On the Security of CS-Cipher

Author

  • Serge Vaudenay

Abstract

CS-Cipher is a block cipher which was proposed at FSE 1998. It is a Markov cipher in which diffusion is performed by multipermutations. In this paper we first provide a formal treatment of differential, linear and truncated differential cryptanalysis, and we apply it to CS-Cipher in order to prove that there exists no good characteristic for these attacks. This holds under the approximation that all round keys of CS-Cipher are uniformly distributed and independent. For this we introduce a new technique for counting active Sboxes in computational networks by the Floyd-Warshall algorithm.

Since the beginning of modern public research in symmetric encryption, block ciphers have been designed with fixed computational networks: we draw a network and put some computation boxes on it. The Feistel scheme [13] is a popular design which makes it possible to build an invertible function from a random function. Its main advantage is that decryption and encryption are fairly similar, because we only have to reverse the order of operations. Another popular (and more intuitive) design consists of a cascade of computational layers, some of which implement parallel invertible transformations. (People inappropriately call it the “SPN structure”, for Substitution Permutation Network, as opposed to Feistel schemes. Referring to Adams’ thesis [3], several Feistel schemes are also SPN ones.) For this design we need two different implementations for encryption and decryption. Several such designs have been proposed to the Advanced Encryption Standard process: Serpent, Safer+, Rijndael and Crypton (see [2]). In this paper we focus on CS-Cipher [32] in order to investigate its security.¹ The main general known attacks are Biham and Shamir’s differential cryptanalysis [8] and Matsui’s cryptanalysis [23,24]. Among their variants, Knudsen’s truncated differentials [18,19] have been shown to be powerful against Massey’s Safer block cipher [22], so we investigate them as well.

In this paper we consider these attacks and we (heuristically) show that CS-Cipher is resistant against them. For this we use the well known technique of counting active Sboxes. We first recall what can be formally proven for differential and linear cryptanalysis under the intuitive approximation that all round keys are uniformly distributed and independent. We contribute a new, similar analysis of truncated differential cryptanalysis. Then we apply these techniques to CS-Cipher. In particular we show how to count the minimal number of active Sboxes in a computational network with multipermutations by using some easy graph algorithms.

¹ While this paper was presented, the owner of the CS-Cipher algorithm announced a “Challenge CS-Cipher”: a 10000 euro award will be given to the first person who decrypts a message encrypted with a key which has been purposely limited to 56 bits. This is basically an exhaustive search race. See http://www.cie-signaux.fr/.

L. Knudsen (Ed.): FSE’99, LNCS 1636, pp. 260–274, 1999. © Springer-Verlag Berlin Heidelberg 1999


Similar resources

New Fixed Point Attacks on GOST2 Block Cipher

The GOST block cipher was designed in the 1970s and published in 1989 as the Soviet and Russian standard GOST 28147-89. In order to enhance the security of the GOST block cipher after various attacks were proposed on it, the designers published a modified version of GOST, namely GOST2, in 2015, which has a new key schedule and an explicit choice of S-boxes. In this paper, by using three exactly identical portions of ...

Impossible Differential Cryptanalysis of Reduced-Round Midori64 Block Cipher (Extended Version)

The impossible differential attack is a well-known means of examining the robustness of block ciphers. Using impossible differential cryptanalysis, we analyze the security of a family of lightweight block ciphers, named Midori, that are designed with low energy consumption in mind. The Midori state size can be either 64 bits for Midori64 or 128 bits for Midori128; however, both vers...

Differential Power Analysis: A Serious Threat to FPGA Security

Differential Power Analysis (DPA) consists in measuring the supply current of a cipher circuit in an attempt to uncover part of a cipher key. Cryptographic security is compromised if the current waveforms obtained correlate with those from a hypothetical power model of the circuit. As FPGAs are becoming integral parts of embedded systems and increasingly popular for cryptographic applications and...

Cipher text only attack on speech time scrambling systems using correction of audio spectrogram

Recently, permutation multimedia ciphers were broken in a chosen-plaintext scenario. That attack models a very resourceful adversary, which may not always be the case. To show the insecurity of these ciphers, we present a ciphertext-only attack on speech permutation ciphers. We show that the inherent redundancies of speech can pave the way for a successful ciphertext-only attack. To that end, regularities ...

Extension of Cube Attack with Probabilistic Equations and its Application on Cryptanalysis of KATAN Cipher

The cube attack is a successful case of algebraic attack. It consists of two phases: linear equation extraction and solving the extracted equation system. Due to the high complexity of the equation extraction phase in finding linear equations, we can extract nonlinear ones that can be approximated by linear equations with high probability. The probabilistic equations could be considered as l...

Biometric Authentication of Fingerprint for Banking Users, Using Stream Cipher Algorithm

Providing banking services, especially online banking and electronic payment systems, has always been associated with high concerns about security risks. In this paper, customer authentication for transactions in electronic banking is discussed, and a more appropriate way of using biometric fingerprint data, as well as encrypting those data in a different way, is suggest...


Journal title:

Volume   Issue 

Pages  -

Publication date 1999