations of, 84
flexible (nondeterministic) software ciphers, 81–89
  analysis of, 316–319
  building with flexible input, see SPECTR-F
  creating pseudo-probabilistic, 86–88
  creating with multipass cryptoschemes, 84–85
  creating with permutations of fixed procedures, 84
  creating with transformation operations, 85–86
  defining, 78–79
  design principles, 81–84
  estimating security of, 278
  with provable nonequivalence of modifications, 88–89
  testing, 11
foreign systems, software protection tools, 5–6
forgery, protection against document, 18–19
Form_Q procedure, SPECTR-Z, 98–101
FormKey procedure, SPECTR-SZ, 255
Fourier transform, 223
FPGA, 359
frequency cryptanalysis
  block ciphers and, 28–29
  defined, 277
F round function
  DDP-64 cryptosystem using, 130, 132
  Feistel’s cryptoscheme, 31, 129
FT (final transformation)
  CIKS-128, 239–240
  DDP-S(64/128), 266, 269
  SPECTR-128, 236
  SPECTR-H64, 226–227
functional key components, flexible ciphers, 82–83

G

generator functions prototype, 233, 243
G function; see also nonlinear G function
  CIKS-128, 240, 243–244
  ciphers using two similar G operations, 324–326
  SPECTR-128, 233–234
  SPECTR-H64, 223–225
GOST block cipher, 11, 319
GOST Russian standard, 66
government regulations, enciphering algorithms, 3–5

H

Hamming weight
  of avalanche vectors, 273
  probabilistic characteristics of COSs, 156–163
handshake protocols, 14
hard computations, 24
hardware
  attacks generating random errors in, 106–107
  cryptographic protection tools, 58–63
  implementation, 358–361
  Russian encryption methods for, 67
hardware ciphers, 3
hardware errors
  attacks based on, 312–314
  GOST 28147-89 and, 319
  RC5 and, 314–316
  round transformation function and, 320
“Hardware Evaluation of the AES Finalists” (Kasuya, Ichikawa, and Matsui), 358–359
hash functions, 15
hashing algorithm, 46–47
hexadecimal constants, 92, 253
H(K) (entropy of key), 25
homophonic ciphers, 50–51
hybrid cryptosystems, 44

I

infinite key, 25–26
infinite keystream ciphers, 24
information authentication, 16
information integrity control, 14–15
information protection
  computer systems, 2
  technology, 19–22
information redundancy, 8
initialization module
  software ciphers, 79–81
  SPECTR-SZ, 253
initializing algorithm, 7
input bits, to output bits, block ciphers, 272
integrity attacks, digital signatures, 49–50
integrity control
  message integrity checks, 14–16
  message integrity detection code, 12–13
internal adversaries, 41
internal attacks, 41
internal threats, 21
inverse controlled permutation blocks, 127–129
involutions, controlled, 138–146, 332–333
IT (initial transformation)
  CIKS-128, 239–240
  DDP-S(64/128), 266, 269
  SPECTR-128, 230
  SPECTR-H64, 219–220
iterated ciphers, 30–31

K

Kerckhoffs (the cryptographer), 9
key length, and security, 63–64
keyless reading method, of cryptanalysis, 82
known ciphertext cryptanalysis, 10
known plaintext cryptanalysis, 10

L

LCA, see linear cryptanalysis (LCA)
linear cryptanalysis (LCA)
  overview of, 11
  probabilistic mix of random and data bits, 52–56
  RC5, 33
  SPECTR-Z, 106
linear transformations
  designing secure block ciphers, 29
  G function and, 224–225
login, password protection at, 13–14
loops, see rounds (r), of transformations

M

Markovian cryptoalgorithms, 350
MDC (modification detecting code), 15
message integrity checks
  as component of information integrity control, 14–15
  information authentication and, 16
  overview of, 12–13
message integrity detection code, 12–13
mini-algorithm, decryption, 114–115
mobile telephony, use of cryptochips in, 3
modification detecting code (MDC), 15
Monte Carlo method, 273
multipass cryptoschemes, 84–85
multiplication, bitwise logical multiplication (⊗), 92

N

New American Standard, for block encryption, 274
“New Directions in Cryptography” (Diffie and Hellman), 8
nondeterministic software ciphers, see flexible (nondeterministic) software ciphers
nonlinear G function
  CIKS-128, 243–244
  COBRA-H128, 346–347
  COBRA-H64, 342–343
  SPECTR-128, 231, 233–234
  SPECTR-H64, 220, 223–225

O

one-key cryptography, 22–37
  cipher design issues, 25–27
  conditional and unconditional security, 22–25
  controlled operations, 32–37
  emergence of, 8
  hybrid cryptosystems, 44
  product and iterated block ciphers, 27–31
one-time tape ciphers, 24
one-way function, password protection, 13
output bits, to input bits, block ciphers, 272

P

P2/1 permutation element
  designing inverse CPBs, 127–129
  elementary controlled involutions, 138–146
  structure of CPB, 126
parallelism, combining transformation of subgroups with high parallelism level, 330–335
parametric key components, 82–83
passive adversaries, 41
passwords
  keys vs., 64
  user authentication at login, 13–14
Patras University, 360
perfect nonlinear function, Boolean functions (BFs), 223
permutations (transpositions)
  controlled operations, see controlled permutations (CPs)
  CSPNs, see controlled substitution-permutation networks (CSPNs)
  designing one-key cryptosystems using, 32
  of fixed procedures, 84
  substitution-permutation networks, see substitution-permutation networks
  variable, switched, and fixed in COBRA-H64, 340–342
  variants of ciphers based on variable permutations, 321–324
pipelined architecture, implementation, 360
plaintext
  chosen plaintext cryptanalysis, 10–11, 52
  cryptographic methods, 6–7
  influence of incoming text bits on transformed text, 273–274
  known plaintext cryptanalysis, 10
  pre-compression and risk of attack, 52
precomputations
  flexible ciphers, 81–82
  generating extended encryption keys, 79–81
  in nondeterministic cryptosystems, 75–76
  software cipher scheme, 97–98
  SPECTR-F, 116
  SPECTR-Z, 98–101
  transformation of boot sector data, 113–114
privacy regulations, 3–4
private-key cryptography, see one-key cryptography
private keys
  cryptographic protection against forgery, 18–19
  El Gamal digital signature, 45–47
  key length and security, 64
  in RSA cryptosystem, 43–45
  in two-key cryptosystems, 16–17
probabilistic ciphers, 50–58
  avoiding attacks based on trapdoors, 69–70
  data compression and, 52
  El Gamal, 57–58
  homophonic, 50–51
  mechanisms in two-key ciphers, 56–57
  probabilistic mix of data and random bits, 52–56
  simple probabilistic mechanism, 51–52
probabilities
  COBRA-F64a/COBRA-F64b analysis, 309–311
  COBRA-H128 analysis, 367–371
  COBRA-H64 analysis, 362–367
  of COSs, 156–163
  DDP-64, 354–356
  passing differences through CPBs, 282–286
  SPECTR-128 analysis, 294–303
  SPECTR-H64 analysis, 287–293
product ciphers, 29–30
protection scheme, security administrator setting up, 62
protocols, cryptographic, 39–41
pseudo-probabilistic nondeterministic ciphers, 86–88
pseudo-random subkey selection
  designing software ciphers using, 77
  pseudo-probabilistic nondeterministic ciphers using, 86–88
  security of, 319–320
pseudo-random transformations
  creating flexible software ciphers with, 85–86
  defined, 74
public ciphering, 16
public ciphers, 16
public-key cryptosystems, 16; see also two-key cryptosystems
public keys
  distribution system, 37–39
  El Gamal digital signature, 45–47
  RSA cryptosystem, 44–45

Q

quantum cryptography, 8

R

R2/1 type, CEs
  characteristics of, 147–149
  circuit representation of, 150–151
random bits, 52–56
random number generator (RNG), 53
random number k, El Gamal digital signature, 46–47
RC5
  analysis of, 314–316
  hardware errors and, 314–316
  security against linear and differential cryptanalysis, 33
redundancy of the language (D), 25
regulations, on enciphering algorithms, 3–4
research, cryptographic, 4
resident module, SPECTR-SZ, 255
Rivest, R., 42–45
RNG (random number generator), 53
rotation operation “>>>”
  CIKS-128, 240
  SPECTR-128, 231
  SPECTR-H64, 220
round ciphering function, 31
round keys
  CIKS-128, 245–247
  COBRA-F64a/COBRA-F64b, 261–263
  COBRA-H128, 344
  COBRA-H64, 338–340
  DDP-S(64/128), 261–263, 271
  defined, 31
  SPECTR-128, 236–238
  SPECTR-H64, 227–229
rounds (r), of transformations
  COBRA-F64a/COBRA-F64b, 263
  DDP-S(64/128), 266, 269
  defined, 31
  fixed permutations and, 327
  hardware errors and, 320
  SPECTR-F, 117–120
  SPECTR-SZ, 257–258
  two identical G operations, 329
RSA cryptosystem
  key length and security, 64
  overview of, 42–45
Russia
  GOST standard, 319
  software protection tools, 5
  standardization of encryption algorithms, 66–67
RysCrypto association, 67

S

S2/1 type, CEs
  characteristics of, 147–149
  circuit representation of, 150–151
SAFER cipher, 33
scheme universality, CIKS-128, 247–248
secrecy
  cipher design issues, 26
  of encryption algorithms, 75
secret-key cryptography, see one-key cryptography
secret keys
  COBRA-H64, 336
  in cryptanalysis, 277
  flexible (nondeterministic) software ciphers based on, 11, 78–79
  modern cryptosystems based on, 7
  SPECTR-H64, 322
  steganography making use of, 70
  working key vs., 11
security
  absolute, 7
  based on pseudorandom subkey selection, 319–320
  cipher security rule, 9
  COBRA-F64a/COBRA-F64b, 263–265, 307–312
  DDP-S(64/128), 268, 272
  estimating cipher security, 277–278
  GOST, 319
  information protection technology system, 19–22
  SPECTR-128, 300–303
  SPECTR-SZ, 258–260
security administrators, 62
SG-128, 372
Shamir, A., 42–45
Shannon, C. E., 8, 22–23, 25
signing procedure, in RSA cryptosystem, 44
simple key use schedule, 184–187
single-key cryptography, see one-key cryptography
slide attacks, 214–215
software ciphers
  combinational-probabilistic model (CPM), 90–91
  computer systems, see computer systems (CSs)
  defined, 76
  designing with pseudo-random subkey selection, 77
  design principles, 76–79
  fast, 92
  flexible, see flexible (nondeterministic) software ciphers
  initializing, 79–81
  secrecy and strength of algorithms, 73–76
  SPECTR-F, see SPECTR-F
  SPECTR-SZ, see SPECTR-SZ
  using subkey sampling depending on data, 93–94
software cryptographic protection tools, 3, 58–63
SPECTR-128, 229–238
  analysis of, 293–303
  CIKS-128 compared with, 238
  Crypt procedure, 230–232
  extending control vector E, 234–236
  F function procedures, 230
  FT (final transformation), 236
  general encryption scheme, 229
  IT (initial transformation), 230
  nonlinear G function, 233–234
  round key schedule, 236–238
  security of, 300–303
  vector Boolean function G, 233
SPECTR-F, 115–124
  decryption procedure in reduced rounds, 118
  Encrypt_512 procedure, 118
  oriented toward software implementation, 120–121
  overview of, 115–116
  precomputations, 116
  rounds (r), 117–120
  strength of, 121–124
  transformation algorithms, 117
SPECTR-H64, 217–229
  analysis of, 286–293
  control vector E, extending, 225–226
  Crypt procedure, 220–222
  DDP-64 compared with, 352
  F function procedures, 218–219
  FT (final transformation), 226–227
  general encryption scheme, 218
  hardware implementation, 360–361
  IT (initial transformation), 219–220
  key requirements, 322
  nonlinear G function, 223–225
  overview of, 217
  round key schedule, 227–229
  vector Boolean function G, 222–223
SPECTR-SZ, 251–260
  cipher structure, 253–254
  decrypt procedure, 258
  designations and input data for, 252–253
  Encrypt procedure, 255–257
  extended key generation procedure, 254
  FormKey procedure, 255
  overview of, 251–252
  rounds (r), 257–258
  speed parameters and cryptographic security, 258–260
  Table_H procedure, 254–255
SPECTR-Z
  criteria of definition, 95–96
  disk encryption algorithms, 101–106
  evaluating strength of, 106–111
  file encryption in, 111–113
  general scheme of transformations, 96–98
  overview of, 94–95
  precomputations, 98–101
  SPECTR-F based on, 115
  transformation of boot sector data, 113–115
speed of encryption
  COBRA-F64a/COBRA-F64b, 263–265
  one-key vs. two-key cryptography, 44
  SPECTR-SZ, 258–260
splitting, switched controlled operations, 189–196
standardization, of encryption algorithms, 66
statistical properties, block ciphers, 272–276
  “avalanche effect”, estimating, 272–273
  influence of incoming text bits on transformed text, 273–274
  influence of key bits on transformed text, 274–276
steganography, 70
stream ciphers, 8, 66
subkey sampling, see data-dependent subkey sampling
substitution operations; see also controlled operational substitutions (COSs)
  avoiding attacks based on trapdoors, 69
  block ciphers and, 73–74, 78, 277
  building product ciphers based on, 29–30
  controlled operational, 34–36
  defined, 77
  implementing one-key cryptosystems using, 32–34
substitution-permutation networks, 125–169
  block cipher based on variable permutations, 130–137
  combined with Feistel networks, 347
  controlled bit permutations, 125–129
  COS based on F2/1 elements, 153–164
  elementary controlled involutions, 138–146
  full classification of F2/1 elements, 146–153
  variants for selection of F2/2 elements, 164–169
switched controlled operations, see controlled operations, switched
switched CSPNs, 209–210
  on the basis of F2/1 elements, 207–208
  on the basis of F2/2 elements, 209–210
  defined, 177–179
  of different orders, 201–203
  hardware implementation of, 203–206
switched permutations
  analysis of cryptographic strength of ciphers built on, 349–351
  COBRA-H128, 347
  COBRA-H64, 341–342
symmetric CSPNs, 177–179, 192
symmetric topological structure, CSPNs, 196–200

T

Table_H procedure, SPECTR-SZ, 254–255
table substitutions, 34–35
templates, transformation operation, 85
testing
  attacks based on known secret keys, 11
  ciphers, 63–64
  cryptosystems, 9–11
  non-deterministic or flexible ciphers, 11
three-round characteristic, COBRA-F64a, 308
transformation operations; see also word transformation
  combining transformation of subgroups with high parallelism level, 330–335
  confusion and diffusion as, 27
  creating flexible software ciphers with, 85–86
  DDP-64, 132
  designing secure block ciphers, 29
  ensuring strong encryption with, 73
  final, see FT (final transformation)
  initial, see IT (initial transformation)
  overview of, 19
  properties of, 224–225
  simple key schedule for block ciphers, 185–186
  SPECTR-Z cipher, 96–98
  terminology for fast software ciphers, 92
  transparent cryptographic, 61
transparent cryptographic transformation, 61
transparent encryption, 61
transparent protection method, 60–61
transpositions (permutations), see permutations (transpositions)
trapdoor encryption algorithms, 6
trapdoor one-way function, 37–38
trapdoors, 68–70
TV, use of cryptochips in commercial, 3
two-key cryptosystems, 37–50
  basic problems in, 39
  Chaum blind signature, 47–48
  cryptographic protocols, 39–41
  digital signature attacks, 48–50
  digital signatures, 41–42
  El Gamal digital signature, 45–47
  hybrid cryptosystems, 44
  key length and security, 64
  public key distribution system, 37–39
  RSA cryptosystem, 42–45
two-key cryptosystems, applications
  computerized secret voting systems, 17–18
  emergence of, 2–4, 8
  overview of, 16–17
  protection against forgery, 18–19
two-round characteristic
  COBRA-F64b, 308
  COBRA-H64, 365
  DDP-S128, 306
  DDP-S64, 305

U

unauthorized access (UA), 58–63
unconditionally secure ciphers, 23–24
unicity distance
  conditionally secure ciphers and, 24
  defined, 8
  Shannon’s model for estimating, 25
United States standards, of encryption, 66–68
USA National Institute of Standards and Technologies, 274
user authentication
  as modern application of cryptography, 13–14
  setting up protection scheme, 62–63
  transparent encryption and, 61

V

variable permutations
  COBRA-H128, 345
  COBRA-H64, 340–341
  problems solved with, 351
  variants of ciphers based on, 321–324
vector Boolean function G
  CIKS-128, 240, 243
  SPECTR-128, 233
  SPECTR-H64, 220, 222–223
vectors (V), control
  extension procedure for CIKS-128, 240
  extension procedure for SPECTR-128, 234–236
  extension procedure for SPECTR-H64, 225–226
verification procedure, in RSA cryptosystem, 44
voting systems, computerized secret, 17–18, 47–48

W

W↔V, 92
Walsh-Hadamard transformation (WHT), 223–224, 234
word transformation, 101, 107–111
work factor W(n), 25

X

Xilinx Virtex, 359

Z

Z2/1 type, CEs, 151–152