The New Variable-Length Key Symmetric Cryptosystem

: Problem statement: In this study, we proposed a new 64-bit block cipher that accepted a variable-length key up to 512 bits, which was suitable for implementation in a variety of environments. Approach: The cipher algorithm was a 16-round Feistel network with a bijective function f and was made up of two key-dependent 16×16 S-boxes, bitwise rotations, and a carefully designed key schedule. Results: The block cipher, what we called NBC08, was designed to perform under the powerful operations supported in today’s computers, resulting in an improved security/performance tradeoff over existing block ciphers. Conclusion: The study concluded the differential, linear and algebraic cryptanalysis on the NBC08 and showed that the cipher cannot be analyzed by any cryptanalytic attack. The statistical test results for NBC08 did not indicate a deviation from random behavior.


INTRODUCTION
We describe NBC08 a new block cipher supporting 64-bit blocks and variable key size, ranging from 192 to 512 bits. The "cryptographic core" of the NBC08 cipher is a Feistel structure, consisting of sixteen rounds. It is surrounded by two Non-Feistel keyed transformations, and thus, the algorithm structure is non-homogeneous [1] . These transformations in the first part and the last part are inverse of each other. These transformations increase the complexity of attacks on NBC08, resulting in improved security. The round function in the main core of encryption process is designed on the basis of this theory: The provable security against both linear and differential attacks [2] . This algorithm is used in all the standard modes of operation for block ciphers.
In this study, we describe the design principles of NBC08. It covers the high-level structure of the cipher, initial and final transforms, and used functions in NBC08. The key schedule is included the key expansion and the sub keys generation.
The statistical randomness tests investigate to existence of special weaknesses in algorithm. If an algorithm is accepted in all of statistical tests, then it doesn't have known weaknesses. The results show that these tests do not identify any deviation from random behavior.
NBC08 uses key dependent S-boxes, round dependent function and the rotation based on sub key value. This creates suitable shield against both linear and differential cryptanalysis.

Specification:
The basic operations of NBC08: NBC08 cipher uses a variety of operations on 16-bit words. It combines exclusive-ors (XORs), additions, subtractions, rotations and S-box lookups. We describe these operations in Table 1.
The first three operations are used to "mix together" data values and key values (on 16-bit words), which are done very fast on modern processors.
Also, we use a left-rotation by y, for a 16-bit word x, inside the round function. Here y is viewed as a 4-bit integer, and the rotation amount (between 0 and 15) is specified by it. S: S function is a 16×16 (keyed) S-box, which is made by two S-boxes (S7 and S9). Similarly, S −1 is the inverse of S, which is made by S7 −1 and S9 −1 .
f: f is the round function in the encryption process and the cryptographic strength depends only on the properties of this function.
High-level structure of the cipher: The cipher consists of three parts: Initial Transform, Main Core and Final Transform. The main core is a Feistel structure, consisting of sixteen rounds. The general structure of NBC08 cipher is depicted in Fig. 1. This process uses a total of 1792 bits of sub key material, for encryption and decryption procedures. These sub keys are derived from the master key using the key schedule: Below, we describe the block cipher in details: Initial transform: The operations of initial transform are shown in Fig. 2. This transformation is formed by the same four rounds. First, 64-bit input data block is divided into 4 16-bit sub blocks X1∼X4. Then, it is repeated four rounds on 16-bit sub blocks.
The operations for the first round of Initial Transform are depicted in Fig. 2 [9], which mid operations , ⊕ and S function make the round operations. In the next rounds, the sub keys FK [1]∼FK [3] are used.
Final transform: These operations are the inverse of initial transform, such that if the same key is used for these two transformations, then the operations thwart each other. This transformation is depicted in Fig. 3.
The 160-bit sub key LK [3] is used in the first round of final transform and sub keys LK[0]∼LK [2] are used in the next rounds of final transform.
The round function f: Figure 4 shows the round function f in the encryption process of NBC08. First, 32-bit half block input is divided into 2 16-bit sub blocks left and right. Also, the input sub key of function f in the ith round, RK[i], is divided identically into RK[i][0] and RK[i] [1].
In this function, the operations are done over all the 16-bit sub blocks. First, the input sub key of the function is combined with 2 input data sub blocks through a nonlinear process. Then, these 2 16-bit sub blocks create a 32-bit half block output duration of operations (3 rounds) with using of S function.

S function and its inverse S
In the function f, S function is a 16×16 (keyed) S-box. For implementation, the dimensions of S-box are as a big called table. So, we choose the structure of Fig. 5 for S functions [3] .
As Fig. 5 shows, the 16-bit input to S is divided into two parts, 9-bit and 7-bit. This non-identical division causes more resistance of algorithm against linear and differential attacks, because the bijective functions with odd dimensions are better than the functions with even dimensions, from the viewpoint of the provable security against both linear and differential attacks [4] .  Fig. 5, two S-boxes S7 and S9 are used with 7bit and 9-bit input, respectively. These S-boxes are objective and designed by the nonlinear functions [5][6][7][8] . When S9 output bits are XORed with 7-bit data, it is expanded to 9-bit by adding two zero bits to the left and when S7 output is XORed with 9-bit data, it is decreased to 7-bit by truncating from the left.
The perfect nonlinear functions in GF (2 9 ) and GF(2 7 ) are used for generating of substitution tables (S-boxes) S9 and S7, respectively.
As a result, these S-boxes provide good resistance against linear and differential attacks [9] . The functions used are: S7 and S9 are not keyed and are used as fixed tables. In Fig. 5, it uses XOR operation for making S, which is dependent on the key. As noticed, 16-bit key K is divided into 7-bit K7 and 9-bit K9, which are 7-bit from right and 9-bit from left, respectively. The interference of key K in S structure increases the complexity of system.
The function S −1 is the inverse of S function. The inverses of S7 and S9 are used in this function, namely S7 −1 and S9 −1 . The tables S7 −1 and S9 −1 are obtained easily from S7 and S9, respectively. The operations of S −1 are depicted in Fig. 6.

Key schedule:
The key schedule has been chosen according to the following criteria: • The main key is from 192 to 512 bits • The bits in each sub key should depends on the all bits in the master key • There are no specific relations between the sub keys Since the conditions above are satisfied, the algorithm NBC08 has no weak keys.
For generating of required sub keys in the encryption process, we mainly utilize the round function in 3-round Feistel structure using CBC mode.
Key expansion: In our study, the master key length increases to 512-bit. We use 2 512-bit arrays consisting of 32 16-bit words EK and SK. These arrays and the bits numbering manner are depicted in Fig. 7.
The master key bits settle in the array EK. The first bit of master key is bit 0 in EK. The remaining bits of EK are completed by bit 0. SK is a fixed key array consisting of random binary sequence 512-bit. This vector is constant for an algorithm; actually it plays the user key role. The information about SK contents is not important because it satisfies the random conditions. Below we define SK. , 0xc9ac, 0xfb36, 0x7a45, 0xa1ab, 0x146d, 0xfb96, 0x36f8, 0xea17, 0x183c, 0xc200, 0xaddc, 0x9099, 0xd956, 0x4fe2, 0x1c1c, 0x2afe, 0xc694, 0x1fc0, 0xbb5b, 0x1e89, 0x5f4c, 0x6e6f, 0x8da7, 0x7c98, 0xe31e, 0xdb92, 0x3076, 0x4245, 0xeb86, 0x90a5, 0x7678 }; For the expanding of master key length to 512-bit, we add the SK contents to EK using accumulation manner. The following C program is used for this purpose, Sub keys generation: We use the structure shown in Fig. 8, for the sub keys generation: As seen in Fig. 8 The output of the first step with CBC creates the first 64-bit sub key. So, for generating the required sub keys, the structure of Fig. 8 should perform 28 times.
The elements of EK array are used in quadric sets as the inputs of CBC method. When this array ended, the elements, again as quadric sets settle in the input.
The sub keys in the encryption process are generated by the outputs of the sub key generation algorithm as follows: FK[0] is fulfilled by the first 160-bit and also FK [3] by the fourth 160-bit. Afterward, the next generated 32-bit is used as RK[0] and continues till RK[15] is also fulfilled. The remaining bits are used for LK[0]∼LK [3].

Statistical analysis:
The NBC08 block cipher is tested using sixteen statistical tests [10,11] . We used 500 samples of about 10 6 bit sequences for each test. Table 2 shows results of the NIST statistical test suite for NBC08. In Table 2, the parenthesis beside the name of the statistical test shows the input parameters used in the test. From the Table 2 we see that the statistical test results for NBC08 do not indicate a deviation from random behavior. These tests are essential but not sufficient for security. Differential and linear cryptanalysis: NBC08 uses key dependent S-boxes, round dependent function and the rotation based on sub key value. This creates suitable shield against both linear and differential cryptanalysis.
Suppose that we have a set of n pairs of plaintexts/ciphertexts, and then the attacker will try to find differential or linear property between the plaintext/ciphertext pairs with a high probability to utilize it in extracting some bits of the master key. In the proposed algorithm, the attacker will not be able to know the sequences of the operations and the rotations used in the algorithm since the order of the sequences and operations depends on the master key.   In this algorithm, we have 6 different operations, and 32 different rotations. The permutation of the operations is 6! and the permutation of the rotation is 32!. This provides us 6!×32!≈2 127 different sequences. It means that the attacker should try 2 127 different cases. For every case, the attacker has to find the linear or differential properties, and then uses the available pairs of plaintexts/ciphertexts to find some bits of the key. However, this attack is more effective than the exhaustive key search.
Moreover, with having n pairs of plaintexts/ciphertexts, attacker should use all the pairs to extract ℓ bits from the key, and apply plaintexts/ciphertexts n(2 127 ) times depending on the different sequences. These operations are considered better than the exhaustive key search.
For a 192-bit key length, the operations are O (2 192 ). By considering that the attacker has extracted ℓ bits, then the operations are n(2 127 ), and the exhaustive search for the rest of the remaining bits is 2 192-ℓ . Therefore, the attack will be better than exhaustive key search if 2 192 >2 192−ℓ (n)2 127 , namely 2 ℓ >n(2 127 ). However this is so difficult to attain. For example, if the attacker has n = 50 plaintexts, then he/she should extract more than 130 bits from the user key to be able to achieve the attack faster than the exhaustive key search, that is ℓ>130 bits. With n = 50 plaintexts, it is very difficult to extract these bits from the input user key faster than the exhaustive key search. The same case can be performed for other key lengths.
Algebraic cryptanalysis: In performing algebraic attack [12] to block ciphers, we have to derive an overdefined system of algebraic equations. Since the fullround NBC08 has a high degree as a vector Boolean function, so it is impossible to convert any equation system in NBC08 into an over-defined system.

CONCLUSION
The cipher algorithm NBC08 is designed to perform the encryption and decryption processes over 64-bit data blocks. The key length is from 192 to 512 bits. It is used in all the standard modes of operation for block ciphers. NBC08 is easy and fast. The implementation NBC08 is done with less volume, high speed and is optimum over the 8, 16 and 32-bit processors, since the operations are done on 16-bit words. The current implementation is written in C and runs at rates of about 64 M bit sec −1 , on an 800MHz Pentium with the Windows XP operating system. NBC08 is used as "building blocks" in the design of other cryptographic algorithms, such as stream ciphers, Message Authentication Codes (MACs) and hash functions.
The statistical test results for NBC08 do not indicate a deviation from random behavior: NBC08 has provable security against both linear and differential attacks. This algorithm is resistant against exhaustive key search. The other known attacks over block ciphers are not practical on the NBC08.