EURASIP Journal on Applied Signal Processing 2005:12, 1923–1927
© 2005 Hindawi Publishing Corporation

Cryptanalysis of the Two-Dimensional Circulation Encryption Algorithm

We analyze the security of the two-dimensional circulation encryption algorithm (TDCEA), recently published by Chen et al. in this journal. We show that there are several flaws in the algorithm and describe some attacks. We also address performance issues in current cryptographic designs.


INTRODUCTION
In symmetric-key cryptography, two parties share a secret key K to encrypt messages using a cipher. Symmetric encryption techniques are used to efficiently encrypt data. Two types of ciphers are commonly used nowadays: block ciphers and stream ciphers.
Block ciphers encrypt blocks of data (typically 64 or 128 bits) in a fixed key-dependent way. The design of block ciphers is a well-studied area of research. The best known block ciphers are the Data Encryption Standard (DES) [2] and the Advanced Encryption Standard (AES) [3]. In the past decade, many new attacks on block ciphers have emerged, the most important ones being differential [4] and linear [5] cryptanalysis. Differential cryptanalysis is an example of a chosen-plaintext attack, while linear cryptanalysis is a known-plaintext attack. A good design should at least be resistant to these attacks.
Stream ciphers, on the other hand, generate a pseudorandom key stream independent of the plaintext. This key stream is then used to encrypt the plaintext character per character in a time-varying way.
In this paper, we will study the security of the recently published two-dimensional circulation encryption algorithm (TDCEA) [1]. This design can be seen as a block cipher, but it also has some properties of a stream cipher. It encrypts blocks of 64 bits at a time by combining each block with the secret key.
The outline of this paper is as follows. In Section 2, we briefly describe TDCEA. In Section 3, we study the security of TDCEA. We show several flaws in the algorithm and describe a known-plaintext attack that breaks the cipher in less than 10 seconds on a 1.5 GHz PC. We also explain why we believe that it will not be possible to improve the design to be cryptographically sound, as TDCEA lacks many of the desirable properties of a state-of-the-art symmetric encryption algorithm. In Section 4, we address the tradeoffs that need to be made between performance and security of a design. We then discuss the use of concepts from chaos theory in cryptography in Section 5, and conclude in Section 6.

BRIEF DESCRIPTION OF TDCEA
In this section, we give a brief description of TDCEA. For a full description, we refer to [1]. The secret key of TDCEA consists of a 17-bit value µ (3 < µ < 4), a 17-bit initial state x(0) (0 < x(0) < 1), and two 3-bit values α and β. The plaintext is encrypted in blocks of 64 bits, which corresponds to eight pixels. For every block p(i) (i = 0, 1, . . .), we calculate a new value for the internal state x(0) with the following logistic map: The ciphertext c(i) is then obtained by arranging p(i) in a matrix, and performing rotations on all rows and columns of this matrix. By how many positions each row and column is rotated is dependent on α, β, and x(i).

Flaws of TDCEA
In this section, we list several flaws of TDCEA.

The key of TDCEA is too short
The effective length of the secret key (µ, x(0), α, β) is only 40 bits. Our unoptimized implementation of TDCEA runs at about 1 million encryptions per second on a 1.5 GHz PC. This means that exhaustive search (trying all possible keys until the right key is found) takes only about 12 days on a single PC. On a large cluster of computers, the key can be found in a few minutes. A secret key of at least 80 bits is nowadays the minimum requirement for security against exhaustive search. To make matters worse, TDCEA only uses 23 bits (α, β, and x(i)) to encrypt a plaintext block p_i, which makes divide-and-conquer attacks on the key space possible.

TDCEA only permutes the plaintext
According to the principles of confusion and diffusion introduced by Shannon [6], a strong cipher should use a combination of substitutions and permutations. This can be found in two popular schemes for block ciphers, namely Feistel networks (such as DES) and substitution-permutation networks (such as AES). However, TDCEA only permutes the values of 8 consecutive pixels. It is easy to see that only permuting an image will not hide all of its properties. For instance, an entirely white image will remain entirely white after encryption. Especially pictures with low entropy will still be recognizable after encryption. We have tried to encrypt such pictures and in many cases they are still very recognizable after encryption.
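
The invariants behind this observation can be checked mechanically. The following is an added example, not code from the paper or from [1]: it models a block as an 8x8 bit matrix and takes the row and column rotation amounts as caller-supplied stand-ins, since the derivation of those amounts from α, β, and x(i) is not reproduced on this page.

```python
import random

def to_matrix(block):
    """8 bytes (eight pixels) -> 8x8 bit matrix, one pixel per row."""
    return [[(b >> (7 - j)) & 1 for j in range(8)] for b in block]

def to_bytes(m):
    return bytes(sum(bit << (7 - j) for j, bit in enumerate(row)) for row in m)

def rot(seq, k):
    """Rotate a list right by k positions."""
    k %= len(seq)
    return seq[-k:] + seq[:-k] if k else list(seq)

def rotate_encrypt(block, row_rot, col_rot):
    """Rotate row i by row_rot[i], then column j by col_rot[j].
    The amounts are hypothetical stand-ins for the key-derived values."""
    m = [rot(row, r) for row, r in zip(to_matrix(block), row_rot)]
    cols = [rot(list(c), s) for c, s in zip(zip(*m), col_rot)]
    return to_bytes([list(r) for r in zip(*cols)])

def weight(block):
    """Number of 1 bits in the block."""
    return sum(bin(b).count("1") for b in block)

def weight_profile(image, row_rot, col_rot):
    """Per-block bit counts of an image before and after encryption."""
    blocks = [image[i:i + 8] for i in range(0, len(image), 8)]
    plain = [weight(b) for b in blocks]
    cipher = [weight(rotate_encrypt(b, row_rot, col_rot)) for b in blocks]
    return plain, cipher

def invariants_hold(trials=200, seed=1):
    """True if every random schedule preserves weight and constant blocks."""
    rng = random.Random(seed)
    for _ in range(trials):
        rr = [rng.randrange(8) for _ in range(8)]
        cr = [rng.randrange(8) for _ in range(8)]
        p = bytes(rng.randrange(256) for _ in range(8))
        if weight(rotate_encrypt(p, rr, cr)) != weight(p):
            return False
        for flat in (b"\xff" * 8, b"\x00" * 8):
            if rotate_encrypt(flat, rr, cr) != flat:
                return False
    return True

# Constructed sample: white background with one dark block in the middle.
SAMPLE = b"\xff" * 16 + b"\x00" * 8 + b"\xff" * 16
```

Whatever rotation amounts are used, the per-block bit count of the ciphertext equals that of the plaintext, so the coarse brightness structure of a low-entropy image survives encryption.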

TDCEA is noniterative
When we consider TDCEA as a block cipher, we see that it consists of operations such as multiplications and rotations, which are commonly used in block ciphers. In order to resist cryptanalytic attacks, a strong block cipher is built out of many iterations of the same function. For instance, DES consists of 16 rounds, and AES consists of 10, 12, or 14 rounds of the same function, every time with a different round key. TDCEA only consists of one round, which means there is little hope it will resist linear and differential cryptanalysis.

The key distribution of TDCEA is weak
In a good key distribution system, compromise of one session key should not compromise the master key. In TDCEA, a session key is encrypted by an exclusive or with the master key (see the full description of TDCEA in [1]). This means that compromise of one single session key will also compromise the master key, and thus all previous and future session keys.

The logistic map is not a good pseudorandom number generator
The sequence x(i) quickly becomes periodic. Especially for small values of µ, this is a problem as the period will be very small and an attacker will observe repetition in the permutation used in different blocks. For instance, for µ between 3 and 3.45, the logistic map will oscillate between just two values.
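
The periodicity described above can be measured directly. This added example is not from the paper or from [1]; it assumes the standard logistic map x → µ·x·(1 − x) and a hypothetical 17-bit fixed-point encoding (µ = 3 + M/2^17, x = X/2^17), and reports both the attracting period in floating point and the exact tail and cycle length of the quantized state.

```python
STATE_BITS = 17          # state width stated on the page
S = 1 << STATE_BITS      # number of representable states

def float_period(mu, x0=0.3, burn_in=20000, max_period=64, tol=1e-9):
    """Period of the attracting cycle of x -> mu*x*(1-x), or None if no
    cycle of length <= max_period is reached (for example in the chaotic regime)."""
    x = x0
    for _ in range(burn_in):          # discard the transient
        x = mu * x * (1.0 - x)
    ref = x
    for p in range(1, max_period + 1):
        x = mu * x * (1.0 - x)
        if abs(x - ref) < tol:        # orbit returned to its starting point
            return p
    return None

def fixed_step(X, M):
    """One map step on a 17-bit state X with mu = 3 + M/2^17.
    The encoding is an assumption; the result always stays in [0, 2^17)."""
    return ((3 * S + M) * X * (S - X)) // (S * S)

def fixed_tail_and_period(X0, M):
    """Exact (tail, period) of the quantized orbit starting at X0.
    By pigeonhole, tail + period can never exceed 2^17."""
    seen = {}
    X, i = X0, 0
    while X not in seen:
        seen[X] = i
        X = fixed_step(X, M)
        i += 1
    return seen[X], i - seen[X]

def report(X0=12345):
    """Tail and period for a few constructed values of M (low to high mu)."""
    return {M: fixed_tail_and_period(X0, M) for M in (1000, 40000, 90000, 130000)}

if __name__ == "__main__":
    for mu in (3.1, 3.2, 3.4, 3.5):
        print(f"mu={mu}: float period {float_period(mu)}")
    for M, (tail, period) in report().items():
        print(f"M={M}: tail {tail} blocks, period {period} blocks")
```

Because the state has only 17 bits, tail plus period is bounded by 2^17 blocks, which is 1 MiB of pixel data, before the state sequence and with it the rotation pattern must repeat.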

Known-plaintext attack on TDCEA
The authors claim that TDCEA resists a known-plaintext attack. We will now show that this is not correct by describing an algorithm that breaks TDCEA with only 24 known-plaintext bytes, which is equivalent to three known-plaintext blocks.
The attacker has at his disposal three plaintext blocks p_0, p_1, and p_2, and the corresponding ciphertexts c_0, c_1, and c_2. We use the fact that TDCEA only uses 23 bits (α, β, and x(i)) to encrypt a plaintext block p_i (cf. Section 3). The attacker now proceeds as follows to recover the plaintext.
Step 1. The attacker encrypts the plaintext p_0 by trying all values for α, β, and x(0). This means trying 2^23 ≈ 8 400 000 possibilities, which requires a few seconds on a PC. He then checks whether the obtained ciphertext is equal to the actual ciphertext c_0. If this is the case, he has found a valid guess α_g, β_g, and x(0)_g. One typically obtains very few valid guesses: 4 is a typical value.
Step 2. For the valid guesses α_g, β_g obtained in Step 1, the attacker now tries all values of x(1) to find those for which p_1 encrypts to c_1. Again a very small list of possibilities α_g, β_g, and x(1)_g is obtained.
Step 3. For the guesses α_g, β_g valid in both Steps 1 and 2, the attacker now tries all values of x(2) to find those for which p_2 encrypts to c_2. Again a very small list of possibilities α_g, β_g, and x(2)_g is obtained.
Step 4. The attacker now exhaustively searches the small list obtained in Steps 1 through 3 for values (x(0)_g, x(1)_g, x(2)_g) for which α_g and β_g are the same and for which the following equation holds: Considering (1), one can easily see that the guesses (x(0)_g, x(1)_g, x(2)_g) for which the above equality holds are with high probability the correct values used in TDCEA, that the corresponding α_g and β_g are also the correct values, and that the fraction in (2) is equal to the secret µ. We have thus obtained the whole secret key of TDCEA.
This algorithm has been implemented in C on a Xeon 1.5 GHz. It breaks TDCEA in less than 10 seconds.

Further comments on the security of TDCEA
We have investigated whether the basic structure of TDCEA can be improved so that the algorithm becomes secure.
A first thing that should be done is to increase the key size of the algorithm to prevent the simple known-plaintext attack described above. This implies a substantial increase in the size of the multiplier, which will also affect the speed and the area required by the encryption algorithm.
However, even a huge secret key will not make the cipher secure. An essential flaw of TDCEA is the fact that it only permutes the plaintext as noted above. This problem will remain the same irrespective of the key size. Besides the visible problems of the algorithm, it is also easy to recover the secret key. For instance, one can mount a chosen-plaintext attack as follows: encrypt 8 pixels such that only 1 bit in the circulation matrix is one and all other bits are zero. In the ciphertext, we can see where this bit ended up and thus we know how it has been rotated. As this rotation is directly dependent on the key, this gives us information on the secret key. Working in this way, it will be easy to collect enough information to recover the entire key.
As explained in Section 3.1, many other problems will need to be overcome in order to make the security of TDCEA acceptable. We do not believe that it will be possible to make a secure and efficient algorithm out of the basic building blocks of TDCEA. We will discuss this further in the next section.

ON THE TRADEOFF BETWEEN PERFORMANCE AND SECURITY
It is clear that a minimal requirement for a good symmetric-key algorithm is that it should be secure, as there is no point in using an insecure encryption algorithm. In practice, it is required that the algorithm have a sufficiently large secret key and that there is no attack on the algorithm faster than exhaustive search. For instance, the five block ciphers selected for the final of the Advanced Encryption Standard (AES) development effort [7] fulfill this requirement for 128-bit, 192-bit, and 256-bit keys.
To be used in practice, an algorithm should also have a good performance in various applications. In software, this is expressed in the number of cycles the processor needs to encrypt a byte of plaintext (cycles/byte). In hardware, good performance is a combination of high throughput and low gate count.
Rijndael, the algorithm that has been selected as the AES, achieves very good performance in both software and hardware. Moreover, the design can be implemented in hardware either with a very low gate count and with a more than reasonable throughput (e.g., [8] describes an ASIC implementation using 5400 gates and encrypting 300 Mbps) or optimized for speed and thus heavily pipelined (e.g., [9] describes an ASIC implementation using 173 000 gates and encrypting 2290 Mbps). The AES is a cost-effective practical solution that can be used in most applications, certainly including multimedia data transmission.
In some rare cases where a very low gate count combined with a high throughput is required, it may not be possible to use AES. In these cases, as noted in [10], a stream cipher may achieve a better tradeoff between throughput, gate count, and security. An interesting question is whether the building blocks of TDCEA could provide a solution in such cases. TDCEA has two main building blocks, a multiplication and key-dependent rotations. We will now explain why these building blocks will not achieve a better tradeoff between throughput, gate count, and security than Rijndael.
Multiplications are not the best choice in hardware. For the AES finalists, it has been shown that the block ciphers using multiplication had a significantly longer critical path and also needed more area than those not using multiplication operations; see [11].
The key-dependent rotations of the matrix also will not offer a good tradeoff. The horizontal and vertical rotations have to be performed sequentially, which will make the execution of the algorithm slow compared with other diffusion methods. Moreover, one can note that depending on the secret key, a different number of cycles are performed. This fact will make the system vulnerable to side-channel attacks such as timing and power analysis; see [12,13].

ON CHAOS THEORY AND CRYPTOGRAPHY
In the past years, many new cryptographic algorithms based on chaotic concepts have been published. According to Kocarev [14], "despite a huge number of papers published in the field of chaos-based cryptography, the impact that this research has made on conventional cryptography is rather marginal." Indeed, most of these new designs are too slow or insecure. Often they are both insecure and slow. We believe that this is due to an insufficient knowledge of the state of the art in cryptanalysis by the designers of such systems, as their designs do not resist the most basic of cryptanalytic attacks.
However, it is possible to use chaotic concepts to build ciphers that seem to do well on both security and performance. For example, the stream cipher Rabbit [15] has a good performance on a Pentium and the first analysis indicates that it has sufficient resistance against cryptanalytic attacks [16].

CONCLUSION
We have shown several flaws of the TDCEA algorithm and implemented an attack that breaks the cipher with 24 bytes of known plaintext. The attack runs in less than 10 seconds on a PC. TDCEA is thus highly insecure and should not be used. We have also explained why we believe that the building blocks of TDCEA are not suitable to achieve a good tradeoff between security and performance in a state-of-the-art symmetric encryption algorithm.
We recommend the use of standard encryption algorithms, such as the Advanced Encryption Standard or the block ciphers in the NESSIE [17] portfolio, in practical applications. These standards have undergone an extensive security analysis, achieve very good tradeoffs between performance and security, and can be used in almost all applications.

ACKNOWLEDGMENTS
This work has been supported by the Concerted Research Action (GOA) Mefisto. The first author is an FWO Research Assistant, sponsored by the Fund for Scientific Research-Flanders. The second author's research is financed by a Ph.D. grant of the Institute for the Promotion of Innovation through Science and Technology in Flanders (IWT-Vlaanderen).