Related-Key Differential Attacks on COSB-128

COSB-128 (Moldovyan et al., 2002) is a block cipher with 128-bit and 256-bit secret keys, which use key and data-dependent operational substitutions in fast controllable permutation blocks (CPB) concept. It is designed with a simple key schedule to ensure a high speed of data transformation by fast block encryption algorithms and expected to be high stability to all known methods of cryptanalysis, especially differential and linear attacks. In this paper, we show that the COSB-128 block cipher still remains weaknesses to differential related-key cryptanalysis, by constructing two full 10-round related-key differential characteristics (DCs) of COSB-128 with high probabilities, and thence propose our two related-key differential attacks. The attacks require about 224 data and time complexities to recover 63-bit key information and 222 data and time complexities to recover 6-bit key information. This study is the first known cryptanalytic result on COSB-128 until now. From this study, the new potential for the cryptanalysis on these types of block cipher will be further revealed.


Introduction
Recently, the use of network-based devices and services has increased gradually. Thence, the security becomes an essential interest, which is required not only to be strong with most known attacks but also to be optimized on software-hardware implementations [1,2] or specialized applications. With these criteria, designing cipher using in which data-dependent controllable operations is a cryptographic primitive approach in modern applied cryptography.
When the best known algorithms using controllable permutations (RC5, RC6, etc. [3]) showed their limitations in protective transformation, the operational substitutions offer promise for fast block encryption algorithms with better performance.
Recently, there are some designs of block ciphers which are presented, such as CIKS-1 [4], CIKS-128 [5], Cobra-H64, Cobra-H128 [6], SCO-1, SCO-2, and SCO-3 [7] which aim to enhance the security of the DDP-(data-dependent permutation-) based ciphers structure. Although there are many well-known ciphers, with different specifications and characteristics, the security of them is still under consideration. All of them use a very simple key scheduling for high speed encryption algorithms, which enables the cryptanalysis exploit by applying related-key attacks concept.
COSB-128 [8] is a 128-bit block cipher with a 256-bit key; the number of round is 10. It uses controlled operational substitution (COS) with the concept of fast controllable permutation blocks (CPB) [9]. This cipher is expected to have high performance in hardware-software implementations and high stability to all known cryptanalysis, especially differential attacks and linear attacks. Related-key differential cryptanalysis was introduced in 1994 by Biham [1,2] and has become an effective and popular method for attacking many types of block ciphers. This attack researched on CIKS-cipher family [10], Cobra-cipher family [11], or SCO-cipher family [12]. . . has given a reasonable result with better performance.
In this paper, we show that this type of block cipher is still vulnerable to related-key differential attack, by constructing two full 10-round differential characteristics (DCs) of COSB-128 with high probabilities; thence, we present our two related-key differential attacks on it. The attack allows us to recover 63-bit key information with about 2 24 data related-key chosen plaintexts and 2 24 encryptions and 6bit key information with about 2 22 data related-key chosen Crypt (e)  This paper is organized as follows: in Section 2, we present the COSB-128 block cipher; in Section 3, the related-key differential characteristics and our related-key differential attack on COSB-128 are proposed. Finally, we give the conclusion of this paper in Section 4.

Description of COSB-128 Block Cipher
In this section, the structure of COSB-128 block cipher is reviewed. Firstly, we notice some notations using through the whole paper. The cipher = ( 1 , 2 , . . . , ) is assigned with 1 and being the most significant bit and the least significant bit, respectively: (i) Δ : the input difference in round ; (ii) Δ : the round-key difference in round ; (iii) Δ : the output difference in round ; (iv) , : the th bit and th bit are ones; the others are zeros within a cipher (e.g., 2,5 = (0, 1, 0, 0, 1, 0, . . . , 0)). The encryption procedure of COSB-128 is as follows.

Key Recovery Attacks on COSB-128
In this section, we construct a full 10-round related-key differential characteristic (DC) of COSB-128 with high probabilities using some properties of Crypt ( ) function and thence propose our related-key differential attack on COSB-128 block cipher.

Properties of COSB-128.
We obtain some appropriate properties of Crypt ( ) function of COSB-128 that enable us to construct related-key differential characteristics.

Properties with
is a probability to have the output difference Δ of F 2/1 , with Δ and Δ being the input difference and the controlling vector difference, respectively. Then we can calculate the probability as the following.

3.1.2.
Properties with F / . Extensively, we let Pr(F / )(Δ / Δ , Δ ) be a probability to have the output difference Δ of F / , with Δ being the input difference and Δ being the controlling vector difference. We have the following.

Properties with Transformation H and G
(a) Let , , and be the inputs of transformation H, respectively:
We describe the way to construct the DCs in detail as follows.
(Z 1 ) The first rounds with the input and round key differences are (0, 0) and (0, 16 , 0, 0), respectively, so the output difference of the first H is 192 with probability 1 (Section 3.1.4(a)). Thence, since the input difference and the control vector difference of F 64/192 are 0 International Journal of Distributed Sensor Networks 5 Table 2: Related-key differential characteristics (DCs) of a full 10-round COSB-128.
and 192 , the output difference of F 64/192 is 0 with probability E1 = 2 −2 (Section 3.1.3(b)). The output difference of G is 0 with probability E2 = 1 when the input and the round key differences are 0 and 0, respectively (odd round cycle, Q = 1 ⊕ 3 ). Plus, the output difference of F −1 64/192 is 0 with probability E3 = 1 since output difference of the second H is 0 with probability 1 (Section 3. 1.4(b)). Finally, we can get that the output difference of function Crypt ( ) is 0 with probability 2 −2 in case the input differences are (0, 0) under the round key differences which are (0, 16 , 0, 0). Apply the method (Z 1 ) for the fifth round and ninth round to find the DC of them.
(Z 2 ) The second round with the input and round key differences are (0, 0) and (0, 0, 16 , 0), respectively; so the output difference of the first H is 0 with probability 1. Thence, since the input difference and the control vector difference of F 64/192 are 0 and 0, the output difference of F 64/192 is 0 with probability E1 = 1 (Section 3.1.3(a)). The output difference of G is 0 with probability E2 = 1 when the input and the round key differences are 0 and 0, respectively (even round cycle, Q = 2 ⊕ 4 ). Plus, the output difference of F −1 64/192 is 0 with probability E3 = 2 −2 (Section 3.1.3(b)) since output difference of the second H is 32 with probability 1 (Section 3.1.4(b)). Finally, we can get that the output difference of function Crypt ( ) is 0 with probability 2 −2 in case the input differences are (0, 0) under the round key differences which are (0, 0, 16 , 0). Apply the method (Z 2 ) for the sixth round to find the DC of it.
With the last round, we change a little the difference characteristics for the output of F −1 64/192 support to our relatedkey differential attacks. The input and round key differences of Crypt ( ) are (0, 0) and (0, 0, 16 , 0). The output difference of F 64/192 is 0 with probability E1 = 1 (the output difference of the first H is 0). Thus, the output difference of G with the input and the round key differences being 0 and 0 is 0 with probability E2 = 1 (Section 3. 1.4(b)). Plus the output difference of the second H is 32 with probability 1 (Section 3.1.4(a)); in this case, the input difference and the control vector differences of F −1 64/192 are 0 and 32 ; we get that the output difference F −1 64/192 is with probability 2 −4 (Section 3.1.1). Finally, for the last round, the related-key differential characteristic holds the probability 2 −4 .
See the Appendix for more description.

The First Related-Key Differential Attack on COSB-128.
Based on the related-key DC we have constructed, we can recover a part of master key of COSB-128. At first, we encrypt 2 23 plaintext pairs ( , * ) and Δ = ⊕ * = (0, 16 ) to get 2 23 corresponding ciphertext pairs ( , * ) under an unknown key = ( 1 , 2 , 3 , 4 ) and an unknown related key ( 1 , 2 ⊕ 16 , 3 , 4 ). While the probability of related-key differential characteristics of COSB-128 is 2 −22 , we expect there are at least 2 ciphertext pairs ( , * ) with the difference ( 16 , ) for each , where 1 ≤ ≤ 64. So, with the DC described in Table 2, we can infer the th one-bit difference where the ciphertext pairs ( , * ) are given from the output differences of F V 32 6 1/2 in F −1 64/192 at the last round (refer to Figure 3). Thence, it can be expected that the differential route given is unique and we are able to retrieve 6 bits of controlling vectors for this route.
The related-key differential attack on the full-round COSB-128 is as follows.
The data complexity of this attack is 2 24 related-key chosen plaintexts. The time complexity of (1) is about 2 24 full round COSB-128 encryptions and the time complexities of (2) and (3) are much less than that of (1). Also, each ciphertext pair passes (2) with probability of at least 2 −22 ; thence, the ciphertext pairs with ( 16 , ) difference are expected to be at least 2. It means, for each (1 ≤ ≤ 64), we have at least one ciphertext pair meets the ( 16 , ) difference. So, we expect to retrieve 56-bit keys information of F −1 64/192 and 7-bit keys information of F 64/192 with the data and time complexities of 2 24 .

The Second Related-Key Differential Attack on COSB-128.
For increasing the differential probability, we propose the second attack by constructing another related-key differential characteristic on COSB-128 with probability 2 −20 . In fact, we assume the probability of differential patterns of the 2nd, 3rd, 4th, 5th, and 6th layers in the box F −1 64/192 at the last round is 1. It means the bit-one input difference of the 32th F 2/1 always gets the direction to the -bit output difference of the 6th layer. Also, the probability is 1 because when the input difference is (0, 1) and controlling vector difference is 0 of F 2/1 , the corresponding hamming weight of output difference is always 1. Then, we can recover a 6-bit key with data complexity being about 2 22 related-key chosen plaintexts with time complexity of about 2 22 full round COSB-128 encryptions.
The second related-key differential attack on COSB-128 is as follows.
(1) This step is same as the algorithm applied on the Step (1) of the first related-key differential attack on COSB-128 in Section 3.3.
Thus, we can extent this attack to retrieve the whole of master key pair ( , ) by applying an exhaustive search for the remaining keys. The exhaustive search takes a running time of 2 250 encryptions and recovers the full key with the same data complexity and time complexity of about 2 250 fullround COSB-128 encryptions.

Conclusion
The network-environment devices and services have increased rapidly in recent years. It leads the cryptography to new way; it does not only offer protection for stability to all known attacks, but also needs to be optimized on softwarehardware implementations and suitable for most constrained environment applications in communication networks nowadays. In order to construct fast block encryption algorithms for ensuring high speed encryption in data transformation, the data-dependent controllable operations have been highly used.
While the operational permutation blocks (RC5, RC6, etc. [3]) still remain limitations in protective data transformation, COSB-128 [8] is a 128-bit block and 256-bit key, which uses the controllable operational substitutions in the concept of CPB [9], is proposed to give a good performance and be stable to most known cryptanalyses.
In this paper, we constructed the two related-key differential characteristics of a full 10-round of COSB-128 cipher with high probabilities based on some differential properties International Journal of Distributed Sensor Networks  International Journal of Distributed Sensor Networks combined with the simple key schedule within COSB-128 structure. Then, it enables us to propose the two related-key differential attacks on COSB-128. Our attacks require 2 24 and 2 22 related-key chosen plaintexts, respectively, with the time complexities of 2 24 and 2 22 full-round COSB-128 encryptions, to recover 63 bits and 6 bits key information, respectively. This research is the first known cryptanalytic result on COSB-128 so far. Furthermore, it is hoped it will extend a new potential with better performance for cryptanalysis on this algorithm with type of ciphers in further research.