Type-3 Feistel Network of The 128-bits Block Size Improved Blowfish Cryptographic Encryption

In this paper, a new secret-key block cipher called 128-bits Blowfish is proposed. It is an evolutionary improvement of 64-bits Blowfish, designed to meet the requirements of the Advanced Encryption Standard (AES), to increase security and to improve performance. The proposed algorithm uses a variable key size of up to 192 bytes. It is a Type-3 Feistel network that iterates a simple function 16 times. Specifically, the proposed algorithm uses a combination of four S-box lookups, multiplications, and fixed and data-dependent rotations. The mixing rounds provide different levels of security, efficiency and flexibility, and a good avalanche effect. The proposal is word-oriented, in that all the internal operations are performed on 32-bit words, so the algorithm can be implemented efficiently on smart cards.


Introduction:
Symmetric-key block ciphers have long been used as a fundamental cryptographic element for providing information security. Although they are primarily designed for providing data confidentiality, their versatility allows them to serve as a main component in the construction of many cryptographic systems such as pseudorandom number generators, message authentication protocols, stream ciphers, and hash functions. There are many symmetric-key block ciphers which offer different levels of security, flexibility, and efficiency. Among the many symmetric-key block ciphers currently available, some (such as DES, RC5, CAST, Blowfish, FEAL, SAFER, and IDEA) have received the greatest practical interest [1].
Most symmetric-key block ciphers (such as DES, RC5, CAST, and Blowfish) are based on a "Feistel" network construct and a "round function". A Feistel cipher divides the plaintext into two halves (whose length depends on the algorithm used) and repeatedly applies a round function to the data for some number of rounds. In each round, using the round function and a key (K1, K2, ..., Kn, where n is the number of rounds), the left half is transformed based on the right half and then the right half is transformed based on the modified left half, as shown in figure (1). The round function provides a basic encryption mechanism by composing several simple linear and nonlinear operations such as Exclusive-OR, substitution, permutation, and modular arithmetic [2]. Some existing modern ciphers are relevant here. ABC is a substitution-permutation network comprising 17 rounds with 3 different kinds of round functions; it is derived from the MMB and SAFER block ciphers [3]. Unbalanced Feistel Networks (UFNs) consist of a series of rounds in which one part of the block operates on the rest of the block [4]. PRESENT is an ultra-lightweight block cipher; it is an example of an SP-network and consists of 31 rounds, with a block length of 64 bits and two supported key lengths of 80 and 128 bits [5]. Different round functions provide different levels of security, efficiency, and flexibility. The strength of a Feistel cipher depends heavily on the degree of diffusion and non-linearity provided by the round function. Many ciphers (such as DES and CAST) base their round functions on a construct called a "substitution box" (S-box) as a source of diffusion and non-linearity. Some ciphers (such as RC5) use bitwise data-dependent rotations, and a few other ciphers (such as IDEA) use multiplication in their round functions for diffusion [1].
In this paper, an improvement of the Blowfish algorithm, a symmetric-key block cipher, is presented with a block size of 128 bits and a variable key size of up to 192 bytes. The philosophy of the proposed algorithm is to use the full menu of "strong operations" supported in modern computers to achieve better security properties and provide high speed. The main aim behind the design of this proposal is to get the best security/performance tradeoff over existing ciphers.

Blowfish Algorithm
Blowfish is a block cipher that encrypts data in 8-byte blocks. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a variable-length key of at most 64 bytes (512 bits) into several subkey arrays totaling 4168 bytes [6].

Subkeys:
Blowfish uses a large number of subkeys. These keys must be precomputed before any data encryption or decryption [6].

Encryption and Decryption:
The underlying philosophy behind Blowfish is that simplicity of design yields an algorithm that is easier to implement, through the use of a streamlined Feistel network, a simple S-box substitution and a simple P-box substitution. The Feistel network that makes up the body of Blowfish is designed to be as simple as possible, while still retaining the desirable cryptographic properties of the structure. Figure (2) illustrates the architecture of the Blowfish algorithm with 16 rounds. The input is a 64-bit data element, X, which is divided into two 32-bit halves, XL and XR:

For i = 1 to 16:
    XL = XL XOR Pi
    XR = F(XL) XOR XR
    swap XL and XR

After the sixteenth round, swap XL and XR again to undo the last swap. Then XR = XR XOR P17 and XL = XL XOR P18.

Finally, recombine XL and XR to get the ciphertext.
Each bit of XL is only used as the input to one S-box. In DES many bits are used as inputs to two S-boxes, which strengthens the algorithm considerably against differential attacks.
The number of rounds is 16, and this number affects the size of the P-array and therefore the subkey-generation process; 16 iterations permit key lengths up to 512 bits.

Function F:
The function F, shown in Fig.3 can be described as follows [6]. Divide XL into four eight-bit quarters: a, b, c, and d. Then, The non-reversible function is designed for strength, speed, and simplicity.
The function that combines the four S-box outputs must be as fast as possible. A simpler function would be to XOR the four values, but mixing addition mod 2^32 and XOR combines two different algebraic groups with no additional instructions. The alternation of addition and XOR ends with an addition operation because an XOR combines the final result with XR. Decryption is exactly the same as encryption, except that P1, P2, ..., P18 are used in the reverse order.

Subkeys Generation:
The subkeys are calculated using the Blowfish algorithm as follows:
1. Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0x03707344, etc.
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32 bits of the key, and so on for all bits of the key (possibly up to P16). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. (For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.)
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.
In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times [7].
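The 16-round network and the seven subkey-generation steps described above, as an added Python example (not code from the paper or from a Blowfish implementation). The P-array starts from the hexadecimal digits of pi; the initial S-box contents are constructed stand-ins from a seeded generator, so the output will not match real Blowfish test vectors, and the 64-byte key limit is the one stated in the text.

```python
import random

MASK = 0xFFFFFFFF
# Initial P-array: the first 18 words of the hexadecimal expansion of pi.
P_INIT = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
          0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
          0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B]

def initial_sboxes():
    # ASSUMPTION: constructed stand-in tables; real Blowfish continues with pi digits.
    rng = random.Random(0)
    return [[rng.getrandbits(32) for _ in range(256)] for _ in range(4)]

def F(S, x):
    # Split x into four bytes a, b, c, d and mix the lookups with add, XOR, add.
    a, b, c, d = (x >> 24) & 0xFF, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK) ^ S[2][c]) + S[3][d]) & MASK

def crypt(P, S, xl, xr):
    for i in range(16):
        xl ^= P[i]
        xr ^= F(S, xl)
        xl, xr = xr, xl
    xl, xr = xr, xl              # undo the last swap
    xr ^= P[16]
    xl ^= P[17]
    return xl, xr

def encrypt(P, S, xl, xr):
    return crypt(P, S, xl, xr)

def decrypt(P, S, xl, xr):
    return crypt(P[::-1], S, xl, xr)   # same network, P18..P1

def key_schedule(key):
    if not 1 <= len(key) <= 64:        # limit as stated in the text
        raise ValueError("key must be 1 to 64 bytes")
    P, S = list(P_INIT), initial_sboxes()
    for i in range(18):                # step 2: XOR the cycled key into P
        word = 0
        for j in range(4):
            word = (word << 8) | key[(4 * i + j) % len(key)]
        P[i] ^= word
    xl = xr = 0                        # step 3: start from the all-zero block
    iterations = 0
    for table in [P] + S:              # steps 4-7: P first, then each S-box
        for k in range(0, len(table), 2):
            xl, xr = crypt(P, S, xl, xr)
            table[k], table[k + 1] = xl, xr
            iterations += 1
    return P, S, iterations
```

Because step 2 only ever sees the cycled key stream, a key A and its repetitions AA and AAA produce identical subkeys, which is the equivalent-key property noted in step 2.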

The Proposed Algorithm:
The proposed algorithm works with four 32-bit registers A, B, C, D, which contain the initial input plaintext as well as the output ciphertext at the end of encryption. The cipher works with 32-bit words, in that all the operations in the proposed algorithm are applied to 32-bit words. This algorithm is a type-3 Feistel network that iterates a simple function 16 times (Fig. 4). The mixing rounds provide different levels of security, efficiency and flexibility, and a good avalanche effect.
The proposed algorithm is designed to use a full menu of "strong operations" supported in modern computers to achieve better security properties, high speed, and implementation flexibility. It uses primitive operations (add, subtract, multiply, exclusive-or, and data-dependent rotate). The proposed algorithm resists linear and differential attacks by using four key-dependent (S-box) tables of 255 32-bit words, which also give good avalanche of data and key bits.
The Algorithm, shown in In each round, the output of the F-function is the input to the E-function (which is derived from the MARS algorithm): one data word is used as the input to the E-function, and the three output words from the E-function are added or XORed to the other three data words. In addition, the source word is rotated by 13 positions to the left [1]. The proposal uses the same F-function structure as the previous Blowfish algorithm.
The decryption operation of the proposed algorithm is the inverse of the encryption operation, and the code for decryption is similar.

The E-function:
As mentioned above, the E-function is derived from the MARS encryption algorithm [1] with some The E-function takes as input one data word and uses two more key words to produce three output words. Three temporary variables are used in this function, denoted below by L, M and R (for left, middle and right); these variables are also referred to below as the three "lines" of the function. Initially, R is set to the value of the source word rotated by 13 positions to the left, and M is set to the sum of the source word and the first key word. The lowest nine bits of M are then viewed as an index into the S-boxes (the S-box is chosen by the number of the round mod 4), and L is set to the value of the corresponding S-box entry.
R is then multiplied by the second key word (which is constrained to contain an odd integer) and rotated by 5 positions to the left (so the 5 highest bits of the product become the 5 lowest bits of R after the rotation). R is then XORed into L, and the five lowest bits of R are viewed as a rotation amount between 0 and 31, by which M is rotated to the left. Next, R is rotated by 5 more positions to the left and XORed into L. Finally, the five lowest bits of R are again viewed as a rotation amount, and L is rotated to the left by this amount. The first output word of the E-function is L, the second is M and the third is R (see figure 6).
The Algorithm in Figure 7 shows the E-function operation of the proposed algorithm in detail.
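The E-function steps above, placed inside one type-3 Feistel round with its inverse, as an added Python example (not the authors' code). The S-box contents and round keys are constructed; the table size of 512 (so a nine-bit index is always in range), the choice of which outputs are added or XORed (L and M added, R XORed) and the word rotation order are assumptions, because the paper's figures are not reproduced here.

```python
import random

MASK = 0xFFFFFFFF

def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, (32 - n) & 31)

# ASSUMPTION: four constructed 512-entry tables standing in for the
# key-dependent S-boxes, and 16 constructed (k1, k2) round-key pairs.
_rng = random.Random(2024)
SBOX = [[_rng.getrandbits(32) for _ in range(512)] for _ in range(4)]
ROUND_KEYS = [(_rng.getrandbits(32), _rng.getrandbits(32) | 1) for _ in range(16)]

def f_function(x):
    # Blowfish-style F: four byte lookups mixed with add, XOR, add.
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((SBOX[0][a] + SBOX[1][b]) & MASK) ^ SBOX[2][c]) + SBOX[3][d]) & MASK

def e_function(src, k1, k2, rnd):
    if k2 & 1 == 0:
        raise ValueError("second key word must be odd")
    R = rotl(src, 13)                  # R: source rotated left by 13
    M = (src + k1) & MASK              # M: source plus first key word
    L = SBOX[rnd % 4][M & 0x1FF]       # L: S-box entry at low nine bits of M
    R = rotl((R * k2) & MASK, 5)       # multiply, then top 5 bits become low 5
    L ^= R
    M = rotl(M, R & 31)                # data-dependent rotation of M
    R = rotl(R, 5)
    L ^= R
    L = rotl(L, R & 31)                # data-dependent rotation of L
    return L, M, R

def round_forward(state, k1, k2, rnd):
    A, B, C, D = state
    L, M, R = e_function(f_function(A), k1, k2, rnd)
    # The source word A modifies all three other words, then is rotated by 13.
    return ((B + L) & MASK, (C + M) & MASK, D ^ R, rotl(A, 13))

def round_inverse(state, k1, k2, rnd):
    B, C, D, A = state
    A = rotr(A, 13)                    # recover the source word first
    L, M, R = e_function(f_function(A), k1, k2, rnd)
    return (A, (B - L) & MASK, (C - M) & MASK, D ^ R)

def encrypt_block(block, round_keys):
    for rnd, (k1, k2) in enumerate(round_keys):
        block = round_forward(block, k1, k2, rnd)
    return block

def decrypt_block(block, round_keys):
    for rnd in reversed(range(len(round_keys))):
        k1, k2 = round_keys[rnd]
        block = round_inverse(block, k1, k2, rnd)
    return block
```

The round is invertible whatever the F and E functions compute, because the source word is only rotated and can be recovered before the other three words are unmixed.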

Design rationale
In the design of the E-function, a combination of different operations is used in a way that maximizes the advantages of each. Some properties of this function are the following:
a) Recall that when two words are multiplied, the lower bits of the input word have a larger effect on the product than the higher bits. Thus, it is arranged so that the bits which are not fed as input to the S-box are the lowest bits in the data word which is being multiplied. The amount of rotation (13 bits) was set to maximize the resistance of the E-function to differential attacks. Also, since the internal structure of the E-function is very sensitive to the location of the input bits, it makes sense to apply a constant rotation to the data lines, so as to make it hard for an attacker to maintain a consistent behavior across rounds [1].
b) Recall also that when two words are multiplied, the most significant bits in the product are the "stronger bits", since they are affected by almost all the input bits. In the combination of the multiplication and the data-dependent rotation, it is therefore arranged so that these "strong bits" are used to determine the amount of the data-dependent rotation [1].
c) Since the E-function is supposed to approximate a pseudo-random function, we would like to make the three lines of the function as "independent of each other" as possible. Thus very little interaction between the data in the three lines is used. This also helps to avoid unwanted cancellations and makes it harder to obtain a linear approximation of one line in terms of another.
d) Still trying to guarantee some measure of "independence" between the data lines, it is ensured that the value of one line never completely determines the value of another line. Indeed, the relative entropy of any two lines is at least 9 bits (of lines L, R), and gets as high as 32 bits (of lines R, M).
e) Since line M is viewed as the weakest output of the E-function (as it only carries the sum of the input and a key word, rotated by some amount), it is placed as the middle output line. In this way, it never affects the next data line which is used as a source, but rather a data line which is used further down in the encryption process.

Subkey of proposed algorithm
There are two basic ways to ensure that the key is long enough for a particular security level. One is to carefully design the algorithm so that the entire entropy of the key is preserved, so there is no better way to cryptanalyze the algorithm than brute force. The other is to design the algorithm with so many key bits that attacks that reduce the effective key length by several bits are irrelevant. The range of values that a key can take becomes large. A large key space is necessary to prevent exhaustive search for a key (finding the correct value of a key by testing possible values until the correct one is found) [8]. The proposed algorithm increases the maximum key length from 64 bytes, in the previous Blowfish algorithm, to 192 bytes.
The proposed system still uses the same key generation process because it is designed to preserve the entire entropy of the key and to distribute that entropy uniformly throughout the subkeys. It is also designed to distribute the set of allowed subkeys randomly throughout the domain of possible subkeys [7]. So a P-array of 48 32-bit subkeys, P1, P2, ..., P48, is used.
The P-array and S-boxes must be precomputed before any data encryption or decryption. The method used to generate these subkeys uses the same procedure, which is used in the original Blowfish algorithm.

Security of Proposed Blowfish algorithm
The most important requirement is stated succinctly in the AES announcement [9]: "The security provided by an algorithm is the most important factor in the evaluation." The security obtained by using the proposed algorithm is increased, compared with the original Blowfish algorithm, by using a block size of 128 bits and allowing a 192-byte key length. The time-consuming subkey-generation process adds considerable complexity for a brute-force attack.
The complexity of the proposed algorithm is increased by using combinations of basic operations. Hence, by using the E-function, diffusion and confusion of the outputs of the S-box are achieved. The permutations in the proposed algorithm are key dependent, so that it avoids linking plaintexts to the input of the first F-function and ciphertexts to the input of the last F-function. The E-function uses combinations of basic operations to achieve a large number of encryption functions, i.e. permutations of binary n-bit vectors, with high structural complexity.

An Attacker of the proposal Algorithm
Differential cryptanalysis works against block cipher algorithms that use constant S-boxes. The attack is heavily dependent on the structure of the S-boxes; it looks specifically at ciphertext pairs whose plaintexts have particular differences. It analyzes the evolution of these differences as the plaintexts propagate through the rounds of the algorithm when they are encrypted with the same key. Certain differences in plaintext pairs have a high probability of causing certain differences in the resulting ciphertext pairs. The proposed algorithm is resistant to this type of attack, for several reasons:
- This type of attack is largely theoretical. The enormous time and data requirements to mount a differential cryptanalytic attack put it almost beyond the reach of everyone.
- A key-dependent permutation function is used in each round, such that the input bits are exchanged under the control of subkeys, so that the additive difference is destroyed as the bits are exchanged; this could provide protection against linear and differential cryptanalysis. Linear cryptanalysis works with a large S-box (which is key dependent) whose mapping is from a small number of bits to a large number of bits. Applying the E-function to the outputs of the S-box, and making this function dependent on the subkey, hides these weaknesses.
Data-dependent rotations can be performed quickly in software and hardware. Combined with arithmetic operations (such as addition), this operation is very effective against linear cryptanalysis. One problem with data-dependent rotations is that specifying a rotation amount for a w-bit word only takes log w bits. Hence, while the result of this operation depends on all the bits in one operand, it only depends on very few bits in the other. This may lead to differential weaknesses, as was recently demonstrated by Biryukov and Kushilevitz [10].

4.2 Avalanche Effect
Horst Feistel referred to the avalanche effect as "a small change in the key gives rise to a large change in the ciphertext" [11]. Table 1 shows the avalanche effect on the plaintext when only one bit is changed in the key, using Blowfish, RC6, Serpent and the proposed algorithm. For example, if the plaintext X=AAAAAAAAAAAAAAAA (16 characters (128 bits)) is encrypted by the proposed algorithm using two keys which differ in one bit, the result is two ciphertexts represented in hexadecimal: The avalanche effect is computed by finding the number of bits that differ between these two ciphertexts; in the above case it is equal to 68.
This section is prepared for making statistical tests on the ciphertext produced by encrypting the plaintext:
a considerable flexibility. Furthermore, its simplicity will allow analysts to quickly refine and improve our estimates of its security. It offers much improved security/performance over the previous Blowfish algorithm by taking advantage of the powerful operations supported in today's computers.
During the design process, several things can be concluded about cipher design:
1. The proposed algorithm is designed to be used in upgraded computer environments. It uses the full menu of "strong operations" supported in modern computers to achieve better security properties. This approach enables us to get a better security per-instruction ratio for our software implementation of this proposal than is possible for existing ciphers. The design takes full advantage of the ability of today's computers to perform fast multiplications and data-dependent rotations.
2. Working with 32-bit words. Since most computers today (and in the near future) use a word size of 32 bits, all the operations in the proposed algorithm are applied to 32-bit words. At the current state of the technology, this choice provides a good tradeoff between the ability to run the algorithm on computers which are available today (as well as on legacy systems and even 8-bit processors), and the ability to take advantage of larger word sizes in future architectures.
3. Type-3 Feistel network. Since the proposed algorithm has a block length of 128 bits and a word size of 32 bits, it follows that each block consists of four words. Among the various network structures which are capable of handling four words in a block, it seems that a type-3 Feistel network provides the best tradeoff between speed, strength and suitability for analysis. A type-3 Feistel network consists of many rounds, where in each round one data word (and a few key words) is used to modify all the other data words. Compared with a type-1 Feistel network (where in each round one data word is used to modify one other data word), this construct provides much better diffusion properties with only a slightly added cost. Hence, fewer rounds can be used to achieve the same strength. Additionally, a type-3 Feistel network has advantages over structures in which several data words are used "at once" to modify other data words, in that these structures are typically much harder to analyze (and hence, much more prone to design errors). The reason is that in such structures the analysis must take into account all the possible combinations of values for the input data words, which quickly leads to unmanageable complexity.
4. Symmetry of encryption and decryption. We designed MARS to be as secure against chosen ciphertext attacks as against chosen plaintext attacks. This dictates making the cipher very symmetric, so the last half of the rounds are almost a "mirror image" of the first half.
5. From the results that were obtained in section 4, and after measuring the strength of the proposed algorithm, it can be concluded that the proposed algorithm increases the security and complexity compared with the RC6, Blowfish and Serpent algorithms.