
Telecommun Syst (2010) 44: 267–279
DOI 10.1007/s11235-009-9264-8

Security analysis of pure DDP-based cipher proper for multimedia and ubiquitous device

Changhoon Lee · Sangjin Lee · Jong Hyuk Park · Sajid Hussain · Jun Hwan Song

Published online: 28 January 2010
© Springer Science+Business Media, LLC 2010

Abstract DDP-64, based on various controlled operations, is a 64-bit Feistel-like block cipher consisting of 10 rounds with a 128-bit key. It was designed to have a high security level and high-speed performance in hardware on ubiquitous computing systems and multimedia devices. In this paper, however, we show that DDP-64 does not have a high security level; more precisely, we show that it is vulnerable to a related-key differential attack. This attack, which is much faster than exhaustive key search, requires about $2^{54}$ data and $2^{54}$ time complexities. This work is the first known cryptanalytic result on DDP-64 so far.

This work is supported by a Korea University Grant.

C. Lee
School of Computer Engineering, Hanshin University, 411, Yangsan-dong, Osan-si, Gyeonggi-do, Korea
e-mail: [email protected]

S. Lee (corresponding author)
Center for Information Security Technologies (CIST), Korea University, Anam-dong, Sungbuk-gu, Seoul, Korea
e-mail: [email protected]

J.H. Park
Department of Computer Science and Engineering, Seoul National University of Technology, 172 Gongreung 2-dong, Nowon-gu, Seoul, 139-742, Korea
e-mail: [email protected]

S. Hussain
Jodrey School of Computer Science, Acadia University, Wolfville, Nova Scotia, Canada
e-mail: [email protected]

J.H. Song
Department of Mathematics, Hanyang University, Seoul, Korea
e-mail: [email protected]

Keywords Ubiquitous · Block cipher · DDP-64 · Data-dependent permutation · Related-key attack · Differential cryptanalysis

1 Introduction

Security and privacy are primary requirements and important issues that have attracted the research community's interest in recent years in the fields of multimedia, ubiquitous computing systems, sensor networks, and wireless and mobile communications. As the most common method for providing these requirements, we often use encryption algorithms with high performance. However, the above applications require low-power devices and fast computation components, which imply that the number and complexity of the encryption operations should be kept as small as possible. Some of them also need a small amount of text to be encrypted with a key which is frequently changed.

To attain these goals, data-dependent permutations (DDPs), which can be easily embedded in microcontrollers and general purpose CPUs, have been introduced as one of the cryptographic primitives. According to recently published results on them and their applications, they are well suited to designing fast ciphers oriented to a cheap hardware implementation. Indeed, several DDP-based ciphers have been proposed for a fast hardware implementation with a low cost, such as CIKS-1 [18], CIKS-128 [4], SPECTR-H64 [3], Cobra-S128 [5], Cobra-H64 [24], Cobra-H128 [24], DDP-64 [19], and so on. They are also suitable for the applications of many networks requiring high-speed encryption because they use very simple key schedules in order to have no time-consuming key preprocessing. However, since DDPs are just a linear primitive and conserve the weights of transformed bit strings, the DDP-based ciphers have potential weaknesses against cryptanalytic attacks [12–15]. However, there have been no known cryptanalytic results on the DDP-based cipher DDP-64 yet.

Table 1 Results of our related-key differential attacks on the full-round DDP-64 and of existing related-key differential attacks on full rounds of selected DDP-based ciphers

| Block Cipher | Complexity Data/Time | Number of Rec. Key Bits | Comment |
|---|---|---|---|
| DDP-64 | $2^{54}$ RK-CP / $2^{54}$ | 22 | This paper |
| DDP-64 | $2^{54}$ RK-CP / $2^{106}$ | 128 (full) | This paper |
| Cobra-H64 (10 rounds) | $2^{15.5}$ RK-CP / $2^{15.5}$ | 23 | [16] |
| Cobra-H64 (10 rounds) | $2^{15.5}$ RK-CP / $2^{105}$ | 128 (full) | [16] |
| Cobra-H128 (12 rounds) | $2^{44}$ RK-CP / $2^{44}$ | 63 | [16] |
| Cobra-H128 (12 rounds) | $2^{44}$ RK-CP / $2^{193}$ | 256 (full) | [16] |

RK-CP: Related-Key Chosen Plaintexts, Time: Encryption units

In this paper, we evaluate the security of DDP-64.¹ In particular, we show that related-key differential techniques can be used to devise a key recovery attack on DDP-64, which is the first known cryptanalytic result on DDP-64 so far. To begin with, we introduce the structural properties of the controlled permutations used in the round functions of DDP-64, which allow us to build full-round related-key differential characteristics with high probabilities. We then present a related-key differential attack on the full-round DDP-64. This attack recovers 22 bits of the key with about $2^{54}$ data and $2^{54}$ time complexities. By exhaustive search over the remaining key bits, our attack is converted into a full-key recovery attack with a data complexity of $2^{54}$ related-key chosen plaintexts and a time complexity of $2^{106}$. These are the first known cryptanalytic results on DDP-64 so far. Table 1 summarizes our results and existing cryptanalytic results on selected DDP-based ciphers.

It seems that the related-key attack is difficult or even infeasible to conduct in many cryptographic applications, since it would certainly be unlikely that an attacker could persuade a sender to encrypt plaintexts under related keys unknown to the attacker. However, as demonstrated in [7, 25, 26], the related-key attack is feasible in some current real-world applications such as the IBM 4758 cryptoprocessor, PGV-type hash functions, message authentication codes, recent authenticated encryption modes, key-exchange protocols that do not guarantee key integrity, and key-update protocols that update session keys using a known function. For instance, the related-key attack models proposed to analyze the randomized message authentication code RMAC [26] and the IBM 4758's EDEx mode of operation [25] exist in real applications.

¹ Since the DDP-based ciphers which are known to have been analyzed have structures different from the DDP-64 cipher, the existing attacks on them do not directly apply to the DDP-64 cipher.

This paper is organized as follows. In Sect. 2, we briefly describe the DDP-boxes used in DDP-64. Section 3 describes DDP-64 and its structural properties. In Sect. 4, we present our related-key differential attack on DDP-64. Finally, we conclude in Appendix A.

2 Preliminaries

In this section, we introduce some notation and the controlled operations which are the components of DDP-64. The following notation is used throughout the paper. Bit indices are numbered from left to right, starting with bit 1. If $P = (p_1, p_2, \ldots, p_n)$ then $p_1$ is the most significant bit and $p_n$ is the least significant bit.

• $e_{i,j}$: a binary string in which the i-th and j-th bits are one and the others are zero, e.g., $e_{1,3} = (1,0,1,\ldots,0)$.
• $\oplus$: bitwise XOR operation
• $\lll$ ($\ggg$): left (right) cyclic rotation
• $\Pr^{(\Psi)}(\Delta Y/\Delta X, \Delta V)$: the probability that the output difference of $\Psi$ is $\Delta Y$ when the input difference and the controlling input difference of $\Psi$ are $\Delta X$ and $\Delta V$, respectively.

2.1 Controlled elements

The DDPs can be performed with controlled permutation (CP) boxes, which are defined as follows.

Definition 1 (CP-box) Let $C(X,V)$ be a function $C : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}^n$. $C$ is called a CP-box if $C(X,V)$ is a bijection for any fixed $V$.

To begin with, we describe linear CP-boxes, DDPs, which are denoted by $P_{n/m}$. The $P_{n/m}$ is a set of permutations on n-bit binary vectors X depending on some controlling m-bit vector V. It is constructed by using the basic switching element $P_{2/1}$ as the elementary building block performing a controlled transposition of two input bits $x_1$ and $x_2$. Here, the $P_{2/1}$-box, which is controlled by one bit v and outputs two bits $y_1$ and $y_2$, is defined as follows: $y_1 = x_{1+v}$ and $y_2 = x_{2-v}$, i.e., if $v = 1$ it swaps the two input bits, otherwise (if $v = 0$) it does not.

To execute variable permutations, the $P_{n/m}$-box is generally constructed as a superposition of operations performed on bit sets:

$$P_{n/m} = L^{V_1} \circ \pi_1 \circ L^{V_2} \circ \pi_2 \circ \cdots \circ \pi_{s-1} \circ L^{V_s}$$

where L is an active layer composed of $n/2$ parallel $P_{2/1}$ elementary boxes, $V_1, V_2, \ldots, V_s$ are the controlling vectors of the active layers from 1 to $s = 2m/n$, and $\pi_1, \pi_2, \ldots, \pi_{s-1}$ are fixed permutations (see Fig. 1). Due to the symmetric structure, $P_{n/m}$ and $P^{-1}_{n/m}$ differ only in the distribution of controlling bits over the boxes $P_{2/1}$. Thus to construct $P^{-1}_{n/m}$, it is sufficient to number the boxes $P_{2/1}$ from left to right and from bottom to top and to replace $\pi_i$ by $\pi^{-1}_{s-i}$; e.g., as shown in Fig. 2, $P^{V}_{32/96}$ and $P^{V'}_{32/96}$ are mutually inverse when $V = (V_1, V_2, \ldots, V_6)$ and $V' = (V_6, V_5, \ldots, V_1)$.

Fig. 1 (a) $P_{n/m}$, (b) $P_{2/1}$, (c) $P_{4/4}$, (d) $P^{-1}_{4/4}$, (e) $P_{8/12}$, (f) $P^{-1}_{8/12}$

Fig. 2 (a) $P_{32/96}$, (b) $P^{-1}_{32/96}$

However, they are not free from drawbacks as a cryptographic primitive. The most important drawback is that they are just linear primitives, that is, the linear combination of the output bits is equal to that of the input bits due to the nature of permutations.

3 DDP-64

In this section, we briefly describe DDP-64. It is a pure DDP-based block cipher which is designed only with data-dependent permutations, fixed permutations, and XOR operations. This cipher is composed of the initial transformation (IT), the e-dependent round function $Crypt^{(e)}$, and the final transformation (FT), and its encryption procedure is performed as in Table 2. Note that $e = 0$ (resp. $e = 1$) denotes encryption (resp. decryption).

Table 2 Encryption procedure of DDP-64

[Step 1] An input block is divided into two subblocks $P_L$ and $P_R$.
[Step 2] Perform IT: $P^1_L = P_L \oplus RK^0_L$ and $P^1_R = P_R \oplus RK^0_R$;
[Step 3] For $j = 2$ to $r$ do:
  ◦ $(P^j_L, P^j_R) := Crypt^{(e)}(P^{j-1}_L, P^{j-1}_R, RK^{j-1,(e)})$,
  ◦ Swap the data subblocks: $T = P^j_R$, $P^j_R = P^j_L$, $P^j_L = T$;
[Step 4] For $j = r + 1$ do: $(P^{r+1}_L, P^{r+1}_R) := Crypt^{(e)}(P^r_L, P^r_R, RK^{r,(e)})$;
[Step 5] Perform FT: $C_L = P^{r+1}_L \oplus RK^{r+1}_L$ and $C_R = P^{r+1}_R \oplus RK^{r+1}_R$;
[Step 6] Return the ciphertext block $C = (C_L, C_R)$.

3.1 Description of DDP-64

DDP-64 is a 10-round iterated block cipher with a 64-bit input and a 128-bit key. Its general structure and round function are shown in Fig. 4(a) and (b), respectively.

As depicted in Fig. 4(b), the $Crypt^{(e)}$ function is composed of two DDP-boxes $P_{32/96}$ and $P^{-1}_{32/96}$, two extension boxes E and E′, the e′-dependent fixed permutation $\Pi^{(e')}$, the involution permutation I, and the F-box. Given an input $L = (l_1, \ldots, l_{32})$, the extension E outputs $V = (V_1, V_2, V_3, V_4, V_5, V_6) = (L_l, L_l^{\ggg 6}, L_l^{\ggg 12}, L_r, L_r^{\ggg 6}, L_r^{\ggg 12})$ where $L_l = (l_1, \ldots, l_{16})$, $L_r = (l_{17}, \ldots, l_{32})$, $|l_i| = 1$ ($1 \le i \le 32$) and $|V_i| = 16$ ($1 \le i \le 6$). E′ forms the 80-bit output vector $W = (W_1, W_2, W_3, W_4, W_5)$ for a given input $Z' = (Z'_l, Z'_r)$, where $W_1 = Z'_l$, $W_2 = Z'^{\lll 5}_l$, $W_3 = Z'^{\lll 10}_l$, $W_4 = Z'_r$, $W_5 = Z'^{\lll 5}_r$.

The e′-dependent fixed permutation $\Pi^{(e')}$ is used to prevent homogeneity of the encryption procedure in the case of a key having the structure $K = (X,X,X,X)$. Its $\Pi^{(0)}$ is specified as follows: (1,4,7,2,5,8,3,6)(9,12,15,10,13,16,11,14)(17,20,23,18,21,24,19,22)(25,28,31,26,29,32,27,30). Thus, $\Pi^{(e' \oplus 1)}(Y) = X$ if $Y = \Pi^{(e')}(X)$.

The involution I is described with two rotations by 8 bits: $Y = I(X_1, X_2) = (X_1^{\lll 8}, X_2^{\lll 8})$ where $X_1, X_2 \in \{0,1\}^{16}$.

Lastly, as depicted in Fig. 3(a), the F-box comprises two three-layer CP boxes $P_{32/48}$ and $P^{-1}_{32/48}$ separated by the fixed permutation $\Pi'$, which is described as follows: (1,33)(2,9)(3,17)(4,25)(5)(6,13)(7,21)(8,34,29,40)(10,35)(11,18)(12,26)(14)(15,36,22,38)(16,30)(19,37)(20,27)(23)(24,31)(28,39)(32). The 80-bit controlling vector $W = (W_1, W_2, W_3, W_4, W_5)$ of the F-box is divided into the 48-bit controlling vector $(W_1, W_2, W_3)$ of the CP box $P_{32/48}$ and the 32-bit part $(W_4, W_5)$ of the controlling vector of the CP box $P^{-1}_{32/48}$. The 16-bit vector $W_6$ is formed with the extension box “Ext” using the 8 least significant bits of the output $H = (H_1, H_2, H_3, H_4, H_5)$, where $H_1, H_2, \ldots, H_5 \in \{0,1\}^8$. The output of the “Ext” box is the vector $W_6 = (H_5, H_5)$.

Fig. 3 (a) F-box and (b) $P_{32/48}$ and $P^{-1}_{32/48}$
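The extension boxes, the involution I and $\Pi^{(e')}$ above are fully specified in the text, so their difference behaviour can be checked directly. The following Python model is an added example (not code from the paper or from the DDP-64 designers): it implements E, E′, I and $\Pi^{(e')}$ as described and verifies the two propagation facts that Sect. 4.1 relies on, namely that $\Delta L = e_{32}$ gives $\Delta V = (0,0,0,e_{16},e_6,e_{12})$ and that $\Delta Z = e_{32}$ gives $\Delta W = (0,0,0,e_{16},e_{11})$. Assumed conventions (the paper does not spell them out): bit 1 is the leftmost, most significant bit, and a permutation written in cycle notation moves the bit at position i to position $\pi(i)$. All function names are the example's own.

```python
"""Bit-level model of the fixed components of Crypt^(e) from Sect. 3.1: the
extension boxes E and E', the involution I and the permutation Pi^(e').
Added example, not the paper's code. ASSUMED conventions: bit 1 is the leftmost
(most significant) bit; a cycle (a, b, ...) moves the bit at position a to b."""
import random

PI0_CYCLES = [(1, 4, 7, 2, 5, 8, 3, 6), (9, 12, 15, 10, 13, 16, 11, 14),
              (17, 20, 23, 18, 21, 24, 19, 22), (25, 28, 31, 26, 29, 32, 27, 30)]


def rotl(bits, r):
    """<<< r: left cyclic rotation of a bit list."""
    return bits[r:] + bits[:r]


def rotr(bits, r):
    """>>> r: right cyclic rotation of a bit list."""
    return bits[-r:] + bits[:-r]


def unit(n, *positions):
    """e_{i,j,...}: ones at the given 1-based positions, zeros elsewhere."""
    return [1 if p + 1 in positions else 0 for p in range(n)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def ext_E(L):
    """E: 32-bit L -> V = (L_l, L_l>>>6, L_l>>>12, L_r, L_r>>>6, L_r>>>12), six 16-bit vectors."""
    Ll, Lr = L[:16], L[16:]
    return [Ll, rotr(Ll, 6), rotr(Ll, 12), Lr, rotr(Lr, 6), rotr(Lr, 12)]


def ext_E_prime(Z):
    """E': 32-bit Z' -> W = (Z'_l, Z'_l<<<5, Z'_l<<<10, Z'_r, Z'_r<<<5), five 16-bit vectors."""
    Zl, Zr = Z[:16], Z[16:]
    return [Zl, rotl(Zl, 5), rotl(Zl, 10), Zr, rotl(Zr, 5)]


def involution_I(X):
    """I(X1, X2) = (X1<<<8, X2<<<8) on the two 16-bit halves of a 32-bit X."""
    return rotl(X[:16], 8) + rotl(X[16:], 8)


def perm_from_cycles(cycles, n):
    """Cycle notation -> dst list: dst[i-1] is the 0-based position that bit i moves to."""
    dst = list(range(n))
    for cyc in cycles:
        for a, b in zip(cyc, cyc[1:] + cyc[:1]):
            dst[a - 1] = b - 1
    return dst


def apply_perm(bits, dst):
    return [bits[dst.index(p)] for p in range(len(bits))]


def Pi(X, e_prime):
    """Pi^(e'): Pi^(0) is the fixed permutation of Sect. 3.1, Pi^(1) its inverse."""
    dst = perm_from_cycles(PI0_CYCLES, 32)
    inv = [dst.index(p) for p in range(32)]
    return apply_perm(X, dst if e_prime == 0 else inv)


def describe(vectors):
    """Render bit vectors in the paper's e_i notation, e.g. ['0', 'e_16', 'e_6,12']."""
    return ["e_" + ",".join(str(p + 1) for p, b in enumerate(v) if b) if any(v) else "0"
            for v in vectors]


def delta_V(dL):
    """Controlling-vector difference of P_32/96 caused by an input difference dL.
    E consists of copies and rotations only, so E(L ^ L') = E(L) ^ E(L')."""
    return describe(ext_E(dL))


def delta_W(dZ):
    """Controlling-vector difference of the F-box caused by a difference dZ in Z'."""
    return describe(ext_E_prime(dZ))


def components_consistent(trials=200, seed=7):
    """I is an involution, Pi^(1) undoes Pi^(0), and E, E' commute with XOR."""
    rng = random.Random(seed)
    for _ in range(trials):
        X = [rng.randint(0, 1) for _ in range(32)]
        Y = [rng.randint(0, 1) for _ in range(32)]
        if involution_I(involution_I(X)) != X or Pi(Pi(X, 0), 1) != X or Pi(Pi(X, 1), 0) != X:
            return False
        if any(xor(a, b) != c for a, b, c in zip(ext_E(X), ext_E(Y), ext_E(xor(X, Y)))):
            return False
        if any(xor(a, b) != c for a, b, c in
               zip(ext_E_prime(X), ext_E_prime(Y), ext_E_prime(xor(X, Y)))):
            return False
    return True
```

`delta_V(unit(32, 32))` returns `['0', '0', '0', 'e_16', 'e_6', 'e_12']` and `delta_W(unit(32, 32))` returns `['0', '0', '0', 'e_16', 'e_11']`, which are exactly the $\Delta V$ of case C1 and the $\Delta W'$ of case C2 in Sect. 4.1: because E and E′ are linear, a single key-bit difference entering L or Z′ is copied into a fixed, key-independent set of three (resp. two) controlling-bit positions, which is what makes the one-round characteristics of Table 4 hold with the probabilities stated there.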

Each round key $RK^j$ consists of four e-dependent round keys $(A^j_1, A^j_2, A^j_3, A^j_4)$ defined as in Table 3. Here, if $e = 0$ (encryption), $O_i = K_i$; otherwise (decryption), $O_1 = K_3$, $O_2 = K_4$, $O_3 = K_1$, $O_4 = K_2$, where the 128-bit key is $K = (K_1, K_2, K_3, K_4)$.

Table 3 Key schedule and switching bit e′ of DDP-64

| $RK^j$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| $A^j_1$ | $O_3$ | $O_2$ | $O_1$ | $O_4$ | $O_3$ | $O_3$ | $O_4$ | $O_1$ | $O_2$ | $O_3$ |
| $A^j_2$ | $O_4$ | $O_3$ | $O_2$ | $O_1$ | $O_2$ | $O_2$ | $O_1$ | $O_2$ | $O_3$ | $O_4$ |
| $A^j_3$ | $O_1$ | $O_4$ | $O_3$ | $O_2$ | $O_1$ | $O_1$ | $O_2$ | $O_3$ | $O_4$ | $O_1$ |
| $A^j_4$ | $O_2$ | $O_1$ | $O_4$ | $O_3$ | $O_4$ | $O_4$ | $O_3$ | $O_4$ | $O_1$ | $O_2$ |
| e′ (e = 0) | 1 | 0 | 1 | 1 | 0 | 1 | 1 | 1 | 0 | 1 |
| e′ (e = 1) | 0 | 1 | 0 | 0 | 0 | 1 | 0 | 0 | 1 | 0 |

$RK^0 = (RK^0_L, RK^0_R) = (O_1, O_2)$, $RK^{11} = (RK^{11}_L, RK^{11}_R) = (O_4, O_3)$

3.2 Properties for components of DDP-64

In this subsection, we describe some properties of the components of $Crypt^{(e)}$ of DDP-64, which allow us to construct full-round related-key differential characteristics. To begin with, we describe several basic properties of the controlled elements (Properties 1 and 2), which induce the properties of the components of $Crypt^{(e)}$ (Properties 3 and 4).

Property 1 Let CE be a $P_{2/1}$ or an $F_{2/1}$. Then we obtain the following basic properties for $\Pr^{(CE)}(\Delta Y/\Delta X, \Delta V)$.

(a) $\Pr^{(P_{2/1})}((0,0)/(0,0),0) = \Pr^{(P_{2/1})}((1,1)/(1,1),0) = 1$
(b) $\Pr^{(P_{2/1})}(\Delta Y/(0,0),1) = \Pr^{(P_{2/1})}(\Delta Y/(1,1),1) = 2^{-1}$ where $\Delta Y \in \{(0,0),(1,1)\}$.
(c) $\Pr^{(P_{2/1})}(\Delta Y/\Delta X, \Delta V) = 2^{-1}$ where $\Delta Y \in \{(0,1),(1,0)\}$, $\Delta X \in \{(0,1),(1,0)\}$, $\Delta V \in \{0,1\}$.

Fig. 4 (a) General structure of DDP-64, (b) $Crypt^{(e)}$ of DDP-64

The above properties are also extended into the followingproperties.

Property 2 Let CE be one of $P_{n/m}$ and $P^{-1}_{n/m}$. Then we obtain the following extended properties for $\Pr^{(P_{n/m})}(\Delta Y/\Delta X, \Delta V)$.

(a) $\Pr^{(P_{n/m})}(e_j/e_i, 0) = \Pr^{(P^{-1}_{n/m})}(e_j/e_i, 0) = 1$ for some i and j ($1 \le i, j \le n$); more generally, if $Y = P^{(V)}_{n/m}(X)$ and $Y' = P^{(V)}_{n/m}(X')$ then $Hw(X \oplus X') = Hw(Y \oplus Y')$. It also holds for the $P^{-1}_{n/m}$-box.
(b) $\Pr^{(P_{n/m})}((0)/(0), e_i) = \Pr^{(P^{-1}_{n/m})}((0)/(0), e_i) = 2^{-1}$.

Property 3 Let $P^{(V)}_{n/m}(X) \oplus P^{(V)}_{n/m}(X \oplus e_i) = e_j$ for some i and j. Then we have the following properties:

(a) If $n = 8$, $m = 12$ then exactly one difference route from $e_i$ to $e_j$ via three $P_{2/1}$-boxes is fixed. It also holds for the $P^{-1}_{8/12}$-box.
(b) If $n = 32$, $m = 96$ then exactly two difference routes from $e_i$ to $e_j$ via six $P_{2/1}$-boxes are fixed. It also holds for the $P^{-1}_{32/96}$-box.

For example, consider $i = 8$ and $j = 2$ in Property 3(a). Then we know exactly the 3 bits $(1,1,0)$ of the controlling vectors corresponding to the three $P_{2/1}$-boxes of the $P_{8/12}$-box with probability 1. See Fig. 5. In Fig. 5, the bold line denotes the possible difference route when the input and output differences of $P_{8/12}$ and $P^{-1}_{8/12}$ are fixed.
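Properties 1, 2 and 3 are all statements about the layered $P_{n/m}$ construction of Sect. 2.1, so they can be checked by enumeration on a small instance. The following Python model is an added example (not code from the paper or from the DDP-64 designers): it builds $P_{n/m}$ from $P_{2/1}$ elements and its inverse exactly as Sect. 2.1 describes, then verifies Property 1 (all cases), Property 2(a) and 2(b), and Property 3(a), going slightly beyond the text in that it reports, for any (i, j), which controlling bits a single-bit route forces. The fixed permutations $\pi_i$ are an assumption (a perfect shuffle, which gives one route per input/output pair as the paper states for $P_{8/12}$), because the paper's own $\pi_i$ appear only in its Fig. 1; all function names are the example's own.

```python
"""Toy model of the CP-box primitive of Sect. 2.1, checking Properties 1-3 of
Sect. 3.2 by exhaustive enumeration. Added example, not code from the paper.
ASSUMPTION: the fixed permutations pi_i are a perfect shuffle (one route per
input/output pair, like the paper's P_8/12); the paper's pi_i are only drawn in Fig. 1."""
from fractions import Fraction
from itertools import product


def p2_1(x1, x2, v):
    """Elementary P_{2/1}: y1 = x_{1+v}, y2 = x_{2-v}, i.e. swap iff v = 1."""
    return (x2, x1) if v else (x1, x2)


def shuffle_perm(n):
    """Assumed pi_i: rotate the log2(n)-bit position index left; dst[p] is where bit p goes."""
    k = n.bit_length() - 1
    return [((p << 1) | (p >> (k - 1))) & (n - 1) for p in range(n)]


def invert_perm(dst):
    return [dst.index(p) for p in range(len(dst))]


def apply_perm(bits, dst):
    return [bits[dst.index(p)] for p in range(len(bits))]


def active_layer(bits, ctrl):
    """One active layer L^V: n/2 parallel P_{2/1} boxes on the bit pairs (2b, 2b+1)."""
    out = list(bits)
    for b, v in enumerate(ctrl):
        out[2 * b], out[2 * b + 1] = p2_1(bits[2 * b], bits[2 * b + 1], v)
    return out


def cp_box(bits, ctrl_layers, perms):
    """P_{n/m} = L^{V_1} o pi_1 o L^{V_2} o ... o pi_{s-1} o L^{V_s}, applied top to bottom."""
    out = active_layer(bits, ctrl_layers[0])
    for perm, ctrl in zip(perms, ctrl_layers[1:]):
        out = active_layer(apply_perm(out, perm), ctrl)
    return out


def cp_box_inverse(bits, ctrl_layers, perms):
    """P^{-1}_{n/m}: controlling vectors reversed (V_s, ..., V_1), pi_i -> pi^{-1}_{s-i} (Sect. 2.1)."""
    return cp_box(bits, ctrl_layers[::-1], [invert_perm(p) for p in perms[::-1]])


def int_to_bits(x, n):
    """Paper indexing: bit 1 is the most significant bit and comes first."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def split_ctrl(v, n, s):
    """Integer controlling vector V -> s layers of n/2 bits each, V_1 first (m = s*n/2)."""
    half = n // 2
    bits = int_to_bits(v, s * half)
    return [bits[i:i + half] for i in range(0, s * half, half)]


def unit(n, *positions):
    """e_{i,j,...}: ones at the given 1-based positions, zeros elsewhere."""
    return [1 if p + 1 in positions else 0 for p in range(n)]


def p2_1_difference_table():
    """Property 1: {(dX, dV): {dY: Pr}} for P_{2/1}, enumerating all 8 (x1, x2, v)."""
    table = {}
    for dx1, dx2, dv in product((0, 1), repeat=3):
        dys = [tuple(a ^ b for a, b in zip(p2_1(x1, x2, v), p2_1(x1 ^ dx1, x2 ^ dx2, v ^ dv)))
               for x1, x2, v in product((0, 1), repeat=3)]
        table[((dx1, dx2), dv)] = {dy: Fraction(dys.count(dy), 8) for dy in set(dys)}
    return table


def bijective_and_weight_preserving(n, s):
    """Definition 1 and Property 2(a), exhaustive (n = 4, s = 2 is cheap): for every V
    cp_box_inverse undoes cp_box, and Hw(X^X') == Hw(Y^Y') for all X, X'."""
    perms = [shuffle_perm(n)] * (s - 1)
    xs = [int_to_bits(x, n) for x in range(1 << n)]
    hw = lambda a, b: sum(p ^ q for p, q in zip(a, b))
    for v in range(1 << (s * n // 2)):
        layers = split_ctrl(v, n, s)
        img = [cp_box(x, layers, perms) for x in xs]
        if any(cp_box_inverse(y, layers, perms) != x for x, y in zip(xs, img)):
            return False
        if any(hw(y, y2) != hw(x, x2) for (x, y), (x2, y2) in product(zip(xs, img), repeat=2)):
            return False
    return True


def prob_zero_diff_for_ctrl_flip(n, s):
    """Property 2(b): exact Pr(0 / 0, e_i) over all X, V and control positions i;
    the flipped box leaves its output unchanged iff its two input bits are equal."""
    m, perms = s * n // 2, [shuffle_perm(n)] * (s - 1)
    hits = total = 0
    for x, v in product(range(1 << n), range(1 << m)):
        xb = int_to_bits(x, n)
        y = cp_box(xb, split_ctrl(v, n, s), perms)
        for i in range(m):
            hits += cp_box(xb, split_ctrl(v ^ (1 << (m - 1 - i)), n, s), perms) == y
            total += 1
    return Fraction(hits, total)


def route_control_bits(n, s, i, j, inverse=False):
    """Property 3: for fixed V the box only moves bits, so P(X)^P(X^e_i) = P(e_i), and
    the route e_i -> e_j fixes the control bit of every box it passes. Returns
    ({1-based position in V: forced value}, number of V realising the route)."""
    m, perms = s * n // 2, [shuffle_perm(n)] * (s - 1)
    box = cp_box_inverse if inverse else cp_box
    matching = [v for v in range(1 << m)
                if box(unit(n, i), split_ctrl(v, n, s), perms) == unit(n, j)]
    cols = list(zip(*(int_to_bits(v, m) for v in matching)))
    fixed = {pos + 1: col[0] for pos, col in enumerate(cols) if len(set(col)) == 1}
    return fixed, len(matching)
```

`bijective_and_weight_preserving(4, 2)` and `prob_zero_diff_for_ctrl_flip(4, 2)` run the exhaustive checks on $P_{4/4}$ (the latter returns exactly 1/2); `route_control_bits(8, 3, 8, 2)` models $P_{8/12}$ and returns three forced controlling bits and 512 matching vectors out of 4096, with the same result for the inverse box. That is the structural fact behind Property 3(a): once a single-bit input/output difference pair is known, the controlling bits on its route, and thus the key or data bits that feed them, are determined with probability 1, which is why a weight-preserving primitive on its own gives the designer no margin against differential methods.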

Property 4 Let $\Pr^{(F)}(\Delta Y/(\Delta X, \Delta W))$ be the probability of having the output difference $\Delta Y$ when the input and controlling vector differences are $\Delta X$ and $\Delta W$, respectively. Then the following properties hold for the F-box of DDP-64.

(a) $\Pr^{(F)}(0/(0,(0,0,0,0,0))) = 1$.
(b) $\Pr^{(F)}(0/(e_{32},(0,0,0,0,0))) = 2^{-4}$.

Proof There are two differential routes $e_{32} \to 0$, each with probability $2^{-5}$. The first route is the case that the output difference of $P_{32/48}$ of the F-box is $e_{28}$ with probability $2^{-3}$ when the input and controlling vector differences are $e_{32}$ and 0, respectively. Then $\Delta H = (0,0,0,0,e_7)$ and $\Pr^{(P^{-1}_{32/48})}(0/0,(0,0,e_{7,15})) = 2^{-2}$. So this case holds with probability $2^{-5}$ ($= 2^{-3} \cdot 2^{-2}$). The second one is the case that the output difference of $P_{32/48}$ of the F-box is $e_{29}$ with probability $2^{-3}$ when the input and controlling vector differences are $e_{32}$ and 0, respectively. Then, similarly, $\Delta H = (0,0,0,0,e_8)$ and $\Pr^{(P^{-1}_{32/48})}(0/0,(0,0,e_{8,16})) = 2^{-2}$. So this case holds with probability $2^{-5}$ ($= 2^{-3} \cdot 2^{-2}$). It is easy to see that there are no other differential routes $e_{32} \to 0$ for F. Hence, by these two cases, $\Pr^{(F)}(0/(e_{32},(0,0,0,0,0))) = 2^{-4}$. □

(c) $\Pr^{(F)}(0/(0,(0,0,0,e_{16},e_{11}))) = 2^{-2}$.

Proof Since $\Delta X = 0$ and $\Delta W = (\Delta W_1, \Delta W_2, \Delta W_3, \Delta W_4, \Delta W_5) = (0,0,0,e_{16},e_{11})$, the input and controlling vector differences of $P^{-1}_{32/48}$ are 0 and $(e_{16}, e_{11}, 0)$ with probability 1, respectively. Since $\Pr^{(P^{-1}_{32/48})}(0/(0,(e_{16},e_{11},0))) = 2^{-2}$, $\Pr^{(F)}(0/(0,(0,0,0,e_{16},e_{11}))) = 2^{-2}$. □

Fig. 5 An example of the difference routes when the input and output differences of $P_{8/12}$ and $P^{-1}_{8/12}$ are fixed

4 Related-key differential attack on DDP-64

In this section, we show how to construct full-round related-key differential characteristics of DDP-64 by using the properties presented in the previous section, and then present a key recovery attack on the full-round DDP-64.

4.1 Related-key differential characteristics of DDP-64

We consider the situation in which we encrypt plaintexts $P = (P_L, P_R)$ and $P' = (P'_L, P'_R)$ under an unknown key $K = (K_1, K_2, K_3, K_4)$ and an unknown related key $K' = (K'_1, K'_2, K'_3, K'_4)$ such that $P \oplus P' = (0,0)$ and $K \oplus K' = (0,0,e_{32},0)$, respectively. We can then obtain 256 full-round related-key differential characteristics $\alpha \to \beta_{j,k,32}$ with the same probability $2^{-51}$, where $\alpha = (0,0)$ and $\beta_{j,k,32} = (0, e_{j,k,32})$ for each j and k ($1 \le j \le 16$ and $17 \le k \le 32$), as depicted in Table 8 of Appendix A. The first 9 rounds of these differential characteristics are composed alternately of the following 4 classes of one-round differential characteristics of $Crypt^{(e)}$ according to the difference condition of the round key, $\Delta RK$. In all 4 cases we assume that the input difference $\Delta RI$ of $Crypt^{(e)}$ is zero.

− C1: $\Delta RK = (\Delta A_1, \Delta A_2, \Delta A_3, \Delta A_4) = (e_{32},0,0,0)$

Since $\Delta A_1 = e_{32}$ and $\Delta RI = 0$, $\Delta L^{(1)} = e_{32}$ and $\Delta V = (0,0,0,e_{16},e_6,e_{12})$. Then, by Property 1(b) and Property 2(b), $\Delta O$ is 0 with probability $2^{-3}$ ($= P_1$). Furthermore, since $\Delta Z = \Delta Z' = 0$ and $\Delta W = \Delta W' = 0$, $\Delta Y = \Delta Y' = 0$ with probability 1 by Property 4(a). Thus $\Delta O' = 0$ with probability 1 ($= P_4$) because $\Delta L'^{(3)} = \Delta V' = 0$ and the input difference of $P^{-1}_{32/96}$ is 0. Hence if $\Delta RI = (0,0)$ and $\Delta RK = (e_{32},0,0,0)$ then the corresponding output difference of $Crypt^{(e)}$ is $(0,0)$ with probability $2^{-3}$.

Table 4 Related-key differential characteristic of DDP-64

| R (i) | $\Delta RI_i$ | $\Delta RK_i$ | $P_1/P_2/P_3/P_4$ | Pro. | Ca. |
|---|---|---|---|---|---|
| IT | (0,0) | (0,0) | · | 1 | · |
| 1 | (0,0) | $(e_{32},0,0,0)$ | $2^{-3}/1/1/1$ | $2^{-3}$ | C1 |
| 2 | (0,0) | $(0,e_{32},0,0)$ | $1/2^{-4}/2^{-2}/1$ | $2^{-6}$ | C2 |
| 3 | (0,0) | $(0,0,e_{32},0)$ | $1/1/1/2^{-3}$ | $2^{-3}$ | C3 |
| 4 | (0,0) | $(0,0,0,e_{32})$ | $1/2^{-2}/2^{-4}/1$ | $2^{-6}$ | C4 |
| 5 | (0,0) | $(e_{32},0,0,0)$ | $2^{-3}/1/1/1$ | $2^{-3}$ | C1 |
| 6 | (0,0) | $(e_{32},0,0,0)$ | $2^{-3}/1/1/1$ | $2^{-3}$ | C1 |
| 7 | (0,0) | $(0,0,0,e_{32})$ | $1/2^{-2}/2^{-4}/1$ | $2^{-6}$ | C4 |
| 8 | (0,0) | $(0,0,e_{32},0)$ | $1/1/1/2^{-3}$ | $2^{-3}$ | C3 |
| 9 | (0,0) | $(0,e_{32},0,0)$ | $1/2^{-4}/2^{-2}/1$ | $2^{-6}$ | C2 |
| 10 | (0,0) | $(e_{32},0,0,0)$ | $2^{-3}/1/1/2^{-9}$ | $2^{-12}$ | C1′ |
| FT | $(0, e_{j,k})$ | $(0, e_{32})$ | · | 1 | · |
| Out. | $(0, e_{j,k,32})$ | · | · | · | · |
| Tot. | · | · | · | $2^{-51}$ | · |

j ($1 \le j \le 16$) and k ($17 \le k \le 32$): fixed values, Out.: Output, Pro.: Probability, Ca.: Case, Tot.: Total

− C2: $\Delta RK = (\Delta A_1, \Delta A_2, \Delta A_3, \Delta A_4) = (0,e_{32},0,0)$

Since $\Delta A_1 = 0$ and $\Delta RI = 0$, $\Delta O$ is 0 with probability $2^{-3}$ ($= P_1$). Since $\Delta A_2 = e_{32}$, $\Delta A_4 = 0$, and $\Delta Z' = 0$, $\Delta W = 0$, $\Delta Y$ is 0 with probability $2^{-4}$ ($= P_2$) by Property 4(b). Similarly, $\Delta Y' = 0$ with probability $2^{-2}$ ($= P_3$) because $\Delta Z' = 0$, $\Delta Z = e_{32}$, and $\Delta W' = (0,0,0,e_{16},e_{11})$. Thus $\Delta O'$ is zero with probability 1 ($= P_4$) because $\Delta L'^{(3)} = 0$ and $\Delta V' = (0,0,0,0,0,0)$. Hence, if $\Delta RI = (0,0)$ and $\Delta RK = (0,e_{32},0,0)$ then the corresponding output difference of $Crypt^{(e)}$ is $(0,0)$ with probability $2^{-6}$.

Similarly, we can check for the two cases C3 and C4 below that the output differences of $Crypt^{(e)}$ are also zero with probabilities $2^{-3}$ and $2^{-6}$, respectively.

− C3: $\Delta RK = (\Delta A_1, \Delta A_2, \Delta A_3, \Delta A_4) = (0,0,e_{32},0)$
− C4: $\Delta RK = (\Delta A_1, \Delta A_2, \Delta A_3, \Delta A_4) = (0,0,0,e_{32})$.

In the last round, however, we use another one-round differential characteristic with probability $2^{-12}$ to make our key recovery attack easy, which we call C1′. This is obtained as follows. Since $\Delta RK = (e_{32},0,0,0)$ and $\Delta RI = (0,0)$, $\Delta V$ is $(0,0,0,e_{16},e_6,e_{12})$, where its three controlling bits $e_{16}$, $e_6$, and $e_{12}$ whose values are one correspond to the 8th, 3rd, and 6th $P_{2/1}$-boxes of the 4th, 5th, and 6th active layers in $P_{32/96}$, respectively. By Property 1(a), the above two $P_{2/1}$-boxes of the 4th and 5th layers can have a zero output difference with probability $2^{-1}$ and, by Property 1(a), the 6th $P_{2/1}$-box of the 6th layer corresponding to $e_{12}$ has a nonzero two-bit output difference $(1,1)$ with probability $2^{-1}$. Thus the output difference of $P_{32/96}$ is $e_{23,24}$ with probability $2^{-3}$ and the output difference of I is $e_{15,16}$ with probability 1. Finally, we construct the difference patterns $e_{15,16} \to e_{j,k}$ ($1 \le j \le 16$ and $17 \le k \le 32$) for $P^{-1}_{32/96}$ as in Figs. 6 and 7 (note that there are only two difference patterns giving $e_{j,k}$ output differences from the input difference $e_{15,16}$ through $P^{-1}_{32/96}$). In Figs. 6 and 7, since the input difference of $P^{(V'^8_6)}_{2/1}$, corresponding to the controlling vector $V'^8_6$ of the first layer, is $(1,1)$ and $\Delta V'^8_6 = 0$, by Property 1(a) the corresponding output difference of $P^{(V'^8_6)}_{2/1}$ is $(1,1)$ with probability 1. If the output differences of $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$ are fixed to $(1,0)$ and $(0,1)$ with probability $2^{-1}$ as depicted in Fig. 6, or to $(0,1)$ and $(1,0)$ with probability $2^{-1}$ as depicted in Fig. 7, then one of these nonzero bits always moves to the j-th bit of $P^{-1}_{32/96}$ ($1 \le j \le 16$) with probability $2^{-4}$ and, similarly, the other nonzero one-bit difference moves to the k-th bit of $P^{-1}_{32/96}$ ($17 \le k \le 32$) with probability $2^{-4}$ for each j and k. Thus for any fixed j and k, $\Delta P^{-1}_{32/96}(\Delta V' = 0)(\Delta X = e_{15,16}) = e_{j,k}$ with probability $2^{-9}$ ($= 2^{-10} + 2^{-10}$). Hence the last-round differential characteristic holds with probability $2^{-12}$ ($= 2^{-3} \cdot 2^{-9}$).

4.2 Key recovery attack

We now present a key recovery attack on DDP-64 using our 256 related-key differential characteristics. To begin with, we encrypt $2^{53}$ plaintext pairs $P = (P_L, P_R)$ and $P' = P$ under an unknown key $K = (K_1, K_2, K_3, K_4)$ and an unknown related key $K' = (K_1, K_2, K_3 \oplus e_{32}, K_4)$, respectively, and then get the $2^{53}$ corresponding ciphertext pairs $C = (C_L, C_R)$ and $C' = (C'_L, C'_R)$, i.e., $E_K(P) = C$ and $E_{K'}(P) = C'$, where E is the block cipher DDP-64. Since our full-round related-key differential characteristics of DDP-64 have a probability of $2^{-51}$ each, we expect about 4 ciphertext pairs $(C, C')$ such that $C \oplus C' = (0, e_{j,k,32})$ for each j and k ($1 \le j \le 16$ and $17 \le k \le 32$). According to our differential characteristics described in Table 4, we can deduce that the j-th and k-th one-bit differences in such $(C, C')$ are derived from the output differences of $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$ in $P^{-1}_{32/96}$ of the last round (refer to Figs. 6 and 7). That is, we can expect that there are exactly two differential routes: one in which the j-th and the k-th differences come from $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$, respectively, as depicted in Fig. 6, and the other in which the j-th and the k-th differences come from $P^{(V'^8_5)}_{2/1}$ and $P^{(V'^6_5)}_{2/1}$, respectively, as depicted in Fig. 7. Then, by using Property 3 we can extract 10 ($= 5 + 5$) bits of control vectors for each of these two routes. However, since in the attack procedure one route is right and the other is wrong, one of the two extracted 10-bit values may not be correct. For example, assume that the difference of $C_R$ is $e_{8,25,32}$. Then we can obtain the following two 10-bit values of control vectors (refer to Figs. 6 and 7, and Tables 5, 6, 7, and 8). Here, we let $v_i$, $K^i_j$, and $C^i_L$ denote the i-th bit of a controlling vector V, of a subkey $K_j$, and of the left half $C_L$ of a ciphertext, respectively.

Case 1:
$v_{70} = C^{32}_L \oplus K^{32}_4 \oplus K^{32}_1 = 1$,
$v_{53} = C^{21}_L \oplus K^{21}_4 \oplus K^{21}_1 = 0$,
$v_{37} = C^{9}_L \oplus K^{9}_4 \oplus K^{9}_1 = 0$,
$v_{22} = C^{16}_L \oplus K^{16}_4 \oplus K^{16}_1 = 1$,
$v_{8} = C^{8}_L \oplus K^{8}_4 \oplus K^{8}_1 = 1$,
$v_{72} = C^{18}_L \oplus K^{18}_4 \oplus K^{18}_1 = 0$,
$v_{56} = C^{24}_L \oplus K^{24}_4 \oplus K^{24}_1 = 0$,
$v_{47} = C^{3}_L \oplus K^{3}_4 \oplus K^{3}_1 = 1$,
$v_{31} = C^{9}_L \oplus K^{9}_4 \oplus K^{9}_1 = 0$,
$v_{13} = C^{13}_L \oplus K^{13}_4 \oplus K^{13}_1 = 1$.

Case 2:
$v_{70} = C^{32}_L \oplus K^{32}_4 \oplus K^{32}_1 = 0$,
$v_{54} = C^{22}_L \oplus K^{22}_4 \oplus K^{22}_1 = 0$,
$v_{45} = C^{1}_L \oplus K^{1}_4 \oplus K^{1}_1 = 1$,
$v_{29} = C^{7}_L \oplus K^{7}_4 \oplus K^{7}_1 = 0$,
$v_{13} = C^{13}_L \oplus K^{13}_4 \oplus K^{13}_1 = 0$,
$v_{72} = C^{18}_L \oplus K^{18}_4 \oplus K^{18}_1 = 1$,
$v_{55} = C^{23}_L \oplus K^{23}_4 \oplus K^{23}_1 = 0$,
$v_{39} = C^{11}_L \oplus K^{11}_4 \oplus K^{11}_1 = 0$,
$v_{24} = C^{2}_L \oplus K^{2}_4 \oplus K^{2}_1 = 1$,
$v_{8} = C^{8}_L \oplus K^{8}_4 \oplus K^{8}_1 = 0$.

Fig. 6 The possible routes when the output differences of $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$ in $P^{-1}_{32/96}$ are fixed as (1,0) and (0,1), respectively

If we use enough plaintext pairs to follow the above procedure, we can distinguish the right key from wrong keys by the maximum likelihood method, even though each right text pair may also yield 10 bits of a wrong key pair. Based on this idea we can devise the following key recovery algorithm on the full-round DDP-64.

1. Prepare $2^{53}$ plaintext pairs $(P_i, P'_i)$, $i = 1, \ldots, 2^{53}$, where $P_i = P'_i$ for each i. All $P_i$ are encrypted using a master key K and all $P'_i$ are encrypted using another master key K′, where K and K′ have the $(0,0,e_{32},0)$ difference. Encrypt each plaintext pair $(P_i, P'_i)$ to get the corresponding ciphertext pair $(C_i, C'_i)$.

2. Check that $C_i \oplus C'_i = (0, e_{j,k,32})$ for each i, j and k ($1 \le j \le 16$ and $17 \le k \le 32$). We call the bit positions j and k the j-PBO and k-PBO (Position with Bit One), respectively.

3. For each ciphertext pair $(C_i, C'_i)$ passing the test of Step 2, extract two 10-bit controlling vectors by chasing the difference routes between these PBOs and the positions of the nonzero input bits in $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$. Compute candidates for the corresponding bits of $K_1 \oplus K_4$ and $K'_1 \oplus K'_4$. Output the 10-bit subkey pairs with the maximal number of hits each.

The data complexity of this attack is $2^{54}$ related-key chosen plaintexts. The time complexity of Step 1 is $2^{54}$ full-round DDP-64 encryptions, and the time complexity of Steps 2 and 3 is much less than that of Step 1. By our related-key differential characteristics each ciphertext pair can pass Step 2 with probability at least $2^{-51}$, and thus the expected number of ciphertext pairs with the $(0, e_{j,k,32})$ difference for each j and k ($1 \le j \le 16$ and $17 \le k \le 32$) that pass this test is at least 4. This means that the expected number of hits for each 10-bit right key is 4. On the other hand, the expected number of hits for each 10-bit wrong key is $4 \cdot 2^{-10}$. Thus we can retrieve 16 bits of key information in the lower layer of $P^{-1}_{32/96}$ and 6 bits of key information in the upper layer of $P^{-1}_{32/96}$ with a data and a time complexity of $2^{54}$, and with a high success rate. Moreover, this attack can be simply extended to retrieve the whole master key pair by performing an exhaustive search for the remaining key bits. This full-key recovery attack has a data complexity of $2^{54}$ related-key chosen plaintexts and a time complexity of $2^{106}$.

Fig. 7 The possible routes when the output differences of $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$ in $P^{-1}_{32/96}$ are fixed as (0,1) and (1,0), respectively

5 Conclusion

The block cipher DDP-64 has been designed to give a fast and cheap hardware implementation and a high security level for various multimedia and ubiquitous computing devices. Indeed, it is considerably resistant against conventional attacks such as the differential attack and the linear attack. In this paper, however, we have presented a related-key differential attack on DDP-64, which is the first currently known cryptanalytic result. According to our result, the full-round DDP-64 can be broken with $2^{54}$ data and $2^{54}$ time complexities. It is obvious that our cryptanalytic result is not a practical threat to the security of DDP-64; however, we expect that the method developed in this paper will be useful for further analysis of DDP-64.

Appendix A: Classes of the key bits corresponding to the possible routes

The following tables represent classes of key bits corresponding to the possible routes when the nonzero input differences of $P^{(V'^6_5)}_{2/1}$ and $P^{(V'^8_5)}_{2/1}$ and the output difference $e_{j,k}$ in the $P^{-1}_{32/96}$-box are fixed.


Table 5 Classes of the controlling vectors corresponding to the difference route in Fig. 6 when the nonzero input difference of $P^{(V'^6_5)}_{2/1}$ and the output difference $e_j$ in the $P^{-1}_{32/96}$-box are fixed. Values in parentheses correspond to the output difference given in parentheses.

| Class | $e_i$ | Controlling vectors |
|---|---|---|
| CL1 | $e_1$ ($e_2$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 1(1)$, $v_{33} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 1(1)$, $v_{17} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 0(0)$, $v_{1} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 0(1)$ |
| CL2 | $e_3$ ($e_4$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 1(1)$, $v_{33} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 1(1)$, $v_{17} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 1(1)$, $v_{2} = C^{2}_L \oplus K^{2}_1 \oplus K^{2}_4 = 0(1)$ |
| CL3 | $e_5$ ($e_6$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 1(1)$, $v_{33} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 0(0)$, $v_{18} = C^{12}_L \oplus K^{12}_1 \oplus K^{11}_4 = 0(0)$, $v_{3} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 0(1)$ |
| CL4 | $e_7$ ($e_8$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 1(1)$, $v_{33} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 0(0)$, $v_{18} = C^{12}_L \oplus K^{12}_1 \oplus K^{11}_4 = 1(1)$, $v_{4} = C^{4}_L \oplus K^{4}_1 \oplus K^{4}_4 = 0(1)$ |
| CL5 | $e_9$ ($e_{10}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 0(0)$, $v_{37} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 1(1)$, $v_{21} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 0(0)$, $v_{5} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 0(1)$ |
| CL6 | $e_{11}$ ($e_{12}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 0(0)$, $v_{37} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 1(1)$, $v_{21} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 1(1)$, $v_{6} = C^{6}_L \oplus K^{6}_1 \oplus K^{6}_4 = 0(1)$ |
| CL7 | $e_{13}$ ($e_{14}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 0(0)$, $v_{37} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 0(0)$, $v_{22} = C^{16}_L \oplus K^{16}_1 \oplus K^{16}_4 = 0(0)$, $v_{7} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 0(1)$ |
| CL8 | $e_{15}$ ($e_{16}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 1(1)$, $v_{53} = C^{21}_L \oplus K^{21}_1 \oplus K^{21}_4 = 0(0)$, $v_{37} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 0(0)$, $v_{22} = C^{16}_L \oplus K^{16}_1 \oplus K^{16}_4 = 1(1)$, $v_{8} = C^{8}_L \oplus K^{8}_1 \oplus K^{8}_4 = 0(1)$ |

Table 6 Classes of the controlling vectors corresponding to the difference route in Fig. 6 when the nonzero input difference of $P^{V'_{85}}_{2/1}$ and output difference $e_k$ in $P^{-1}_{32/96}$-box are fixed

| Class | $e_i$ | Controlling vectors |
|---|---|---|
| $CL_9$ | $e_{17}$ ($e_{18}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 1(1)$, $v_{43} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_1 = 1(1)$, $v_{27} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 0(0)$, $v_{9} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 0(1)$ |
| $CL_{10}$ | $e_{19}$ ($e_{20}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 1(1)$, $v_{43} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 1(1)$, $v_{27} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 1(1)$, $v_{10} = C^{10}_L \oplus K^{10}_1 \oplus K^{10}_4 = 0(1)$ |
| $CL_{11}$ | $e_{21}$ ($e_{22}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 1(1)$, $v_{43} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 0(0)$, $v_{28} = C^{6}_L \oplus K^{6}_1 \oplus K^{6}_4 = 0(0)$, $v_{11} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 0(1)$ |
| $CL_{12}$ | $e_{23}$ ($e_{24}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 1(1)$, $v_{43} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 0(0)$, $v_{28} = C^{6}_L \oplus K^{6}_1 \oplus K^{6}_4 = 1(1)$, $v_{12} = C^{12}_L \oplus K^{12}_1 \oplus K^{12}_4 = 0(1)$ |
| $CL_{13}$ | $e_{25}$ ($e_{26}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 0(0)$, $v_{47} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 1(1)$, $v_{31} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 0(0)$, $v_{13} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_4 = 0(1)$ |
| $CL_{14}$ | $e_{27}$ ($e_{28}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 0(0)$, $v_{47} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 1(1)$, $v_{31} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 1(1)$, $v_{14} = C^{14}_L \oplus K^{14}_1 \oplus K^{14}_4 = 0(1)$ |
| $CL_{15}$ | $e_{29}$ ($e_{30}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 0(0)$, $v_{47} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 0(0)$, $v_{32} = C^{10}_L \oplus K^{10}_1 \oplus K^{10}_4 = 0(0)$, $v_{15} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 0(1)$ |
| $CL_{16}$ | $e_{31}$ ($e_{32}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 0(0)$, $v_{56} = C^{24}_L \oplus K^{24}_1 \oplus K^{24}_4 = 0(0)$, $v_{47} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 0(0)$, $v_{32} = C^{10}_L \oplus K^{10}_1 \oplus K^{10}_4 = 1(1)$, $v_{16} = C^{16}_L \oplus K^{16}_1 \oplus K^{16}_4 = 0(1)$ |


Table 7 Classes of the controlling vectors corresponding to the difference route in Fig. 7 when the nonzero input difference of $P^{V'_{85}}_{2/1}$ and output difference $e_j$ in $P^{-1}_{32/96}$-box are fixed

| Class | $e_i$ | Controlling vectors |
|---|---|---|
| $CL'_1$ | $e_1$ ($e_2$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 1(1)$, $v_{35} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 1(1)$, $v_{19} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_4 = 0(0)$, $v_{1} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 1(0)$ |
| $CL'_2$ | $e_3$ ($e_4$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 1(1)$, $v_{35} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 1(1)$, $v_{19} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_4 = 1(1)$, $v_{2} = C^{2}_L \oplus K^{2}_1 \oplus K^{2}_4 = 1(0)$ |
| $CL'_3$ | $e_5$ ($e_6$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 1(1)$, $v_{35} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 0(0)$, $v_{20} = C^{14}_L \oplus K^{14}_1 \oplus K^{14}_4 = 0(0)$, $v_{3} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 1(0)$ |
| $CL'_4$ | $e_7$ ($e_8$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 1(1)$, $v_{35} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 0(0)$, $v_{20} = C^{14}_L \oplus K^{14}_1 \oplus K^{14}_4 = 1(1)$, $v_{4} = C^{4}_L \oplus K^{4}_1 \oplus K^{4}_4 = 1(0)$ |
| $CL'_5$ | $e_9$ ($e_{10}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 0(0)$, $v_{39} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 1(1)$, $v_{23} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 0(0)$, $v_{5} = C^{5}_L \oplus K^{5}_1 \oplus K^{5}_4 = 1(0)$ |
| $CL'_6$ | $e_{11}$ ($e_{12}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 0(0)$, $v_{39} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 1(1)$, $v_{23} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 1(1)$, $v_{6} = C^{6}_L \oplus K^{6}_1 \oplus K^{6}_4 = 1(0)$ |
| $CL'_7$ | $e_{13}$ ($e_{14}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 0(0)$, $v_{39} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 0(0)$, $v_{24} = C^{2}_L \oplus K^{2}_1 \oplus K^{2}_4 = 0(0)$, $v_{7} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 1(0)$ |
| $CL'_8$ | $e_{15}$ ($e_{16}$) | $v_{72} = C^{18}_L \oplus K^{18}_1 \oplus K^{18}_4 = 1(1)$, $v_{55} = C^{23}_L \oplus K^{23}_1 \oplus K^{23}_4 = 0(0)$, $v_{39} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 0(0)$, $v_{24} = C^{2}_L \oplus K^{2}_1 \oplus K^{2}_4 = 1(1)$, $v_{8} = C^{8}_L \oplus K^{8}_1 \oplus K^{8}_4 = 1(0)$ |

Table 8 Classes of the controlling vectors corresponding to the difference route in Fig. 7 when the nonzero input difference of $P^{V'_{65}}_{2/1}$ and output difference $e_k$ in $P^{-1}_{32/96}$-box are fixed

| Class | $e_i$ | Controlling vectors |
|---|---|---|
| $CL'_9$ | $e_{17}$ ($e_{18}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 1(1)$, $v_{41} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_1 = 1(1)$, $v_{25} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 0(0)$, $v_{9} = C^{9}_L \oplus K^{9}_1 \oplus K^{9}_4 = 0(1)$ |
| $CL'_{10}$ | $e_{19}$ ($e_{20}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 1(1)$, $v_{41} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_1 = 1(1)$, $v_{25} = C^{3}_L \oplus K^{3}_1 \oplus K^{3}_4 = 1(1)$, $v_{10} = C^{10}_L \oplus K^{10}_1 \oplus K^{10}_4 = 0(1)$ |
| $CL'_{11}$ | $e_{21}$ ($e_{22}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 1(1)$, $v_{41} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_1 = 0(0)$, $v_{26} = C^{4}_L \oplus K^{4}_1 \oplus K^{4}_4 = 0(0)$, $v_{11} = C^{11}_L \oplus K^{11}_1 \oplus K^{11}_4 = 0(1)$ |
| $CL'_{12}$ | $e_{23}$ ($e_{24}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 1(1)$, $v_{41} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_1 = 0(0)$, $v_{26} = C^{4}_L \oplus K^{4}_1 \oplus K^{4}_4 = 1(1)$, $v_{12} = C^{12}_L \oplus K^{12}_1 \oplus K^{12}_4 = 0(1)$ |
| $CL'_{13}$ | $e_{25}$ ($e_{26}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 0(0)$, $v_{45} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 1(1)$, $v_{29} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 0(0)$, $v_{13} = C^{13}_L \oplus K^{13}_1 \oplus K^{13}_4 = 0(1)$ |
| $CL'_{14}$ | $e_{27}$ ($e_{28}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 0(0)$, $v_{45} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 1(1)$, $v_{29} = C^{7}_L \oplus K^{7}_1 \oplus K^{7}_4 = 1(1)$, $v_{14} = C^{14}_L \oplus K^{14}_1 \oplus K^{14}_4 = 0(1)$ |
| $CL'_{15}$ | $e_{29}$ ($e_{30}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 0(0)$, $v_{45} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 0(0)$, $v_{30} = C^{8}_L \oplus K^{8}_1 \oplus K^{8}_4 = 0(0)$, $v_{15} = C^{15}_L \oplus K^{15}_1 \oplus K^{15}_4 = 0(1)$ |
| $CL'_{16}$ | $e_{31}$ ($e_{32}$) | $v_{70} = C^{32}_L \oplus K^{32}_1 \oplus K^{32}_4 = 0(0)$, $v_{54} = C^{22}_L \oplus K^{22}_1 \oplus K^{22}_4 = 0(0)$, $v_{45} = C^{1}_L \oplus K^{1}_1 \oplus K^{1}_4 = 0(0)$, $v_{30} = C^{8}_L \oplus K^{8}_1 \oplus K^{8}_4 = 1(1)$, $v_{16} = C^{16}_L \oplus K^{16}_1 \oplus K^{16}_4 = 0(1)$ |


References

1. Biham, E., & Shamir, A. (1993). Differential cryptanalysis of the data encryption standard. ISBN: 0-387-97930-1, 3-540-97930-1.

2. Goots, N. D., Moldovyan, A. A., & Moldovyan, N. A. (2001). Fast encryption algorithm Spectr-H64. In LNCS: Vol. 2052. MMM-ACNS'01 (pp. 275–286). Berlin: Springer.

3. Goots, N. D., Izotov, B. V., Moldovyan, A. A., & Moldovyan, N. A. (2003). Modern cryptography: Protect your data with fast block ciphers. Wayne: A-LIST Publishing.

4. Goots, N. D., Izotov, B. V., Moldovyan, A. A., & Moldovyan, N. A. (2003). Fast ciphers for cheap hardware: Differential analysis of SPECTR-H64. In LNCS: Vol. 2776. MMM-ACNS'03 (pp. 449–452). Berlin: Springer.

5. Goots, N. D., Moldovyan, N. A., Moldovyanu, P. A., & Summerville, D. H. (2003). Fast DDP-based ciphers: From hardware to software. In 46th IEEE Midwest international symposium on circuits and systems.

6. Kavut, S., & Yücel, M. D. (2002). Slide attack on Spectr-H64. In LNCS: Vol. 2551. INDOCRYPT'02 (pp. 34–47). Berlin: Springer.

7. Kelsey, J., Schneier, B., & Wagner, D. (1996). Key schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In LNCS: Vol. 1109. Advances in cryptology—CRYPTO '96 (pp. 237–251). Berlin: Springer.

8. Kelsey, J., Schneier, B., & Wagner, D. (1997). Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In LNCS: Vol. 1334. ICICS'97 (pp. 233–246). Berlin: Springer.

9. Kim, J., Kim, G., Hong, S., Lee, S., & Hong, D. (2004). The related-key rectangle attack—application to SHACAL-1. In LNCS: Vol. 3108. ACISP 2004 (pp. 123–136). Berlin: Springer.

10. Kim, J., Kim, G., Lee, S., Lim, J., & Song, J. (2004). Related-key attacks on reduced rounds of SHACAL-2. In LNCS: Vol. 3348. INDOCRYPT 2004 (pp. 175–190). Berlin: Springer.

11. Ko, Y., Hong, D., Hong, S., Lee, S., & Lim, J. (2003). Linear cryptanalysis on SPECTR-H64 with higher order differential property. In LNCS: Vol. 2776. MMM-ACNS'03 (pp. 298–307). Berlin: Springer.

12. Ko, Y., Lee, C., Hong, S., & Lee, S. (2004). Related key differential cryptanalysis of full-round SPECTR-H64 and CIKS-1. In LNCS: Vol. 3108. ACISP 2004 (pp. 137–148). Berlin: Springer.

13. Ko, Y., Lee, C., Hong, S., Sung, J., & Lee, S. (2004). Related-key attacks on DDP based ciphers: CIKS-128 and CIKS-128H. In LNCS: Vol. 3348. INDOCRYPT 2004 (pp. 191–205). Berlin: Springer.

14. Lee, C., Hong, D., Lee, S., Lee, S., Yang, H., & Lim, J. (2002). A chosen plaintext linear attack on block cipher CIKS-1. In LNCS: Vol. 2513. ICICS 2002 (pp. 456–468). Berlin: Springer.

15. Lee, C., Kim, J., Hong, S., Sung, J., & Lee, S. (2005). Related-key differential attacks on Cobra-S128, Cobra-F64a, and Cobra-F64b. In LNCS: Vol. 3715. MYCRYPT 2005 (pp. 245–263). Berlin: Springer.

16. Lee, C., Kim, J., Sung, J., Hong, S., & Lee, S. (2005). Related-key differential attacks on Cobra-H64 and Cobra-H128. In LNCS: Vol. 3796. Tenth IMA international conference on cryptography and coding (CCC 2005) (pp. 201–219). Berlin: Springer.

17. Matsui, M. (1993). Linear cryptanalysis method for DES cipher. In LNCS: Vol. 765. Advances in cryptology—EUROCRYPT '93 (pp. 386–397). Berlin: Springer.

18. Moldovyan, A. A., & Moldovyan, N. A. (2002). A cipher based on data-dependent permutations. Journal of Cryptology, 15(1), 61–72.

19. Moldovyan, N. A., Sklavos, N., & Koufopavlou, O. (2005). Pure DDP-based cipher: Architecture analysis, hardware implementation cost and performance up to 6.5 Gbps. The International Arab Journal of Information Technology, 2(1), 24–27.

20. Moldovyan, N. A., Sklavos, N., Moldovyan, A. A., & Koufopavlou, O. (2005). CHESS-64, a block cipher based on data-dependent operations: Design variants and hardware implementation efficiency. Asian Journal of Information Technology, 4(4), 323–334.

21. Sklavos, N., & Koufopavlou, O. (2003). Data dependent rotations, a trustworthy approach for future encryption and systems/ciphers: Low cost and high performance. Computers and Security, 22(7).

22. Sklavos, N., Moldovyan, N. A., & Koufopavlou, O. (2003). A new DDP-based cipher CIKS-128H: Architecture, design & VLSI implementation optimization of CBC-encryption & hashing over 1 GBPS. In Proceedings of the 46th IEEE Midwest symposium on circuits & systems, December 27–30, Cairo, Egypt.

23. Sklavos, N., Moldovyan, N. A., & Koufopavlou, O. (2003). Encryption and data dependent permutations: Implementation cost and performance evaluation. In LNCS: Vol. 2776. MMM-ACNS 2003 (pp. 337–348). Berlin: Springer.

24. Sklavos, N., Moldovyan, N. A., & Koufopavlou, O. (2005). High speed networking security: Design and implementation of two new DDP-based ciphers. Mobile Networks and Applications—MONET, 25(12), 219–231.

25. Phan, R. C.-W., & Handschuh, H. (2004). On related-key and collision attacks: The case for the IBM 4758 cryptoprocessor. In LNCS: Vol. 3225. ISC 2004 (pp. 111–122). Berlin: Springer.

26. Razali, E., & Phan, R. C.-W. (2006). On the existence of related-key oracles in cryptosystems based on block ciphers. In LNCS: Vol. 4277. OTM workshops 2006 (pp. 425–438). Berlin: Springer.

Changhoon Lee received his Ph.D. degree in the Graduate School of Information Management and Security (GSIMS) from Korea University, Korea. He is now a professor in the School of Computer Engineering, Hanshin University, Korea. He is also an editorial board member of IJITCC and JIPS. Furthermore, he has been serving as a guest editor for international journals by some publishers. His research interests include information security, cryptology, embedded security in cars, digital forensics, ubiquitous and pervasive computing, etc. He is currently a member of the IEEE, IEEE CS, IEEE Communications, IACR, KIISC, KIPS, KITCS, KMMS, KONI, and KIIT societies.

Sangjin Lee received his doctoral degree in Mathematics from Korea University, Korea, in 1989. He was a professor of the Department of Mathematics at Korea University from March 1999 to August 2001 and has been a professor of the Graduate School of Information Management and Security at Korea University since August 2001. He is also a president of the Cryptography Research Society and a director for industry-academic cooperation in the Korea Institute of Information Security and Cryptology. His research interests include digital forensics, cryptography, cryptanalysis, and information hiding.


Jong Hyuk Park received his Ph.D. degree in the Graduate School of Information Security from Korea University, Korea. He is now a professor at the Department of Computer Science and Engineering, Seoul National University of Technology, Korea. He has published many research papers in international journals and conferences. He has been serving as chair, program committee member, or organizing committee chair for many international conferences and workshops. He is editor-in-chief of the International Journal of Information Technology, Communications and Convergence (IJITCC). In addition, he has been serving as a guest editor for international journals by some publishers. His research interests include security and digital forensics, ubiquitous and pervasive computing, context awareness, multimedia services, etc. He received the best paper award at the ISA-08 conference, April 2008.

Sajid Hussain is an Assistant Professor in the Jodrey School of Computer Science, Acadia University, Canada. He received his Ph.D. in Electrical Engineering from the University of Manitoba, Canada. He is an Adjunct Professor in the Faculty of Computer Science at Dalhousie University and a Visiting Lecturer for SPIE. He is interested in smart homes, telehealth, and industry automation. He has co-organized several journal special issues, conferences, and workshops. He has served on many technical program committees and reviewed papers for several journals. Further, he has reviewed grant proposals for NSERC's Discovery, SPG, and RTI grants. He is a member of the IEEE, ACM, IET, SPIE, CIPS, CAIAC, and Sigma Xi societies.

Jun Hwan Song received his Ph.D. in Mathematics from Rensselaer Polytechnic Institute, USA, in 1993. He is now an associate professor at the Department of Mathematics at Hanyang University, Korea. He is interested in cryptography, cryptanalysis, mathematical programming and digital forensics.