Security Analysis of Scalable Block Cipher PP-1 Applicable to Distributed Sensor Networks

PP-1 is a scalable block cipher which can be implemented on a platform with limited resources. In this paper, we analyze the security of PP-1 by using truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1: PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Our attack is applicable to the full-round version of each. The proposed attacks can recover a secret key of PP-1 with a computational complexity lower than that of exhaustive search. These are the first known cryptanalytic results on PP-1.

PP-1 is an involutional SPN block cipher which can be implemented on a platform with limited resources. It is scalable, which allows the use of different data block sizes and secret key sizes. In detail, PP-1 is an -bit scalable block cipher and supports /2 -bit secret keys. ( = 64, 128, 192, . . .). It uses an 8 × 8 S-box which is an involution and a bit-oriented permutation which is also an involution. As a result, it is a totally involutional cipher. To our knowledge, there is no cryptanalytic result on PP-1.
In this paper, we analyze the security of PP-1 against truncated differential cryptanalysis. As concrete examples, we consider four versions of PP-1: PP-1/64, PP-1/128, PP-1/192, and PP-1/256. Here, 64, 128, 192, and 256 indicate the length of data blocks. Our attack is applicable to the full-round version of each. Our attack results are summarized in Table 1. Here, PP-1/ means an -bit PP-1 which supports a -bit secret key. Note that since our attacks do not use the property of the key schedule of PP-1, the data complexity and the memory complexity of the attacks on PP-1/ and PP-1/ 2 have the same value. From this table, our attacks can recover a secret key of PP-1 with a computational complexity lower than that of exhaustive search. These results are the first known cryptanalytic results on PP-1.
The rest of this paper is organized as follows. In Section 2, we briefly present PP-1. In Section 3, differentials on PP-1 are derived, and their probabilities are computed. Truncated differential cryptanalysis on each version of PP-1 is proposed in Sections 4, 5, and 6, respectively. Finally, we give our conclusion in Section 7.

Description of PP-1
PP-1 is an -bit scalable block cipher and has -round SPN structure ( = 64, 128, 192, . . .). The length of a secret key is or 2 bits. In [10], the designers of PP-1 proposed the following four versions of PP-1 as concrete examples.
We omit the key schedule of PP-1, as it is not effectively used in our attack.

The Round Function.
As shown in Figure 1(a), the round function of PP-1 consists of ( /64) nonlinear NL functions (NL 0 , . . . , NL ( /64−1) ) and an -bit involutional permutation . For example, when = 64, the round function uses only NL 0 . Note that is not conducted in the last round. (NL 0 , . . . , NL ( /64−1) ) have the same structure but different round keys are used.
A 128 bit sub-round key (RK 0 , RK 1 ) is divided into eight 8 bit elementary keys as follows, respectively: Thus, each elementary key is XORed with, added to, or subtracted from an 8 bit intermediate value. For example, RK 1 0 is XORed with the 8 bit output value of the first S-box.

The Permutation Function . is an -bit involutional bit-oriented permutation. It is constructed by using two algorithms, the auxiliary algorithm (Algorithm 1) to compute auxiliary permutation Prm and the main algorithm (Algorithm 2) to compute permutation .
For example, the 128 bit permutation is obtained as a result of 64 calls of Algorithm 2 for a pair numbered as from 1 to 64, the number of block bits = 128 and the number of S-box bits = 8. When = 2, the value of Prm is equal to 9 and the resultant pair ( , ) = (3,18). It means that the third bit of the input value is mapped to the eighteenth bit of the output value.

Construction of Differentials on PP-1
In this section, we introduce the methodology of constructing differentials on PP-1 used in our attacks. For simplicity, we define the following notation.
(i) ( → ) : a -round differential characteristic where input/output differences are and , respectively.
(ii) : a -round differential where input/output differences are and , respectively.
(iii) ( , ): a byte string where the th byte value is and the other bytes are zero (the index of the leftmost byte is 0).

Differential Characteristic on PP-1.
In general, a differential characteristic with a higher probability passes through fewer nonlinear operations, such as S-boxes, than one with a lower probability. Recall that a -function consists of S-box, addition, subtraction, and XOR. Among these operations, the nonlinear ones are S-box, addition, and subtraction. Thus, in order to construct a differential characteristic with a high probability, we should avoid them.
We examined such differential characteristics on PP-1. As a result, we found several -round differential characteristics with a probability of 2 −7⋅ . For example, in the case of PP-1/64, we can construct ((7, 0x01) → (7,0x01)) with a probability of 2 −7⋅ . This characteristic passes through only one S-box in each round, and the probability that the S-box outputs an output difference 0x01 from an input difference 0x01 is $2^{-7}$.
We expect that this type of differential characteristic has the highest probability. That is, such characteristics pass through the fewest S-boxes, addition operations, and subtraction operations. We extend it to differentials in the next subsection.

Finding of Differentials with a High Probability.
The probability of a differential is computed by adding the probabilities of all differential characteristics which are included in it. The more differential characteristics with a high probability a differential includes, the higher its probability is. Thus, in order to find a differential on PP-1 with a high probability, we consider the following criteria.
(i) In each round, a differential characteristic has only one active S-box.
(ii) In each round, a differential characteristic does not pass addition/subtraction operations.
The probability of every -round differential characteristic satisfying the above criteria is at least 2 −7⋅ , since the minimum probability from the difference distribution table of the S-box is $2^{-7}$. Thus, we measure the probability of a differential by counting only the number of differential characteristics which satisfy the above criteria and are included in it. That is, if there are such differential characteristics, the probability of a differential including them is at least ⋅ 2 −7⋅ . On the other hand, differential characteristics which do not satisfy the above criteria pass through additional nonlinear operations in each round. In this case, their probabilities are much smaller than 2 −7⋅ . Thus, we expect that differential characteristics which do not satisfy the above criteria contribute less to the probability of a differential.
In order to efficiently count differential characteristics satisfying the above criteria, we consider differences 's satisfying the following conditions. Let D be a set containing such 's. We can easily prove that all -round differential characteristics satisfying the above criteria include ( → ) 1 in each round ( , ∈ D). It means that we only need to consider D in order to find all differential characteristics holding the above criteria.
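The counting argument above can be checked on a small model. This is an added example, not code from the paper: it uses GF(2^8) inversion as a constructed stand-in for an involutional 8 × 8 S-box (PP-1's own S-box and permutation are not reproduced on this page), assumes the single active S-box stays in the same byte position every round, and compares the exact sum of trail probabilities inside a differential with the bound count · 2^(−7·rounds).

```python
from fractions import Fraction

def gf_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8); the AES polynomial is an assumed stand-in field."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def gf_inv(x):
    """x^254 = x^-1 in GF(2^8), with 0 -> 0; inversion is an involution."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def ddt(sbox):
    """Difference distribution table: t[dx][dy] = #{x : S(x)^S(x^dx) = dy}."""
    t = [[0] * 256 for _ in range(256)]
    for dx in range(256):
        for x in range(256):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t

def differential(t, a, b, rounds):
    """Count trails a -> b and sum their probabilities (one active S-box per
    round, same byte position every round: a simplifying assumption)."""
    count, prob = {a: 1}, {a: Fraction(1)}
    for _ in range(rounds):
        nc, npr = {}, {}
        for d in count:
            for e in range(1, 256):
                if t[d][e]:
                    nc[e] = nc.get(e, 0) + count[d]
                    npr[e] = npr.get(e, 0) + prob[d] * Fraction(t[d][e], 256)
        count, prob = nc, npr
    return count.get(b, 0), prob.get(b, Fraction(0))

SBOX = [gf_inv(x) for x in range(256)]   # constructed stand-in, not PP-1's S-box
DDT = ddt(SBOX)

if __name__ == "__main__":
    r = 3
    n, p = differential(DDT, 0x01, 0x01, r)
    print(f"{n} trails, exact sum {float(p):.3e}, bound {n * 2.0 ** (-7 * r):.3e}")
```

Every DDT entry of a bijective 8-bit S-box is even, so no possible transition has probability below 2/256, which is why counting trails alone yields a valid lower bound on the differential probability.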

Truncated Differential Analysis on PP-1/64
In this section, we propose truncated differential analysis on full-round PP-1/64 64 and full-round PP-1/64 128. Since PP-1/64 64 and PP-1/64 128 have the same structure except for the key schedule, the attack procedures on them are similar. Thus, we mainly introduce the attack procedure on PP-1/64 64.

Construction of Structures.
We consider a structure consisting of 256 plaintexts; that is, = {( ‖ ) | = 0, 1, 2, . . . , 255} where is a 56 bit fixed value. Then we can compose $2^{15}$ plaintext pairs for each structure. Among these plaintext pairs, there are $2^{7}$ plaintext pairs where an input difference of round 2 is one of ((7, )) for each . Table 3 presents the expected number of right plaintext pairs where an output difference of round 10 is included in ((7, )). These values are computed as follows: ] .  Table 3).
In our attack on PP-1/64 64, we first obtain 72 bits of partial information on RK 11 = (RK 11 0 , RK 11 1 ) and an 8 bit RK 1 007 . The attack procedure is as follows (see Figure 2).
(1) Choose $2^{37.29}$ structures which are composed of 256 plaintexts and obtain the corresponding ciphertexts. From these ciphertexts, compute $2^{52.29}$ ($= 2^{15} \cdot 2^{37.29}$)
(3) Filter out the ciphertext pairs where Δ 00 , Δ 01 , Δ 03 , Δ 05 and Δ 06 are not zero in A. Do the following for the remaining ciphertext pairs:
(a) Guess an 8 bit RK 11 107 (note that this substep indicates "Guess 1" in Figure 2).
(b) Partially encrypt all remaining ciphertext pairs with the guessed round key RK 11 107 to get Δ 11 07 . Check that Δ 11 07 is included in ( 1 ) from (4). If it is included in ( 1 ), increment the counter corresponding to the guessed key by one.
(c) Output the guessed key which has the maximal counter as the right RK 11 107 .
(4) From A, filter out the ciphertext pairs where Δ 00 , Δ 03 , Δ 05 , and Δ 06 are not zero and the ciphertext pairs considered in Step (3). Do the following for the remaining ciphertext pairs:
(a) Check that Δ 07 is a nonzero value for each remaining ciphertext pair. Partially encrypt the ciphertext pairs passing this test with the recovered round key RK 11 107 to obtain Δ 11 07 . If this value is not included in ( 1 ), filter out the corresponding ciphertext pairs.
(c) Similarly to Step (5)(c), check that Δ 11 00 is included in ( 4 ). Output the guessed key which has the maximal counter as the right RK 11 100 .
(c) Similarly to Step (6)(c), check that Δ 11 06 is included in ( 5 ). Output the guessed key which has the maximal counter as the right RK 11 006 and RK 11 106 .

(8) From A, filter out the ciphertext pairs considered in Step
(a) Guess an 8 bit RK 1 007 ("Guess 7" in Figure 2).
(b) Partially encrypt the plaintext pairs in Step (9) with the guessed round key to obtain the output difference of the 8th S-box in round 1, that is, {0x01, 0x02, 0x04, 0x08, 0x09, 0x80, 0x84}, increment the counter corresponding to the guessed key by one.

In the case of the attack on PP-1/64 128, the data and memory complexities are the same as those of the attack on PP-1/64 64. However, the computational complexity of this attack is dominated by Steps (1) and (10), since we should do an exhaustive search for the remaining 48 bit key information. The computational complexity of Step (1) is about $2^{45.29}$ ($\approx 2^{37.29} \cdot 2^{8}$) encryptions. In Step (10), the probability that a wrong key passes this step is $2^{-64}$. Thus, it is sufficient to use just one plaintext/ciphertext pair. The computational complexity of Step (10) is about $2^{48}$. Hence, the computational complexity of the attack on PP-1/64 128 is about $2^{48.21}$ ($\approx 2^{45.29} + 2^{48}$) encryptions.

Conclusion
In this paper, we have presented the first known cryptanalytic results on four concrete versions of the scalable block cipher PP-1 (full-round PP-1/64, full-round PP-1/128, full-round PP-1/192, and full-round PP-1/256) by using truncated differential cryptanalysis. As summarized in Table 1, our attacks on these algorithms require computational complexities smaller than that of exhaustive search. These results indicate that PP-1 is vulnerable to truncated differential cryptanalysis and that it is insecure.