Security Evaluation of the SPECTR-128. Block Cipher

Transcription

1 pplied Mathematical Sciences, ol. 7,, no. 4, HIKI td, Security Evaluation of the SPECT-8 Block Cipher Manh Tuan Pham, am T. u Posts and Telecommunications Institute of Technology Hoang Quoc iet Street, Ha Noi, iet Nam tuanpm.9@gmail.com Moldovyan N.., Morozova E.. St. Petersburg Institute for Informatics and utomation of ussian cademy of Sciences 4 iniya, 9, St. Petersburg 9978, ussia Minh N.H., Cuong N.., and Manh T.C. e Quy Don Technical University Hoang Quoc iet, Ha Noi, iet Nam Copyright Manh Tuan Pham et al. This is an open access article distributed under the Creative Commons ttribution icense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. bstract The evaluation of availability in resistant to differential and linear cryptanalytic attacks is essential in designing secure block ciphers. In this paper, we present evaluated results of security estimation for SPECT-8 block cipher. The results show that SPECT -8 (modified version of SPECT-8) is a highly-resistant to differential and linear cryptanalytic attacks. Keywords: Controlled permutations (CP), data-dependent permutations (DDP), internal key scheduling (IKS), differential cryptanalysis (DC), linear cryptanalysis (C).

2 6946 Manh Tuan Pham et al. Introduction SPECT-8 is a block cipher proposed by Moldovyan N. in []. The specification of SPECT-8 can be found in []. n overview of its architecture is given in Fig.. This cipher is based on extensive use of CP-box operations. The left data subblock is used to specify the permutations on the right data subblock and roundsubkey. The use of two mutually inverse DDP performed seuentially on the right subblock allows one to perform enciphering and deciphering with the same algorithm. single-layer CP-box is used to uickly change the key schedule while changing encryption mode for decryption one. peculiarity of SPECT-8 is the use of the data-dependent transformation of round subkeys (so called internal key scheduling [] - IKE). It is based on a combination of DDP and special fast operation G [, 4] in order to greatly reduce the effectiveness of differential and linear cryptanalysis. This paper provides the results of a cryptographic evaluation of SPECT-8 (SPECT -8). This paper is organized as follows. In Section, we briefly present 8-bit cipher SPECT-8. Sections and 4 present differential and linear cryptanalytic attacks of SPECT-8, respectively. Finally, we conclude in Section 5. Description of SPECT-8 SPECT-8 is a new -round block cipher with 8-bit input. The general encryption scheme is defined by the following formulas: C = Encr(M, K) and 8 M = Decr(C, K), where M is the plaintext, C is the cipher text ( M, C {, } ), K is 56 the secret key ( K {, } ), Encr is the encryption function, and Decr is the decryption function. In the block cipher SPECT-8 encryption and decryption ( e) functions are described by formula = F(, Q ), where ( e Q ) = H ( K, e) is the extended key (EK), the last being a function of the secret key K = ( K,..., K ) and of 4 the transformation mode parameter e (e = defines encryption, e = defines decryption). We have = M, for e = and = C for e =. EK is represented as ( e) ( e) ( e) ( e) ( e) ( e) ( e) 64 concatenation of 4 subkeys: Q = ( QIT, Q,..., Q, QFT ) where Q, Q {, } IT FT ( e) (, e) (4, e) ( he) 64 and =,..., j, Q = ( Q,..., Q ), where h=,..., 4, Q, {},. Output value j j j j is the ciphertext C in the encryption mode or the plaintext M in the decryption mode. The algorithm is designed as seuence of the following procedures []: ) initial transformationit, ) rounds with procedure Crypt, and ) final transformationft. Ciphering begins with the procedure IT: = IT (, Q e IT ( ) ). Then data

3 Security evaluation of the SPECT-8 block cipher 6947 block is divided into two 64-bit blocks and, i.e. (, ) =, where 64, {, }. Then twelve seuential rounds are performed with procedures ( ) Crypt in accordance with the formulas: = Crypt (,, Q e ); =, where j j j j j j ( ) j =,,. Then the final transformation FT is executed: = FT (, Q e FT ), where = (, ). The general encryption scheme is shown in Figure. Initial transformation IT Q (e) IT st round Crypt Q (e) nd round Crypt Q (e) th round Crypt Q (e) Final transformation FT Q (e) FT Figure. General structure of SPECT-8 The structure of the procedure Crypt is shown in Figure. 9 U <<< U <<<4 E () P 64/9 () U <<< 64 () E G () (4) () () (4) (4) () () E () () P 64/9 - P 64/9 Figure.Structure of the procedure Crypt This procedure has the form: = Crypt (,, (), (), () and (4) ) where,, (), (), (), (4) {,} 64. Thus, Crypt transforms the data subblock under

4 6948 Manh Tuan Pham et al. control of the data subblock and 56-bit extendedsubkey. This procedure uses the following operations: to-left cyclic rotation <<< by fixed number of bits, O operation, non-linear operation G, DDP operations P 64/9 and P 64/9, and extension operation E. For the block cipher SPECT-8 see more details in []. Differential Cryptanalysis. Some properties of the controlled operations W et Δ be the difference with arbitrary active (non-zero) bits corresponding to the vector W. et Δ be the difference with active bits and i i,..., i,,i be the numbers of digits corresponding to active bits. Note that Δ corresponds to one of the differences Δ, Δ,,Δ 64. et P( Δ F g ) Δ be the probability that input difference Δ transforms into output difference Δ g while passing some operation F. We shall also denote the event that at the output or input of the operation F we have the difference Δ as Δ F or Δ F respectively. Differential properties of the CP boxes with the given structure are defined by properties of the elementary switching element. Using the main properties of the last (see Figure ) it is easy to find characteristics of the P 64/9 -box. Table presents probabilities of different output differences corresponding to differences Δ and Δ with few active bits (, {,, } ). a) b) ( ) ( ) P / ( P / p( / ) = p( / ) = ) p( / ) = p( / ) = c) d) P p( / ) = - / p( / ) = - ( ) P / ( ) p( / ) = - p( / ) = - Figure.Properties of the elementary box P /

5 Security evaluation of the SPECT-8 block cipher 6949 Figure illustrates the case when some difference with one active bit Δ passes the left branch of the crypto scheme. The difference Δ can cause generation or annihilation of w pairs of active bits in the CP box. et consider the P 64/9 -box in right branch in the case =. The difference Δ is transformed by the extension box into Δ at the controlling input of P 64/9, i.e. one active bit in the left subblock influences three switching elements P / permuting six different bits of the right data subblock.depending on value of the permuted bits and input difference Δ of the P 64/9 -box the output differences Δ with different number of active g bits can be formed by this CP box. Table.alues of probability P 64/ 9 ( Δ P Δ )/ Δ g Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ Δ valanche effect corresponding to the operations G is defined by its structure that provides each input bit influences several (u) output bits (except the 64th input bit influences only the 64th output bit). Table presents the formulas describing avalanche caused by inverting the bit l i. et Δl i denote alteration of l i. We shall consider the case when the data and key are uniformly distributed random values. One can see that l i, where 7 i 55, causes deterministic alteration of the output bit y i and probabilistic alteration of the output bits y i+, y i+, y i+6,, y i+9 which change with probability p =.5 (for i 6 we have deterministic alteration of y i and y i+, since Δy i+ =Δl i l i-6 ). When passing through the operation G the difference Δ i can be transformed with certain probability to the output differences Δ i, Δ,..., Δ 7 (see Tables and 4).

6 695 Manh Tuan Pham et al. n E m=n k n P n/m s n P n/m P p( n/m / ) P / v v a) p( / ) = - k b) c) w p( / ) = - ( ) p( / ) = - ( ) w w s d) p( / ) = - n(n-) Figure 4.Some properties of the CP box: a - notation of the general case; b - zero difference passes the CP box; c - formation of two active bits; d - annihilation of two active bits. Table.Changing output bits caused by single bit alteration (Δl i =) at input of the operation G # Expression Probability y l i i Δ = Δ p( Δ y i = ) = (4) () (4) Δ y = Δl ( a a l a l l i+ i i i i 8 i i 5 i 8) p( Δ y ) = = / Δ y = p( Δ y ) = = 4 y ll i+ i i 6 Δ =Δ p( Δ y ) = = / 5 Δ y = p( Δ y ) 4 = = 4 6 Δ y = p( Δ y ) 5 = = 5 (4) 7 y l ( l l l a ) p( Δ y ) i+ 6 i i i i+ 5 i+ 5 = = / 6 () 8 y la i+ 7 i i+ 5 9 y ll i+ 8 i i+ () (4) y l ( l l a l l a i+ 9 i i+ 6 i+ 8 i+ 7 i+ i+ 8 i+ 8 Δ = Δ p( Δ y ) = = / 7 Δ = Δ p( Δ y ) = = / 8 Δ = Δ p( Δ y ) = = / 9

7 Security evaluation of the SPECT-8 block cipher 695 Table.alues of the probability Δ P i g ( G Δ ) Δ Δ...Δ...Δ...Δ...Δ...Δ...Δ i i i , Table 4.alues of the probability P ( Δ Δ ) i i, i i u Δ Δ...Δ...Δ...Δ...Δ...Δ i i, i+ ii,+ ii,+ 6 ii,+ 7 ii,+ 8,+ ii Differential analysis Our best variant of the differential cryptanalysis (DC) [5, 6] of SPECT-8 corresponds to two-round characteristic with difference ( Δ,Δ ). This difference passes two rounds in the following way (see Figure 5). It is easy to see that this difference passes the first round with probability and after swapping subblocks it transforms to ( Δ,Δ ). In the second round the active bit passing through the left branch of crypto scheme can form at the output of the operation G the difference Δ g, where g {,,,4,5,6,7}. Only differences with even number of active bits contribute to the probability of the two round iterative characteristic. The most

8 695 Manh Tuan Pham et al. contributing are the differences Δ ii,+ k. The most contributing mechanisms of the formation of the two-round characteristic belong to Cases,, and, where i {,, 64} and k {,,6,7,8,9}, described below. Case : Difference Δ is formed with probability ( ii,+ k ) p = Pr,+ ii k Δ /Δ G,+ ii k i at the output of the operation G. ( ii,+ k) P Difference Δ,+ ii k is formed with probability p Pr ( P = Δ /Δ ii k ) at the,+ output of the CP box P. Difference Δ is formed with probability ( P p Pr P = = Δ / Δ ) at the output of the CP box P. fter Oing differences Δ, Δ,+ ii k, and Δ we have zero difference,+ ii k Δ at the input of the P * -box. It passes this box with probability = = Pr 4 Δ P /Δ P. p One can denote Case as set of the following events: P P I( ) I( ) I G G P P P P,+ ii k i,+ ii k Δ /Δ Δ /Δ Δ /Δ Δ /Δ. Using such form of representation one can describe the following two cases: G Case : P P I,+ ii k i (,+ ii k ) I( ) I G Case : P P I( ) I( ) I G P P P P Δ /Δ Δ /Δ Δ /Δ Δ /Δ. G P P P P Δ /Δ,+ ii k i Δ /Δ Δ /Δ Δ /Δ,+ ii k. ( ii k) p,+, ( ii k p,+ ) ( ii k), and p,+ 4 alues are calculated in the similar way using the structure of the box P 64/9 and distribution of the controlling bits over elementary switching boxes P / (this distribution is defined by Table - and operation >>> ). For example, let us consider the mostly contributing difference Δ 4 while calculating ( ii k p,+ ) fter being rotated by bits this difference induces the. difference 9,, 8 Δ = Δ at the 9-bit controlling input of the CP box P 64/9 transforming the right data subblock. The 4d bit of controls one elementary box P / in each of three lower active layers of the CP box P 64/9, namely the 9th, d, and 8nd boxes P / (such elementary boxes can be called active). For i = 4 we have six variants of Δ : Δ, Δ, Δ, Δ, Δ, and Δ. i, j 444, 446, 449, 45, 45, 45, For the corresponding probabilities ( i j p, ) (4 44) we have zero value, except p, =. The last value takes into account that the 9th and d boxes P / do not generate non-zero output difference and the 8nd one generates two active bits.

9 Security evaluation of the SPECT-8 block cipher 695 Figure 5.Formation of the two-round differential characteristic in Case Taking into account the symmetric structure of the round transformation and symmetry of the boxes P 64/9 and P - 64/9 it is easy to see that P = P, where P and P are the contributions to the probability of the two-round differential characteristic corresponding to the first and third cases. Thus, it is sufficient to calculate P and the contribution P of the second case. Due to different rotations before extension boxes corresponding to CP-box operations P and P we have P P. Probability P can be calculated using the following formula: ( ii,+ k) ( ii,+ k) ( ii,+ k) ( ii,+ k) 4 where p(i) = -6 corresponds ik, ik, P = p() i p p p p = p p 5., to probability that after the first round active bit moves to the ith digit. The value (4 44) P is defined mainly by the digit i = 4 (about 7 %) for which we have p, =. bout 5% corresponds to digits i = and i = 4 and about 5% correspond to digits i =,7,8,,,5,6,,54. For all other digits we have zero contribution to P. Probability P can be calculated analogously to the case of P : P p ( ) ( ) () i p ii,+ k p ii,+ k p p = 5.. The digits contributing to P are only the ik, 4 (54 55) (57 6) 5 following: i = 54,57 ( p, = p, = ), and i = 9,,,44

10 6954 Manh Tuan Pham et al. ( p = p = p = p = p = p = p = ). Due to symmetry of the (9 5) (9 6) ( ) ( 6) ( 4) (44 45) (44 47) 7 boxes P and P * there are possible contributing events (analogous to Cases - ) including generation of the additional pair of active bits in P and annihilation of these bits in P *. The contribution of such events is P. -. For probability of the two-round characteristic we have P() P +P +P +P Modified version SPECT -8 Differential analysis has shown that the structure of the extension box (i.e. the table describing distribution of the bits of the left data subblock over elementary switching elements of the CP boxes) is a critical part of SPECT-8. It is easy to see that small change in the extension box leads to significant decrease or increase of the probability of two-round characteristic. Indeed, we can reduce the probability P() by factor 8 using the extension box described by the Table 5. Table 5.Distribution of bits of the vector U et call the modified version SPECT -8. For SPECT -8 cases,, and give zero contribution to the probability of two-round characteristic. fter modification of E-box the most contributing cases are the following ( i,t,ki,t {,,...,64}, k {,,6,7,8,9}, t i,andt i+k). P P I ( ) I ( ) I P P I ( ) I ( ) I P P I ( ) I ( ) I P I I ( ) I P I ( ) I I P P I ( ) I ( ) I G G P P P P,+ +,, G G P P P P,+, +, G G P P P P,+ +,, G G P P P P P,+, +, G G P P P P P,+ +,, G G P P P P,+, +, Case 4a : Δ / Δ Δ / Δ Δ / Δ Δ / Δ. ii k i i kt it Case 4b : Δ /Δ Δ /Δ Δ /Δ Δ /Δ. ii k i it i kt Case 5a : Δ /Δ Δ /Δ Δ /Δ Δ /Δ. ii k i i kt it Case 5b : Δ / Δ Δ / Δ Δ / Δ Δ / Δ. ii k i it i kt Case 6a : Δ /Δ Δ /Δ Δ /Δ Δ /Δ. ii k i i kt it Case 6b : Δ /Δ Δ /Δ Δ /Δ Δ /Δ. ii k i it i kt Calculating the total contribution of the cases 4a, 4b, 5a, 5b, 6a, and 6b we have obtained P()= Thus, after modification of the extension box the value P() has been significantly reduced. Now the three-round characteristic becomes the most efficient one. One of possible mechanisms of the formation of this characteristic is shown in Fig. 5. This characteristic does not depend on small modifications of the distribution table. In the most contributing mechanisms of the formation of the three-round characteristic in second and third rounds the operation G produces output difference exactly with one active bit.

11 Security evaluation of the SPECT-8 block cipher 6955 To calculate probability p = p Δ G i /Δ G i one should take into account its dependence on i. et p () i be the probability that the output difference of G has exactly one active bit corresponding to theith digit. Probability p () i is eual to -6 for i {7,...,55}, -5 for i = 56, -4 fori = 56, - for i = 58, - for i {59,6,6}, - for i {6,6}, for i = 64, and for i {,...,6}. For uniformly distributed random value i we have the average value p.9-4 while considering the operation G as individual unit. Probability that in the second round the P -box generates no pairs of active bits is p (i) = - for all i. The same probability corresponds to the individual boxes P and P *, however, because of their mutual symmetry one has to consider these two boxes as a single unit. Probability that they generate no pair of active bits at the output of the operation P * ( i ) 6 is p for 4, i {,,...,,54,...,64} and () i p. 5 for i {,,...,5}. The last value takes 4, into account the cases of including generation, and annihilation of the pairs of active bits in the boxes P and P *. If at the input of the first round we have the difference ( Δ,Δ ), then at the output of the second round we have the difference 6 ( i) ( i) ( i) n! ( Δ,Δ ) with probability p = p p p. 4., 4 i r! n r! ( ) In the third round the active bit passing the box P is Oed with the single output active bit of the operation G with probability p = -6 and no new active bits are formed by operations G, P, P, and P * with probability p.4 -. Thus, for probability of the three-round characteristic we get P()=p p. -. Contribution of the two-round characteristic to the value P () is P () () = P 6 () ( -7 ) 6 = -6. Contribution of the three-round characteristic is P () () = P 4 ().4-7 >> P () (). Probability to have at output of the random cipher the difference ( Δ,Δ ) is eual to - >>P () (). Thus, the cipher SPECT 8 with twelve encryption rounds is undistinguishable from a random cipher with the most efficient differential characteristic.

12 6956 Manh Tuan Pham et al. i=...64 p(i) = -6 i P Crypt P p = - p = - i p -4 G i P * p = - j=...64 j p -4 G p = - j P P P * j p = - p = -6 p = - Figure 6.Formation of the three-round differential characteristic (mechanisms including generation of the active bits in the CP boxes are not shown) 4 inear Cryptanalysis Comparison of the known results on security estimation of the DDP-based ciphers shows that linear cryptanalysis (C) [7, 8] appears to be less efficient to attack DDP-based ciphers as compared with DC. For example, to thwart the linear attack against SPECT-H64 (DDP-64) seven [9] (three []) rounds are sufficient whereas to thwart the differential attack on that cipher at least ten [] (eight []) rounds are reuired. Fixed permutations and the DDP operations are bijections that preserve the Hamming weight of the input vector, however to use this property in a linear attack one should apply masks having maximum weight. Such

13 Security evaluation of the SPECT-8 block cipher 6957 masks are note efficient due to non-linear operations used together with DDP. Detailed theory of the linear characteristics (C) of the CP-boxes is presented in [9]. et denote an input mask as M and the output mask as B. In that paper it has been shown that: i) Bias of arbitrary C for which ϕ(m) ϕ(b) is eual to zero; ii) For the CP-boxes of the order h for ϕ(m) = ϕ(b) the bias b of the DDP operation satisfies condition b n independently of the mask assigned to the controlling input of the CP-box (for the boxes P 64/9 we have b 7 ) ; the value b = n corresponds to the to the masks with weight. iii) inear attacks using masks (,,, ) are prevented efficiently with the G-like operations. Performing linear analysis of the round transformation of SPECT-8 we have found that the most efficient C corresponds to the masks with two active bits in the left utmost positions in each of two data subblock s. Such mask works well in the case of key in whichsubkeysk and K as well as K and K 4 contain eual bits in positions number 8, 5, 9, 5, 57. Probability to select such key is. et denote the mask corresponding to vector as M i,..., i, where is the number of active bits and i,..., i are the indices of the active bits. The C with input ( M, M ) and output ( M, M ) masks of the first round has bias b() 7. The last value is calculated as follows (see fig.7). Note that for considered particular case of keys the P * -box moves the left most input bit to the left most digit at the output, if the P -box moves the left most input bit to the left mostdigit at its output. Bias of the considered one-round C is b() = Pr ( M M M M = ). If the P -box moves the left umost input bit to the left umost digit at its output we have () σ = M M M M = l a z, wherez is the first bit of the vector Z at the output of the CP box P. Probability of this event is /n = 6 (). Probability that σ = l a is t/n, where t = ϕ( () ). If the P -box moves any other input bit to the left umost digit at its () output then we have σ = l a with probability ( /n) independently t σ = = + and n n t b() = Pr ( σ = ) = Pr ( σ = ) = + n n n. () of the value z. Thus, we have Pr ( l a )

14 6958 Manh Tuan Pham et al. M M l (4) P n/m r P n/m Pr(r =r )= -6 r =r z = Pr(z =) = t/n G y =l a () r P - n/m r * = r r =l M l * =l a () r z M Figure7.Formation of the one-round linear The bias gets maximum value for the cases ϕ( () ) = and ϕ( () ) =. For the full round SPECT-8 the C with input ( M, M ) and output ( M, M ) masks have bias 7 b() = ( b() ) =. n For eleven rounds we have b() 67. For the random cipher Cs have bias b 64 > b(). Therefore we can conclude that for the worst case of the secret key selection eleven rounds of SPECT-8 are sufficient to thwart linear attacks. In order to eliminate linear attacks based on the considered C we propose to use in the modified version SPECT -8 the constant C = ( ) instead of thesubkey () (earliersuch mechanism was used in DDP-64 [4]). Since in this case we have t = ϕ(c) = n/, the bias of the considered characteristic euals to zero, therefore an attacker should add at least one active bit in used masks and this will reduce sharply the bias value due to both the variable permutations and the G operation.

15 Security evaluation of the SPECT-8 block cipher Conclusion Security of the 8-bit block cipher SPECT-8 is based on the use of DDP performed with P 64/9 -boxes, specially designed extension boxes, and the nonlinear operation G. Some remarks should be given about IKS. ctually it is a part of the round data transformation only. It introduces no delay, since it is executed in parallel with some data ciphering operations. Notion IKS corresponds to the part of encryption procedure related to the data-dependent transformation ofsubkey (orsubkeys) executed in parallel with the transformation of data. The internal key scheduling used in SPECT-8 is not complex, but it changes from one data block to another, making the avalanche effect faster and crypto scheme significantly more secure against differential and linear cryptanalysis. In one round of SPECT-8 the left data subblock is kept constant, however this data subblock participates in round transformation influencing transformation of the right data subblock. Our DC of SPECT-8 has shown that the structure of the extension boxes is a critical part of the DDP-based ciphers. Presenting the modified version SPECT -8 we have shown the small modifications in the table describing the extension box significantly change the probability of the differential characteristics. Our preliminary C shows that SPECT-8 secure against linear attacks, although much more work on C of this cipher is to be done. Because of the use very simple key scheduling there are possible weak keys having the structure K = (K, K, K, K 4 ) = (,,, ), their portion ( -8 ) is negligible though. n interesting way to avoid weak keys is the use of the switchable (e-dependent) operations, one can use some complex key scheduling though (weak we call the keys for which encryption function is involution). The aim of the description and discussion of the SPECT ciphers is to illustrate the design of the DDP-based ciphers and to show that such ciphers represent a suitable model for calculation of the differential characteristics and security estimations. We estimate that introducing small changes if the structure of the operation G one can easy reduce the probability of the three-round differential characteristic and design secure ten-round or eight-round SPECT-like cryptosystem. For example it is easy to compose a G-like function G for which two output bits change deterministically when an input bit flips. Use of the operation G in SPECT reduces drastically the probability of the two-round and three-round differential characteristics as well as the bias of linear characteristics. Detailed design of the SPECT-like cryptosystem with reduced number of rounds appears to be a subject of separate consideration. eferences [].. Moldovyan, N.. Moldovyan, Innovative Cryptography, Charles iver Media, 7, 96p.

16 696 Manh Tuan Pham et al. [].. Moldovyan, N.. Moldovyan, cipher based on data-dependent permutations, Journal of Cryptology vol. 5, no. (), pp [] Izotov, B.., Moldovyan,.., Moldovyan, N.., Fast Encryption lgorithm Spectr-H64,MMM-CNS, NCS 5, pp , Springer-erlag. [4] Goots, N.D., Izotov, B.., Moldovyan,.., Moldovyan, N.., Fast Ciphers for Cheap Hardware: Differential nalysis of SPECT-H64,MMM-CNS, NCS 776, pp , Springer-erlag. [5] E. Biham and. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems", Journal of Cryptology, vol. 4, no., pp. -7, 99. [6] E. Biham and. Shamir, Differential Cryptanalysis of the Data Encryption Standard,Springer-erlag, New ork, 99. [7] M. Matsui, inear cryptanalysis method for DES cipher, In T. Helleseth, editor, dvances in Cryptology Eurocrypt '9, volume 765 of ecture Notes in Computer Science, pages 86{97, 994. Springer-erlag. [8] E. Biham, "On Matsui s inear Cryptanalysis", dvances in Cryptology - EUOCPT 94 (ecture Notes in Computer Science no. 95), Springer- erlag,pp. 4-55, 995. [9].Ko, D.Hong, S.Hong, S.ee, J.im, inear Cryptanalysis on SPECT-H64 with Higher Order Differential Property, International Workshop, Methods, Models, and rchitectures for Network Security Proc. NCS, vol. 776 (), pp [] N.. Moldovyan,.. Moldovyan, N.D. Goots, ariable Bit Permutations:inear Characteristics and Pure BP-based Cipher, Computer Science Journal of Moldova. 5. vol., No (7). P [].. Bodrov,.. Moldovyan, P.. Moldovyanu, DDP-based Ciphers:Differential nalysis of SPECT-H64, Computer Science Journal of Moldova. 5. ol., Number (9), pp [] B..Izotov,..Moldovyan, and N..Moldovyan, Fast information protection methods based on controlled operations, vtomatika i telemehanika, Moscow: ussian cademy of Sciences, no 6, pp (in ussian). [] B..Izotov,..Moldovyan, and N..Moldovyan, Controlled operations as a cryptographic primitive, Proceedings of the International workshop, Methods, Models, and rchitectures for Network Security. ect. Notes Comput. Sci. Berlin: Springer-erlag, vol. 5 (), pp. -4. [4] N.. Moldovyan, P.. Moldovyanu, D.H. Summerville, On Software Implementation of Fast DDP-Based Ciphers, International Journal of Network Security. 7. vol. 4, no.. P eceived: October,