IMPLICATIONS OF BITSUM ATTACK ON TINY ENCRYPTION ALGORITHM AND XTEA

TEA and XTEA are block ciphers that use a Feistel structure. We enciphered a fixed message with different keys using the TEA and XTEA cryptographic algorithms. Our interest was to find the correlation of the bitsum of the ciphertext with the bitsums of the corresponding keys. In our attempt, we found that for specific patterns of keys, whatever the plaintext, the bitsum of the key is in perfect correlation with the bitsum of the ciphertext.


INTRODUCTION
Wheeler and Needham (1994) proposed the Tiny Encryption Algorithm (TEA), a Feistel cipher that uses many iterations rather than complicated coding. A single-bit change in the plaintext can change up to 32 bits of the ciphertext. TEA performs very efficiently on modern computers and handheld devices.
The easy implementation of TEA has made it very popular, and it is used in electronic product development, PDA data encryption, smart card encryption and embedded systems.
David Wagner informed the developers of TEA by e-mail that TEA has two minor weaknesses (Needham and Wheeler, 1997). To overcome those weaknesses, Needham and Wheeler (1997) presented XTEA, a block cipher with a 64-bit block size and a 128-bit key. XTEA retains the simplicity and efficiency of TEA. It has some rearrangements of XORs and shifts and a more complex key schedule.

CRYPTANALYSIS
Cryptanalysis is the science of breaking cryptographic ciphers. We have some ciphertext produced by some algorithm and we try to produce the plaintext or, better, the key. According to Schneier (1996), there are four general types of cryptanalytic attacks. All these attacks assume that the cryptanalyst has complete knowledge of the encryption algorithm used.

Ciphertext-Only Attack
In this type of attack, the cryptanalyst has the ciphertext of a number of messages, all of which are encrypted with the same encryption algorithm. The job of the cryptanalyst is to recover the plaintext from all of the available ciphertext, or from as much of it as possible.

Known-Plaintext Attack
In this kind of attack, the cryptanalyst has the ciphertext of numerous messages as well as their plaintext. His job is to deduce the key used to encrypt the messages, or an algorithm, so that any other messages encrypted with the same key can also be decrypted.

Chosen-Plaintext Attack
In this type of attack, the cryptanalyst has access to the ciphertext and the associated plaintext for a number of messages, and he also chooses the plaintext that gets encrypted.

Adaptive-Chosen-Plaintext Attack
This type of attack is a special case of the chosen-plaintext attack. Here the cryptanalyst can choose the plaintext that is encrypted and can also amend his choice based on the outcomes of the previous encryptions.

CRYPTANALYSIS OF TEA
Some of the attacks on TEA are mentioned below:
• Moon et al. (2002) showed impossible differential cryptanalysis of TEA on reduced rounds. They exploited the design simplicity of TEA and XTEA on the reduced rounds.
• Saarinen (1998) did cryptanalysis of Block TEA. This attack was characterized as a differential attack.
• Andem (2003) Reddy found some of the weaknesses of TEA. But encryption with more than six rounds shows resistance against cryptanalytic attacks, and his research also concludes that TEA is a best-fit algorithm for small devices.
• Hernandez and Isasi (2004) showed that TEA with less than five rounds is not robust against the proposed distinguisher and should not be used for cryptographic purposes.

PROPOSED METHOD
We presented a novel bitsum attack in Geetha and Bagga (2011), and the same is reproduced here for a better understanding of the paper:
a. Choose a cipher to be investigated.
b. Loop
   i. For the cipher under investigation, we will encipher a fixed message M with N different keys.
   ii. Calculate the correlation of the bitsums of the ciphertexts produced with the bitsums of the corresponding keys.
   End Loop
c. We will keep track of which message yields the best correlation between the bitsums of ciphertext and key.
d. Conclusions will be drawn on the basis of this record.
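Steps a to d applied to TEA with a 128-bit key, as an added example that is not the authors' code. It assumes the standard 32-cycle TEA round function with big-endian word packing, Python's seeded `random` as the key source and the Pearson coefficient as the correlation measure; all function names are illustrative.

```python
import random
import struct
from math import sqrt

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9

def tea_encrypt(block: bytes, key: bytes, rounds: int = 32) -> bytes:
    """TEA on one 64-bit block with a 128-bit key (big-endian words assumed)."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">2I", v0, v1)

def bitsum(data: bytes) -> int:
    """Number of 1 bits (Hamming weight) in a byte string."""
    return bin(int.from_bytes(data, "big")).count("1")

def pearson(xs, ys) -> float:
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def bitsum_correlation(message: bytes, n_keys: int, seed: int = 1) -> float:
    """Steps b.i and b.ii: fixed message, n_keys random 128-bit keys."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_keys)]
    key_sums = [bitsum(k) for k in keys]
    ct_sums = [bitsum(tea_encrypt(message, k)) for k in keys]
    return pearson(key_sums, ct_sums)

def best_message(messages, n_keys: int):
    """Step c: (|r|, message) for the message with the largest |correlation|."""
    return max((abs(bitsum_correlation(m, n_keys)), m) for m in messages)

if __name__ == "__main__":
    M = b"CONSTRUC"  # constructed 8-byte sample message
    print("r =", round(bitsum_correlation(M, 2000), 4))
```

A coefficient near 0 means the key bitsum tells nothing about the ciphertext bitsum for that message; values near +1 or -1 are what the procedure looks for.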
We applied the above bitsum attack to the XOR cipher (Bagga and Geetha, 2012). The results we obtained encouraged us to proceed further. We applied it to TEA with a key size of 64 bits and the results were amazing. We concluded in Amandeep and Geetha (2012) that, if the bitsum of the key is less than 14 or greater than 50, then there is a strong correlation between the bitsum of the ciphertext and the bitsum of the key.
Along the same lines, we continued to attack TEA with a 128-bit key size. The results we obtained are presented in this study.

IMPLEMENTATION
TEA is the cipher to be investigated. We enciphered around 10000 messages, and around 50000 records were generated to be analysed. A random key was generated to encipher each message. We tried to find the correlation between the bitsum of the ciphertext and the bitsum of the key. We got the value of the correlation coefficient for each and every message.
While analysing the data, we realized that there is a pattern of the key for which the value of the bitsum of the ciphertext remains constant for every plaintext. To verify this, we kept the key constant and changed the plaintext several times. It was seen that the result is true for some specific patterns of the key. In this research, we deduced a set of keys: For example, let's say the key:

JCS
The resulting values are listed in Table 1.
From the above example we can see that, when the bitsum of the ciphertext has a constant value, we can guess the pattern of the key. It may belong to the set of keys which we deduced.
The values for XTEA are listed in Table 2.

RESULTS
We got specific patterns of the key for which the bitsum of the ciphertext remains constant. Those patterns of the keys are shown below: M1, M2, …, Mn are the messages to be encrypted. K1, K2, …, Kn are the keys. C1, C2, …, Cn are going to be the bitsums of the ciphertext.

Case 1:
Key pattern K1: The set of randomly generated messages is encrypted with the TEA encryption routine. When all these messages were encrypted using K1, we found that the bitsum of the ciphertext produced, C1, was constant. This result is depicted in Fig. 1 below.

Case 2:
To analyse the results further, we took another key of the same type. Again the messages were generated randomly and encrypted with K2 (the next key pattern). Again we got the same kind of results, i.e., the bitsum of the ciphertext (C2) was constant. Results are depicted in the

Case n:
We analysed all such patterns of the key and got the same kind of results. Fig. 3 below shows the results for key pattern Kn.
After this experimentation, we tried keys having such a pattern in the reverse order. With the order of placement of all the 1's reversed, the results of this experiment remained the same. We show these results in the following diagrams.

Case 1:
We again generated random messages and encrypted those messages with the key pattern K1. Results are shown in the diagram below.

Case n:
This experiment was also conducted for all such patterns of the keys, and we found similar results for all such keys. Finally, the results for key pattern Kn are shown below in Fig. 6.
Whenever we have a pattern of the key where some number of 1s are together and all other bits are 0s, we also get a constant bitsum of the ciphertext.
For example, M1, M2, …, Mn are the messages to be encrypted and C is a constant, which represents the bitsum of the ciphertext.
If all such messages are then encrypted with a key of such a pattern, the bitsum of the ciphertext remains the same. This is also depicted in Fig. 7 below.
We know that for a symmetric encryption, Equation: ( ) ( )

Where:
$\mathrm{ALG}_e$ = Encryption routine of TEA or XTEA
$\mathrm{ALG}_d$ = The decryption routine of TEA
$C_{BS}$ = The bitsum of the ciphertext

CONCLUSION
We presented the Bitsum Attack on TEA and XTEA. Results were found based on the bitsum of the ciphertext and the bitsum of the key. There is a strong correlation between the bitsum of a key with a particular pattern and the bitsum of the corresponding ciphertext. Our experiment has shown that a set of keys in TEA and XTEA is not secure under the Bitsum Attack. In future we will try this attack on other block ciphers, preferably those which use XOR in their functioning.