A Differential Cryptanalysis of Yen-Chen-Wu Multimedia Cryptography System (MCS)
ABSTRACT At ISCAS'2005, Yen et al. presented a new chaos-based cryptosystem for multimedia transmission named "Multimedia Cryptography System" (MCS). No cryptanalytic results have been reported so far. This paper presents a differential attack to break MCS, which requires only seven chosen plaintexts. The complexity of the attack is O(N), where $N$ is the size of plaintext. Experimental results are also given to show the real performance of the proposed attack. Comment: 22 pages, 5 figures
NOTICE: This is the author’s version of a work that was accepted to Journal of Systems and
Software in 2009. Changes resulting from the publishing process, such as peer review, editing,
corrections, structural formatting, and other quality control mechanisms may not be reflected in
this document. Changes may have been made to this work since it was submitted for publication.
A definitive version has been published in Journal of Systems and Software, vol. 83, no. 8, pp.
1443–1452, 2010, Elsevier. DOI: 10.1016/j.jss.2010.02.039.
A differential cryptanalysis of Yen-Chen-Wu multimedia cryptography system
Chengqing Li∗,a, Shujun Li∗,b, Kwok-Tung Lo a, Kyandoghere Kyamakya c
a Department of Electronic and Information Engineering, The Hong Kong Polytechnic University, Hong Kong, China
b Fachbereich Informatik und Informationswissenschaft, Universität Konstanz, Fach M697, Universitätsstraße 10, 78457 Konstanz, Germany
c Universität Klagenfurt, Institut für Intelligente Systemtechnologien, Universitätsstraße 65-67, 9020 Klagenfurt, Austria.
Abstract
Recently, Yen et al. presented a new chaos-based cryptosystem for multimedia transmission named
“Multimedia Cryptography System” (MCS). No cryptanalytic results have been reported so far.
This paper presents a differential attack to break MCS, which requires only seven chosen plaintexts.
The complexity of the attack is O(N), where N is the size of plaintext. Experimental results are
also given to show the real performance of the proposed attack.
Key words: chaos, cryptanalysis, differential attack, encryption, multimedia, security
1. Introduction
The prevalence of multimedia data makes its security more and more important. However, traditional cryptosystems cannot protect multimedia data efficiently due to the big differences between texts and multimedia data, such as the bulky sizes and strong correlation between neighboring elements of uncompressed multimedia data. In addition, multimedia encryption schemes have some special requirements like high bitrate and easy concatenation of different components of the whole multimedia processing system. So, designing special encryption schemes protecting multimedia data becomes necessary. To meet this challenge, a great number of multimedia encryption schemes have been proposed in the past two decades [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]. Due to the subtle similarity between chaos and cryptography, some of the multimedia encryption schemes were designed based on one or more chaotic systems [3, 4, 5, 8, 9, 11]. Meanwhile, a lot of cryptanalytic work has also been reported, showing that many encryption schemes were not designed carefully and are prone to various kinds of attacks [12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23].
∗Corresponding authors.
Email address: zjulcq@gmail.com (Chengqing Li)
URL: www.hooklee.com (Shujun Li)
Preprint submitted to Journal of Systems and Software, June 3, 2010
In the past decade, a series of encryption schemes were proposed by Yen and Guo’s research group [24, 25, 26, 27, 28]. The main idea of these schemes is to combine some basic encryption operations, under the control of a pseudorandom bit sequence (PRBS) generated by iterating a chaotic system. Unfortunately, most of the Yen-Guo multimedia encryption schemes have been successfully cryptanalyzed [29, 30, 31, 32, 33].
This paper reports a security analysis of MCS (Multimedia Cryptography System) – the latest multimedia encryption scheme proposed by Yen et al. [28]. Another hardware implementation of MCS was proposed in [34]. Compared with other earlier designs, such as RCES [26] and TDCEA [27], which have been cryptanalyzed in [33, 29], MCS combines more encryption operations of different kinds in a more complicated manner, in the hope that the security can be effectively enhanced. This paper shows that MCS is still vulnerable to a differential chosen-plaintext attack. Only seven chosen plaintexts (or six specific plaintext differentials) are enough to break MCS, with a divide-and-conquer (DAC) strategy.
The rest of this paper is organized as follows. Section 2 briefly introduces how MCS works. The proposed differential attack is detailed in Sec. 3 with experimental results. Finally, the last section concludes the paper.
2. Multimedia Cryptography System (MCS)
MCS encrypts the plaintext block by block, and each block contains 15 bytes. As the first
step of the encryption process, each 15-byte plain-block is expanded to a 16-byte one by adding
a secretly selected byte. Then, the expanded block is encrypted with the following four different
operations: byte swapping (permutation), value masking, horizontal and vertical bit rotations,
which are all controlled by a secret PRBS.
Denote the plaintext by $f = (f(i))_{i=0}^{N-1}$, where $f(i)$ denotes the $i$-th plain-byte. Without loss of generality, assume that $N$ can be exactly divided by 15. Then, the plaintext has $N/15$ blocks: $f = (f^{(15)}(k))_{k=0}^{N/15-1}$, where $f^{(15)}(k) = (f^{(15)}(k,j))_{j=0}^{14} = (f(15k+j))_{j=0}^{14}$. Similarly, denote the ciphertext by $f' = (f'(i))_{i=0}^{(N/15)\cdot 16-1} = (f'^{(16)}(k))_{k=0}^{N/15-1}$, where $f'^{(16)}(k) = (f'^{(16)}(k,j))_{j=0}^{15} = (f'(16k+j))_{j=0}^{15}$ denotes the expanded cipher-block. With the above notations, MCS can be described as follows.
• The secret key includes five integers $\alpha_1, \alpha_2, \beta_1, \beta_2, Secret$, and a binary fraction $x(0)$, where $1 \le \alpha_1 < \alpha_1+\beta_1 \le 7$, $1 \le \alpha_2 < \alpha_2+\beta_2 \le 7$,¹ $Secret \in \{0,\ldots,255\}$ and $x(0) = \sum_{j=-64}^{64} x(0)_j \cdot 2^j$, $x(0)_j \in \{0,1\}$.
• A PRBG (pseudorandom bit generator)
A pseudorandom number sequence $(x(i))_{i=0}^{N/15+9}$ is generated by iterating the following equation from $x(0)$:
$$x(i+1) = T\big((419/2^8)\cdot(x(i) \oplus H(x(i))) \bmod 2^{64}\big), \qquad (1)$$
where $x(i) = \sum_{j=-64}^{64} x(i)_j \cdot 2^j$, $x(i)_j \in \{0,1\}$, $H(x(i)) = \sum_{j=-64}^{64}\big(\sum_{k=-64}^{-1} x(i)_k\big)\cdot 2^j$, $T(x) = x - (x \bmod 2^{-64})$ and $\oplus$ denotes bitwise XOR. Then, the controlling PRBS $(b(i))_{i=0}^{129N/15-1}$ is derived from $(x(i))_{i=10}^{N/15+9}$ by extracting the 129 bits from each $x(i+10)$. The above PRBG is a special case of the second class of chaos-based PRBG proposed in [35], with the parameters $p = 419$, $m = 8$, $M = k = 64$.
¹In [28] Yen et al. didn’t exclude the possibility of $\alpha_i = 0$ and $\beta_i = 0$, but to achieve the effect of encryption they should not be equal to 0.
• The initialization process
1) run the above PRBG to generate the controlling PRBS $(b(i))_{i=0}^{129N/15-1}$; 2) set $temp = Secret$.
• The encryption procedure
For each plain-block $f^{(15)}(k)$, do the following operations consecutively:
– Step a) Data expansion
Add $temp$ to the 15-byte plain-block to get an expanded 16-byte block
$$f^{(16)}(k) = (f^{(16)}(k,j))_{j=0}^{15} = (f^{(15)}(k,0),\ldots,f^{(15)}(k,14),temp),$$
and then set $temp = f^{(16)}(k,l(k))$, where $l(k) = \sum_{i=0}^{3} b(129k+i)\cdot 2^i$.
– Step b) Byte swapping
Define a pseudorandom byte swapping operation, $\mathrm{Swap}_{b(129k+l)}(f^{(16)}(k,i), f^{(16)}(k,j))$, which swaps $f^{(16)}(k,i)$ and $f^{(16)}(k,j)$ when $b(129k+l) = 1$. Then, perform the byte swapping operation for the following 32 values of $(i,j,l)$ one after another: (0,8,4), (1,9,5), (2,10,6), (3,11,7), (4,12,8), (5,13,9), (6,14,10), (7,15,11), (0,4,12), (1,5,13), (2,6,14), (3,7,15), (8,12,16), (9,13,17), (10,14,18), (11,15,19), (0,2,20), (1,3,21), (4,6,22), (5,7,23), (8,10,24), (9,11,25), (12,14,26), (13,15,27), (0,1,28), (2,3,29), (4,5,30), (6,7,31), (8,9,32), (10,11,33), (12,13,34), (14,15,35). Denote the permuted 16-byte block by $f^{*(16)}(k)$.
– Step c) Value masking
Determine two pseudo-random variables, $Seed_1(k) = \sum_{i=0}^{15}\big(\bigoplus_{t=0}^{3} b(129k+4i+t)\big)\cdot 2^i$ and $Seed_2(k) = \sum_{i=16}^{31}\big(\bigoplus_{t=0}^{3} b(129k+4i+t)\big)\cdot 2^{i-16}$, and then do the following masking operation for $j = 0 \sim 7$:
$$f^{**(16)}(k)_j = f^{*(16)}(k)_j \oplus Seed(k,j), \qquad (2)$$
where $f^{*(16)}(k)_j$ and $f^{**(16)}(k)_j$ are composed of the $j$-th bits of the 16 elements of $f^{*(16)}(k)$ and $f^{**(16)}(k)$, respectively,
$$Seed(k,j) = \begin{cases} Seed_1(k), & B(k,j) = 3,\\ Seed_1(k), & B(k,j) = 2,\\ Seed_2(k), & B(k,j) = 1,\\ Seed_2(k), & B(k,j) = 0, \end{cases} \qquad (3)$$
and $B(k,j) = 2\cdot b(129k+36+2j) + b(129k+37+2j)$.
– Step d) Horizontal bit rotation
Construct an $8\times 8$ matrix $M_1$ by assigning $M_1(i,j)$ as the $j$-th bit of $f^{**(16)}(k,i)$. Then, perform the following horizontal bit rotation operations for $i = 0,\ldots,7$ to get a new matrix $\widetilde{M}_1$:
$$\widetilde{M}_1(i,:) = \mathrm{RotateX}_{p_{1,k,i},\, r_{1,k,i}}(M_1(i,:)),$$
which shifts $M_1(i,:)$ (the $i$-th row of $M_1$) by $r_{1,k,i}$ elements (bits) to the left when $p_{1,k,i} = 1$ and to the right when $p_{1,k,i} = 0$. The values of the two parameters are as follows: $p_{1,k,i} = b(129k+65+2i)$, $r_{1,k,i} = \alpha_1 + \beta_1\cdot b(129k+66+2i)$. Equivalently, the above process can be rewritten in the following way:
$$\widetilde{M}_1(i,:) = \mathrm{RotateX}_{0,\,\bar r_{1,k,i}}(M_1(i,:)),$$
where
$$\bar r_{1,k,i} = \begin{cases} \alpha_1 + \beta_1\cdot b(129k+66+2i), & p_{1,k,i} = b(129k+65+2i) = 0,\\ 8 - (\alpha_1 + \beta_1\cdot b(129k+66+2i)), & p_{1,k,i} = b(129k+65+2i) = 1. \end{cases}$$
In the following, we will use the latter form to simplify our further discussion.
In a similar way, construct another $8\times 8$ matrix $M_2$ by assigning $M_2(i,j)$ as the $j$-th bit of $f^{**(16)}(k,8+i)$. Then, perform similar horizontal bit rotation operations on $M_2$ to get a new matrix $\widetilde{M}_2$:
$$\widetilde{M}_2(i,:) = \mathrm{RotateX}_{0,\,\bar r_{2,k,i}}(M_2(i,:)),$$
where
$$\bar r_{2,k,i} = \begin{cases} \alpha_1 + \beta_1\cdot b(129k+98+2i), & p_{2,k,i} = b(129k+97+2i) = 0,\\ 8 - (\alpha_1 + \beta_1\cdot b(129k+98+2i)), & p_{2,k,i} = b(129k+97+2i) = 1. \end{cases}$$
After the above horizontal bit rotation operations, represent the $i$-th byte in the 16-byte block as follows
$$\tilde f^{(16)}(k,i) = \begin{cases} \sum_{j=0}^{7} \widetilde{M}_1(i,j)\cdot 2^j, & 0 \le i \le 7,\\ \sum_{j=0}^{7} \widetilde{M}_2(i-8,j)\cdot 2^j, & 8 \le i \le 15. \end{cases}$$
– Step e) Vertical bit rotation
For $j = 0,\ldots,7$, do the following vertical bit rotation operations on $\widetilde{M}_1$ to get $\widehat{M}_1$:
$$\widehat{M}_1(:,j) = \mathrm{RotateY}_{0,\,s_{1,k,j}}(\widetilde{M}_1(:,j)),$$
which shifts $\widetilde{M}_1(:,j)$ (the $j$-th column of $\widetilde{M}_1$) by $s_{1,k,j}$ elements (bits) downwards. The value of the parameter is as follows:
$$s_{1,k,j} = \begin{cases} \alpha_1 + \beta_1\cdot b(129k+82+2j), & q_{1,k,j} = b(129k+81+2j) = 0,\\ 8 - (\alpha_1 + \beta_1\cdot b(129k+82+2j)), & q_{1,k,j} = b(129k+81+2j) = 1. \end{cases}$$
Similar vertical bit rotations are performed on $\widetilde{M}_2$ to get $\widehat{M}_2$ as follows:
$$\widehat{M}_2(:,j) = \mathrm{RotateY}_{0,\,s_{2,k,j}}(\widetilde{M}_2(:,j)),$$
where
$$s_{2,k,j} = \begin{cases} \alpha_1 + \beta_1\cdot b(129k+114+2j), & q_{2,k,j} = b(129k+113+2j) = 0,\\ 8 - (\alpha_1 + \beta_1\cdot b(129k+114+2j)), & q_{2,k,j} = b(129k+113+2j) = 1. \end{cases}$$
Finally, the cipher-block $f'^{(16)}(k) = (f'^{(16)}(k,i))_{i=0}^{15}$ is derived from $\widehat{M}_1$ and $\widehat{M}_2$ as follows:
$$f'^{(16)}(k,i) = \begin{cases} \sum_{j=0}^{7} \widehat{M}_1(i,j)\cdot 2^j, & 0 \le i \le 7,\\ \sum_{j=0}^{7} \widehat{M}_2(i-8,j)\cdot 2^j, & 8 \le i \le 15. \end{cases}$$
• The decryption procedure is simply the inverse of the above encryption procedure.
To show the real performance of the above encryption scheme, a 512 × 512 plain-image “Peppers” and the corresponding cipher-image are shown in Fig. 1, where the randomly selected secret key is as follows: α1 = 2, β1 = 5, α2 = 3, β2 = 4, Secret = 20, and x(0) = 0.251. Note that the cipher-image is 1/16 higher than the plain-image due to the data expansion. To show how MCS works more clearly, the encryption process of the second 15-byte block of the image shown in Fig. 1a) is shown in Table 1.
Figure 1: The plain-image “Peppers” and the corresponding cipher-image: a) the plain-image; b) the cipher image.
3. Cryptanalysis
First of all, we point out that the subkey Secret has no influence on the plaintext recovered from the decryption process. This is because Secret is only used to determine the expanded byte, and never used to change the value of any other byte in the plaintext. In fact, if we use a different value of Secret for the decryption process, the plaintext can still be correctly recovered. Furthermore, the probability that Secret becomes the expanded byte of $f^{(16)}(k)$ is $(15/16)^k$, which decreases exponentially with respect to $k$. As a consequence, we can simply ignore the (statistically tiny) influence of Secret on the encryption process after $k$ becomes sufficiently large. As a whole, Secret should be excluded from the key. In the rest of this paper, we will not consider Secret as a subkey.
Table 1: Encryption process of the second 16-byte block of the image shown in Fig. 1a. Bytes 0–7 (the first half-block) are listed before the vertical bar and bytes 8–15 after it; row $i$ of each matrix lists the bits of byte $i$ from bit 0 to bit 7.
$f^{(16)}(1)$:                              174,184,185,191,188,190,191,185 | 191,190,189,190,189,187,183,113
$f^{*(16)}(1)$ after the first eight swaps: 191,184,189,190,189,187,191,185 | 174,190,185,191,188,190,183,113
$f^{*(16)}(1)$ after all 32 swaps:          184,191,190,191,185,189,189,187 | 113,185,174,190,183,190,188,191
$f^{**(16)}(1)$:                            163,136, 90,119,142,117,117,115 | 106,113,181,137, 83,137,167,164
$M_1$ | $M_2$:
  1,1,0,0,0,1,0,1 | 0,1,0,1,0,1,1,0
  0,0,0,1,0,0,0,1 | 1,0,0,0,1,1,1,0
  0,1,0,1,1,0,1,0 | 1,0,1,0,1,1,0,1
  1,1,1,0,1,1,1,0 | 1,0,0,1,0,0,0,1
  0,1,1,1,0,0,0,1 | 1,1,0,0,1,0,1,0
  1,0,1,0,1,1,1,0 | 1,0,0,1,0,0,0,1
  1,0,1,0,1,1,1,0 | 1,1,1,0,0,1,0,1
  1,1,0,0,1,1,1,0 | 0,0,1,0,0,1,0,1
$\bar r_{1,1,i}$ | $\bar r_{2,1,i}$:         1,2,2,6,6,6,7,6 | 1,2,6,2,2,6,1,6
$\widetilde{M}_1$ | $\widetilde{M}_2$:
  1,1,1,0,0,0,1,0 | 0,0,1,0,1,0,1,1
  0,1,0,0,0,1,0,0 | 1,0,1,0,0,0,1,1
  1,0,0,1,0,1,1,0 | 1,0,1,1,0,1,1,0
  1,0,1,1,1,0,1,1 | 0,1,1,0,0,1,0,0
  1,1,0,0,0,1,0,1 | 1,0,1,1,0,0,1,0
  1,0,1,1,1,0,1,0 | 0,1,0,0,0,1,1,0
  0,1,0,1,1,1,0,1 | 1,1,1,1,0,0,1,0
  0,0,1,1,1,0,1,1 | 1,0,0,1,0,1,0,0
$\tilde f^{(16)}(1)$:                         71, 34,105,221,163, 93,186,220 | 212,197,109, 38, 77, 98, 79, 41
$s_{1,1,j}$ | $s_{2,1,j}$:                   1,3,5,3,5,3,5,3 | 7,3,1,3,3,1,7,7
$\widehat{M}_1$ | $\widehat{M}_2$:
  0,0,1,1,1,0,1,0 | 1,1,0,0,0,1,1,1
  1,1,0,1,0,1,0,1 | 1,1,1,1,0,0,1,0
  0,0,1,1,1,0,1,1 | 0,0,1,1,0,0,0,0
  1,1,0,0,1,0,0,0 | 1,0,1,0,1,1,1,0
  1,1,1,0,1,1,1,0 | 0,0,1,0,0,1,1,0
  1,0,1,1,0,1,1,0 | 1,0,1,1,0,0,1,0
  1,0,0,1,0,0,0,1 | 1,1,0,0,0,1,0,0
  0,1,0,0,0,1,1,1 | 0,0,1,1,0,0,1,1
$f'^{(16)}(1)$:                               92,171,220, 19,119,109,137,226 | 227, 79, 12,117,100, 77, 35,204
3.1. Some properties of MCS
Define the XOR-differential (“differential” in short hereinafter) of two plaintexts $f_0$ and $f_1$ as $f_{0\oplus 1} = f_0 \oplus f_1$. When $f_0$ and $f_1$ are encrypted with the same secret key, it is easy to prove the following properties of MCS, which will be the basis of the proposed attack.
Property 1. The random masking in Step c) cannot change the differential value, i.e., $\forall\, k,j$, $f^{**(16)}_{0\oplus 1}(k,j) \equiv f^{*(16)}_{0\oplus 1}(k,j)$.
Proof: It is a straightforward result of the following property of XOR: $(a \oplus x) \oplus (b \oplus x) = a \oplus b$. □
Property 2. Each expanded plain-block $f^{(16)}_{0\oplus 1}(k)$ is independent of the sub-key $Secret$.
Proof: This can be proved with mathematical induction on $k$. When $k = 0$ and $0 \le j \le 15$, i.e., for the $j$-th byte of the first 16-byte block,
$$f^{(16)}_{0\oplus 1}(0,j) = \begin{cases} f^{(15)}_{0\oplus 1}(0,j), & 0 \le j \le 14,\\ Secret \oplus Secret = 0, & j = 15, \end{cases}$$
which is obviously independent of the value of $Secret$. Now assume the property holds for the first $k-1$ blocks. Then, for the $k$-th 16-byte block,
$$f^{(16)}_{0\oplus 1}(k,j) = \begin{cases} f^{(15)}_{0\oplus 1}(k,j), & 0 \le j \le 14,\\ f^{(16)}_{0\oplus 1}(k-1,l(k-1)), & j = 15, \end{cases}$$
which is also independent of $Secret$ according to the assumption. Thus, this property is proved. □
Property 3. The byte swapping in Step b) cannot change each differential value, but only its position in the 16-byte block.
Property 4. Both the horizontal bit rotation in Step d) and the vertical bit rotation in Step e) cannot change each differential bit itself, but only its position in the binary representation of the 8-byte block.
The proofs of the above two properties are straightforward, so we omit them here.
3.2. The differential attack
Based on the above properties of MCS, the data expansion in Step a), the first eight byte swapping operations in Step b), the vertical bit rotation in Step e), the horizontal bit rotation in Step d), the other unknown byte swapping operations in Step b) and the value masking in Step c) can be broken in order with a number of chosen plaintext differentials.
3.2.1. Breaking the secret data expansion in Step a)
To facilitate the following discussion, let us denote the Hamming weight of a byte or a block $x$, i.e., the number of 1-bits in $x$, by $|x|$. From Properties 3 and 4, and the proof of Property 2, one can see that $8\cdot 15 = 120$ binary bits of $f'^{(16)}_{0\oplus 1}(k)$ come from $f^{(15)}_{0\oplus 1}(k)$ and the other eight bits come from $f^{(15)}_{0\oplus 1}(k-1,l(k-1))$ for $k \ge 1$ (the eight expanded bits are all 0-bits when $k = 0$). Since all the other steps do not change the Hamming weight of each 16-byte block, we can get
$$\big|f^{(15)}_{0\oplus 1}(k-1,l(k-1))\big| = \big|f'^{(16)}_{0\oplus 1}(k)\big| - \big|f^{(15)}_{0\oplus 1}(k)\big|.$$
In case $|f^{(15)}_{0\oplus 1}(k-1,l(k-1))|$ is unique in the last 15-byte block $f^{(15)}_{0\oplus 1}(k-1)$, we can uniquely determine the value of $l(k-1)$. Considering $|f^{(15)}_{0\oplus 1}(k-1,l(k-1))| \in \{0,\ldots,8\}$ but $l(k-1) \in \{0,\ldots,15\}$, at least two plain-bytes in each 15-byte block have the same Hamming weight. So, the value of $l(k-1)$ may not be uniquely determined sometimes. To make the unique determination of $l(k-1)$ possible, we can choose two plaintext differentials $f_{0\oplus 1}$ and $f_{0\oplus 2}$ (i.e., differentials of three chosen plaintexts $f_0$, $f_1$ and $f_2$) to fulfill the following two requirements: 1) $\forall\, k, j_1 \ne j_2$, $\big(|f^{(15)}_{0\oplus 1}(k,j_1)|, |f^{(15)}_{0\oplus 2}(k,j_1)|\big) \ne \big(|f^{(15)}_{0\oplus 1}(k,j_2)|, |f^{(15)}_{0\oplus 2}(k,j_2)|\big)$; 2) $\forall\, k,j$, $\big(|f^{(15)}_{0\oplus 1}(k,j)|, |f^{(15)}_{0\oplus 2}(k,j)|\big) \ne (0,0)$. For example, the two plaintext differentials can be chosen to have the following Hamming weights, repeating with a period of $9\times 9-1 = 80$ elements:
$$(|f_{0\oplus 1}(i)|)_{i=1}^{N-1} = (\underbrace{1,2,3,4,5,6,7,8,0,1,2,3,4,5,6,7,8,\ldots,0,1,2,3,4,5,6,7,8}_{9\times 9-1 = 80\ \text{elements}},\ldots),$$
$$(|f_{0\oplus 2}(i)|)_{i=1}^{N-1} = (\underbrace{0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,\ldots,8,8,8,8,8,8,8,8,8}_{9\times 9-1 = 80\ \text{elements}},\ldots).$$
With the above chosen plaintexts, it is obvious that the value of $l(k-1)$ can always be uniquely determined, except when
$$\big(|f^{(15)}_{0\oplus 1}(k-1,15)|, |f^{(15)}_{0\oplus 2}(k-1,15)|\big) \in \Big\{\big(|f^{(15)}_{0\oplus 1}(k-1,j)|, |f^{(15)}_{0\oplus 2}(k-1,j)|\big)\Big\}_{j=0}^{14}. \qquad (4)$$
The exception (4) occurs when $l(k-n_0+1) \ne 15$ and $l(k-n_0+1) = l(k-n_0+2) = \cdots = l(k-1)$, where $n_0 = \lfloor 80/15\rfloor - 1$ and $k \ge n_0 - 1$. Assuming that the secret bits controlling $l(k-n_0+1), \ldots, l(k-1)$ distribute uniformly over $\{0,1\}$, the occurrence probability of the exception is less than $\frac{15}{16}\cdot\big(\frac{1}{16}\big)^{\lfloor 80/15\rfloor - 1} \approx 1.4305\times 10^{-5}$. For a $512\times 512$ image, this means that we will not be able to uniquely determine the value of $l(k-1)$ for less than $1.4305\times 10^{-5}\times 512\times 512/16 \approx 0.2344$ blocks in an average sense. In other words, the value of $l(k-1)$ can be uniquely determined for almost all blocks. Note that breaking $l(k-1)$ implies breaking 4 controlling bits $(b(129(k-1)+i))_{i=0}^{3}$.
3.2.2. Breaking the first eight byte-swapping operations in Step b)
From Properties 3, 4, one can see that all the $8\cdot 16 = 128$ bits of each 16-byte expanded plain-block $f^{(16)}_{0\oplus 1}(k)$ are the same as the ones of the corresponding 16-byte cipher-block $f'^{(16)}_{0\oplus 1}(k)$, except that their locations may change. Observing how the bit locations are changed in the whole encryption process, we can see the following eight byte-swapping operations are the only encryption operations moving bits from one 8-byte half-block to another: $\mathrm{Swap}_{b(129k+i+4)}(f^{(16)}(k,i), f^{(16)}(k,i+8))$, when $i = 0,1,2,3,4,5,6,7$. Apparently, when the controlling bit is 1, each byte-swapping operation swaps the locations of one byte in the first half-block and the other byte in another half-block. This fact means that, by choosing the differences between the Hamming weights of the eight
bytes in the two half-blocks properly, we will be able to derive the values of the controlling bits $(b(129k+i+4))_{i=0}^{7}$. The simplest tactic is to choose $f^{(16)}_{0\oplus 1}(k)$ such that each half-block has only one byte with a different Hamming weight from the corresponding byte in the other half-block. If we assume all the values of $(l(k))_{k=0}^{N/15-2}$ have been recovered, which happens with high probability as shown in the previous subsection, the first 15 bytes in $f^{(16)}_{0\oplus 1}(k)$ can be freely chosen by choosing $f^{(15)}_{0\oplus 1}(k)$. The last byte in each 16-byte block $f^{(16)}_{0\oplus 1}(k,15)$ may not be chosen, if it is equal to $Secret$. Fortunately, this has no influence on the process of breaking the first eight byte-swapping operations, because what is chosen for the last byte is $|f^{(16)}(k,15)| - |f^{(16)}(k,7)|$. Although we may not be able to choose $f^{(16)}_{0\oplus 1}(k,15)$, we can always choose $f^{(16)}_{0\oplus 1}(k,7)$ to have a different Hamming weight from that of $f^{(16)}_{0\oplus 1}(k,15)$. One chosen-block $f^{(16)}_{0\oplus 1}(k)$ will be able to derive the value of one controlling bit, which controls the possible swapping of the two bytes (in two half-blocks, respectively) with different Hamming weights. We need eight chosen plain-blocks (thus eight chosen plaintext differentials) to determine the values of all the eight controlling bits.
While eight chosen plaintext differentials are enough to recover all the bits controlling the first eight byte-swapping operations, we actually need only two chosen plaintext differentials to achieve this goal. To see how it is possible, denote the difference between the Hamming weights of the two half-blocks of the $k$-th cipher-block by $\Delta\big|f'^{(16)}_{0\oplus 1}(k)\big| = \big|(f'^{(16)}_{0\oplus 1}(k,i))_{i=0}^{7}\big| - \big|(f'^{(16)}_{0\oplus 1}(k,i+8))_{i=0}^{7}\big|$. Then, we have the following equation:
$$\begin{aligned}\Delta\big|f'^{(16)}_{0\oplus 1}(k)\big| &= \big|(f'^{(16)}_{0\oplus 1}(k,i))_{i=0}^{7}\big| - \big|(f'^{(16)}_{0\oplus 1}(k,i+8))_{i=0}^{7}\big| \\ &= \big|(f^{*(16)}_{0\oplus 1}(k,i))_{i=0}^{7}\big| - \big|(f^{*(16)}_{0\oplus 1}(k,i+8))_{i=0}^{7}\big| \\ &= \sum_{i=0}^{7}\Big(\big|f^{*(16)}_{0\oplus 1}(k,i)\big| - \big|f^{*(16)}_{0\oplus 1}(k,i+8)\big|\Big) \\ &= \sum_{i=0}^{7} b^{\pm}(k,i)\Big(\big|f^{(16)}_{0\oplus 1}(k,i)\big| - \big|f^{(16)}_{0\oplus 1}(k,i+8)\big|\Big),\end{aligned}$$
where
$$b^{\pm}(k,i) = 1 - 2b(129k+i+4) = \begin{cases} 1, & b(129k+i+4) = 0,\\ -1, & b(129k+i+4) = 1.\end{cases}$$
By choosing the values of $\big(|f^{(16)}_{0\oplus 1}(k,i)| - |f^{(16)}_{0\oplus 1}(k,i+8)|\big)_{i=0}^{7}$ to be a set of numbers such that every nonzero number cannot be represented as a linear combination of other numbers in the set, the controlling bits corresponding to the nonzero numbers can be determined uniquely. For instance, to determine the values of $b^{\pm}(k,0),\ldots,b^{\pm}(k,3)$, we can choose a plaintext differential such that
• $|f^{(16)}_{0\oplus 1}(k,i)| - |f^{(16)}_{0\oplus 1}(k,i+8)| = \pm 4, \pm 5, \pm 6, \pm 8$ for $i = 0,1,2,3$, respectively;
• $|f^{(16)}_{0\oplus 1}(k,i)| - |f^{(16)}_{0\oplus 1}(k,i+8)| = 0$ for $i = 4,5,6,7$.
The above chosen plaintext differential leads to the following result: $\Delta|f'^{(16)}_{0\oplus 1}(k)| \in \{\pm 23, \pm 15, \pm 13, \pm 11, \pm 7, \pm 5, \pm 3, \pm 1\}$. The 16 possible values of $\Delta|f'^{(16)}_{0\oplus 1}(k)|$ correspond to the 16 possible values of $(b(129k+4+i))_{i=0}^{3}$. Choosing another plaintext differential such that
• $|f^{(16)}_{0\oplus 1}(k,i)| - |f^{(16)}_{0\oplus 1}(k,i+8)| = 0$ for $i = 0,1,2,3$;
• $|f^{(16)}_{0\oplus 1}(k,i)| - |f^{(16)}_{0\oplus 1}(k,i+8)| = \pm 4, \pm 5, \pm 6, \pm 8$ for $i = 4,5,6,7$, respectively,
we will be able to uniquely determine the other four controlling bits $(b(129k+4+i))_{i=4}^{7}$. As a whole, with only two chosen plaintext differentials, we can uniquely determine all the eight controlling bits $(b(129k+4+i))_{i=0}^{7}$.
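As an added example (our code, not the paper's or Yen et al.'s), the following Python re-implements Steps b)–e) of one MCS block from Sec. 2 and the Hamming-weight differential of this subsection, checking the two rotation steps against the Table 1 values. All names (`byte_swap`, `mask`, `encrypt_block`, `recover_first_eight`, `DELTA_TABLE`, ...) are ours; the PRBG and Step a) are omitted and the 129 controlling bits are constructed; the XOR combination of the 4-bit seed groups and the Seed selection of Eq. (3) are taken as printed on the page; and the vertical rotations use (α2, β2), which the Table 1 values s ∈ {1, 3, 5, 7} under α2 = 3, β2 = 4 imply.

```python
# Added example (not the paper's code): a toy re-implementation of one MCS block,
# Steps b)-e) of Sec. 2, plus the Hamming-weight differential of Sec. 3.2.2. The PRBG
# and Step a) are left out; the 129 controlling bits b(129k+0..128) are passed in.
import random
from itertools import product
from typing import Callable, List

# Step b): the 32 (i, j, l) triples; bytes i and j are swapped when b(129k+l) = 1.
SWAP_SCHEDULE = [
    (0, 8, 4), (1, 9, 5), (2, 10, 6), (3, 11, 7), (4, 12, 8), (5, 13, 9), (6, 14, 10), (7, 15, 11),
    (0, 4, 12), (1, 5, 13), (2, 6, 14), (3, 7, 15), (8, 12, 16), (9, 13, 17), (10, 14, 18), (11, 15, 19),
    (0, 2, 20), (1, 3, 21), (4, 6, 22), (5, 7, 23), (8, 10, 24), (9, 11, 25), (12, 14, 26), (13, 15, 27),
    (0, 1, 28), (2, 3, 29), (4, 5, 30), (6, 7, 31), (8, 9, 32), (10, 11, 33), (12, 13, 34), (14, 15, 35)]

def byte_swap(block: List[int], b: List[int]) -> List[int]:
    out = list(block)
    for i, j, l in SWAP_SCHEDULE:
        if b[l]:
            out[i], out[j] = out[j], out[i]
    return out

def mask(block: List[int], b: List[int]) -> List[int]:
    """Step c), Eqs. (2)-(3): XOR bit-plane j of the 16 bytes with Seed(k, j). Assumptions:
    each 4-bit group is combined by XOR; Seed1 is used for B(k,j) in {3,2}, Seed2 for {1,0}."""
    seed1 = sum((b[4*i] ^ b[4*i+1] ^ b[4*i+2] ^ b[4*i+3]) << i for i in range(16))
    seed2 = sum((b[64+4*i] ^ b[65+4*i] ^ b[66+4*i] ^ b[67+4*i]) << i for i in range(16))
    out = list(block)
    for j in range(8):
        sel = 2 * b[36 + 2*j] + b[37 + 2*j]                      # B(k, j)
        plane = sum(((out[i] >> j) & 1) << i for i in range(16))
        plane ^= seed1 if sel >= 2 else seed2
        for i in range(16):
            out[i] = (out[i] & ~(1 << j)) | (((plane >> i) & 1) << j)
    return out

def rot_params(b: List[int], alpha: int, beta: int, base: int) -> List[int]:
    # alpha + beta*b(base+1+2i), or 8 minus that when the direction bit b(base+2i) is 1
    vals = [alpha + beta * b[base + 1 + 2*i] for i in range(8)]
    return [8 - v if b[base + 2*i] else v for i, v in enumerate(vals)]

def horizontal(half: List[int], r: List[int]) -> List[int]:
    """Step d): bit j of output row i is bit (j - r[i]) mod 8 of input row i."""
    return [((x << (ri % 8)) | (x >> (8 - ri % 8))) & 0xFF for x, ri in zip(half, r)]

def vertical(half: List[int], s: List[int]) -> List[int]:
    """Step e): row i of output bit-plane j is row (i - s[j]) mod 8 of the input."""
    out = [0] * 8
    for j in range(8):
        for i in range(8):
            out[i] |= ((half[(i - s[j]) % 8] >> j) & 1) << j
    return out

def encrypt_block(p16: List[int], b: List[int], key) -> List[int]:
    """Steps b)-e). Horizontal rotations use (alpha1, beta1); vertical ones use
    (alpha2, beta2), which Table 1 (s in {1,3,5,7} under alpha2=3, beta2=4) implies."""
    a1, b1, a2, b2 = key
    x = mask(byte_swap(p16, b), b)
    h = horizontal(x[:8], rot_params(b, a1, b1, 65)) + horizontal(x[8:], rot_params(b, a1, b1, 97))
    return vertical(h[:8], rot_params(b, a2, b2, 81)) + vertical(h[8:], rot_params(b, a2, b2, 113))

# Table 1 rows for the second block of "Peppers": f**, r, the block after Step d), s, f'.
T1_FSS = [163, 136, 90, 119, 142, 117, 117, 115, 106, 113, 181, 137, 83, 137, 167, 164]
T1_R1, T1_R2 = [1, 2, 2, 6, 6, 6, 7, 6], [1, 2, 6, 2, 2, 6, 1, 6]
T1_FT = [71, 34, 105, 221, 163, 93, 186, 220, 212, 197, 109, 38, 77, 98, 79, 41]
T1_S1, T1_S2 = [1, 3, 5, 3, 5, 3, 5, 3], [7, 3, 1, 3, 3, 1, 7, 7]
T1_FC = [92, 171, 220, 19, 119, 109, 137, 226, 227, 79, 12, 117, 100, 77, 35, 204]

def check_table1() -> bool:
    """Steps d) and e) above reproduce the Table 1 intermediate and final blocks."""
    h = horizontal(T1_FSS[:8], T1_R1) + horizontal(T1_FSS[8:], T1_R2)
    v = vertical(T1_FT[:8], T1_S1) + vertical(T1_FT[8:], T1_S2)
    return h == T1_FT and v == T1_FC

# Constructed secret material (not PRBG output) and the (alpha1, beta1, alpha2, beta2) of Fig. 1.
_rng = random.Random(2010)
CTRL_BITS = [_rng.randint(0, 1) for _ in range(129)]
KEY = (2, 5, 3, 4)

def delta_hw(block16: List[int]) -> int:
    """Delta|f'_{0+1}(k)|: Hamming weight of the first half-block minus the second."""
    return sum(bin(x).count("1") for x in block16[:8]) - sum(bin(x).count("1") for x in block16[8:])

DIFFS = (4, 5, 6, 8)   # |f_{0+1}(k,i)| - |f_{0+1}(k,i+8)| at the four probed positions
# Delta = sum of DIFFS[t]*(1 - 2*bit_t); the 16 sums are distinct ({+-23, +-15, ..., +-1}).
DELTA_TABLE = {sum(d * (1 - 2 * bit) for d, bit in zip(DIFFS, bits)): list(bits)
               for bits in product((0, 1), repeat=4)}

def recover_first_eight(oracle: Callable[[List[int]], List[int]]) -> List[int]:
    """Sec. 3.2.2: two chosen plaintext differentials give b(129k+4), ..., b(129k+11)."""
    zero = [0] * 16
    probe = [0x0F, 0x1F, 0x3F, 0xFF]                  # Hamming weights 4, 5, 6, 8
    bits: List[int] = []
    for offset in (0, 4):                              # probe bytes 0..3, then 4..7
        p1 = list(zero)
        p1[offset:offset + 4] = probe
        diff = [x ^ y for x, y in zip(oracle(zero), oracle(p1))]
        bits += DELTA_TABLE[delta_hw(diff)]
    return bits
```

`check_table1()` pins down the rotation conventions (RotateX as a left rotation of the byte by r, RotateY as a downward shift of each bit-plane by s) against the paper's worked block. `recover_first_eight` only sees the block-encryption oracle: it submits the zero block and the two probe blocks of this subsection and reads all eight controlling bits off the sign pattern of Δ, exactly as the derivation above predicts, since masking and the in-half swaps and rotations leave each half-block's Hamming weight untouched.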
3.2.3. Breaking the other part of MCS
For the $k$-th block, denote the intermediate result of the first eight byte-swapping operations by $f^{*(16)}(k)$. Knowing $b(129k+4) \sim b(129k+11)$ allows us to choose $f^{*(16)}_{0\oplus 1}(k)$ by manipulating $f^{(16)}_{0\oplus 1}(k)$. The other encryption operations to be further broken include the 9th to 35th byte-swapping operations, the value masking, and the horizontal/vertical bit rotations.
Different from the first 8 byte-swapping operations, the 9th to 35th ones in Step b) only shuffle the locations of the eight bytes inside each half-block. We found these byte-swapping operations cannot be uniquely determined, because some equivalent but different encryption operations exist. Roughly speaking, if we add an overall circular byte shift operation to Step b) and all the other steps afterwards, we will get an encryption scheme equivalent to but different from the real one. Therefore, in this sub-subsection we turn to finding such an equivalent encryption scheme. To facilitate our discussion, in the following, we use the acronym “EES” to denote the equivalent encryption scheme that has the same encryption performance as all the four kinds of encryption operations to be further broken. The EES is also composed of four parts, which correspond to the four different kinds of encryption operations, respectively. Once again, we use a divide-and-conquer tactic to get all the four parts of an EES.
Obtaining the vertical bit-rotation part of the EES. To get the vertical bit-rotation part, we need to cancel the horizontal bit-rotation part and the byte-swapping part. The horizontal bit rotations can be canceled by choosing all bytes in $f^{*(16)}_{0\oplus 1}(k)$ to be either 0 or 255, i.e., all the bits in $M_1$ and $M_2$ are identical (either 0 or 1). The byte-swapping operations cannot be fully canceled. To minimize their interference with the vertical bit-rotation part, we can choose each half-block such that there is only one 0 or one 255. Without loss of generality, we choose one plaintext differential such that both half-blocks of each 16-byte block $f^{*(16)}_{0\oplus 1}(k)$ contain only one 255-byte but seven 0-bytes, i.e.,
$$\big(f^{*(16)}_{0\oplus 1}(k,i)\big)_{i=0}^{7} = \big(f^{*(16)}_{0\oplus 1}(k,i)\big)_{i=8}^{15} = (\underbrace{0,\ldots,0}_{a\ \text{zeros}},255,0,\ldots,0).$$
After the byte-swapping operations, assume $f^{*(16)}_{0\oplus 1}(k,a)$ is moved to $f^{*(16)}_{0\oplus 1}(k,\tilde s_{1,k,a})$ and $f^{*(16)}_{0\oplus 1}(k,8+a)$ to $f^{*(16)}_{0\oplus 1}(k,8+\tilde s_{2,k,a})$, where $\tilde s_{1,k,a}, \tilde s_{2,k,a} \in \{0,\ldots,7\}$. Since the horizontal bit rotations are canceled, by comparing $(f^{*(16)}_{0\oplus 1}(k,i))_{i=0}^{7}$ and $(f'^{(16)}_{0\oplus 1}(k,i))_{i=0}^{7}$, we can observe that $\mathrm{RotateY}_{0,\,s_{1,k,j}\boxplus\tilde s_{1,k,a}}$ is performed for the $j$-th bit of $f^{*(16)}_{0\oplus 1}(k,0)$, where $\boxplus$ denotes addition modulo 8. Similarly, for the second half-block, we can observe that $\mathrm{RotateY}_{0,\,s_{2,k,j}\boxplus\tilde s_{2,k,a}}$ is performed for the $j$-th bit of $f^{*(16)}_{0\oplus 1}(k,8)$.
Obtaining the horizontal bit-rotation part of the EES. Now, we need to cancel the byte-swapping operations and the vertical bit rotations. The byte-swapping operations can be canceled by choosing a second plaintext differential such that all the bytes in each half-block are identical. To distinguish the horizontal bit shifts, we should choose the byte $x \in \{0,\ldots,255\}$ to satisfy the following property: $a_1 \not\equiv a_2 \pmod 8 \Leftrightarrow (x \ggg a_1) \ne (x \ggg a_2)$, or equivalently, $a_1 \equiv a_2 \pmod 8 \Leftrightarrow (x \ggg a_1) = (x \ggg a_2)$. The simplest choice of $x$ is $2^i$, where $i \in \{0,\ldots,7\}$. When $f^{(16)}(k,15) = temp$, either $f^{*(16)}_{0\oplus 1}(k,7)$ or $f^{*(16)}_{0\oplus 1}(k,15)$ will always be 0, so it will not be possible to obtain the horizontal bit-rotation part for this byte. Fortunately, this does not influence the decryption process, because the expanded byte is actually redundant and will be finally discarded. The vertical bit rotations cannot be canceled, since they are performed after the horizontal bit rotations. Since we have obtained the vertical bit-rotation part of the EES, we can apply it to $(f'^{(16)}_{0\oplus 1}(k,i))_{i=0}^{7}$ to get $(\tilde f^{(16)}_{0\oplus 1}(k,i\boxplus\tilde s_{1,k,a}))_{i=0}^{7}$, where $\boxplus$ denotes addition modulo 8. Then, comparing $(\tilde f^{(16)}_{0\oplus 1}(k,i))_{i=0}^{7}$ with $(f^{*(16)}_{0\oplus 1}(k,i\boxplus\tilde s_{1,k,a}))_{i=0}^{7}$, one can observe that $\mathrm{RotateX}_{0,\,\bar r_{1,k,(i\boxplus\tilde s_{1,k,a})}}$ is performed for $f^{*(16)}_{0\oplus 1}(k,i)$. Similarly, we can observe that $\mathrm{RotateX}_{0,\,\bar r_{2,k,(i\boxplus\tilde s_{2,k,a})}}$ is performed for $f^{*(16)}_{0\oplus 1}(k,8+i)$.
Obtaining the byte-swapping part of the EES. After obtaining the horizontal/vertical bit-rotation parts of the EES, we can apply the inverse horizontal/vertical bit rotations to $(f'^{(16)}_{0\oplus 1}(k,j))_{j=0}^{15}$ to get $(f^{*(16)}_{0\oplus 1}(k,\tilde s_{1,k,a}\boxplus i))_{i=0}^{7}$ and $(f^{*(16)}_{0\oplus 1}(k,8+(\tilde s_{2,k,a}\boxplus i)))_{i=0}^{7}$. If we choose $f^{*(16)}_{0\oplus 1}(k)$ such that all the eight bytes of each half-block are different from each other, we will be able to obtain the following byte-swapping part of the EES. For the first half-block, the real byte-swapping operation moves $f^{*(16)}_{0\oplus 1}(k,i)$ to $f^{*(16)}_{0\oplus 1}(k,\tilde s_{1,k,i})$, while the one we obtained for the EES will move it to $f^{*(16)}_{0\oplus 1}(k,\tilde s_{1,k,i}\mathbin{\dot{-}}\tilde s_{1,k,a})$, where $\dot{-}$ denotes subtraction modulo 8. Similarly, for the second half-block, the real byte-swapping operation moves $f^{*(16)}_{0\oplus 1}(k,8+i)$ to $f^{*(16)}_{0\oplus 1}(k,8+\tilde s_{2,k,i})$, while the one we obtained for the EES will move it to $f^{*(16)}_{0\oplus 1}(k,8+(\tilde s_{2,k,i}\mathbin{\dot{-}}\tilde s_{2,k,a}))$.
Obtaining the value-masking part of the EES. After obtaining the byte-swapping part of the EES, we can get $\{f^{*(16)}(k,i\boxplus\tilde s_{1,k,a})\}_{i=0}^{7}$ and $\{f^{*(16)}(k,8+(i\boxplus\tilde s_{1,k,a}))\}_{i=0}^{7}$ from any known plaintext. In addition, after obtaining both the horizontal and vertical bit-rotation parts, we can get $\{f^{**(16)}(k,i\boxplus\tilde s_{1,k,a})\}_{i=0}^{7}$ and $\{f^{**(16)}(k,8+(i\boxplus\tilde s_{1,k,a}))\}_{i=0}^{7}$ from any known ciphertext. We do not need to choose more plaintexts, but can simply reuse any chosen plaintext used in previous steps. Note that the value masking performed in Step c) can be rewritten as the equivalent form: for $i = 0,\ldots,15$,
$$f^{**(16)}(k,i) = f^{*(16)}(k,i) \oplus Seed^{*}(k,i), \qquad (5)$$
where $Seed^{*}(k,i) = \sum_{j=0}^{7} Seed(k,j)_i\cdot 2^j$ and $Seed(k,j)_i$ is the $i$-th bit of $Seed(k,j)$. Then, by XORing $\{f^{*(16)}(k,i\boxplus\tilde s_{1,k,a})\}_{i=0}^{7}$ and $\{f^{**(16)}(k,i\boxplus\tilde s_{1,k,a})\}_{i=0}^{7}$, we can get $(Seed^{*}(k,i\boxplus\tilde s_{1,k,a}))_{i=0}^{7}$. Similarly, by XORing $\{f^{*(16)}(k,8+(i\boxplus\tilde s_{2,k,a}))\}_{i=0}^{7}$ and $\{f^{**(16)}(k,8+(i\boxplus\tilde s_{2,k,a}))\}_{i=0}^{7}$, we can get $(Seed^{*}(k,8+(i\boxplus\tilde s_{2,k,a})))_{i=0}^{7}$.
Observing the above four results, we can see all the four parts of the EES are related to the unknown parameters $\tilde s_{1,k,a}$ and $\tilde s_{2,k,a}$. If we choose a different value of $a$ in Sec. 3.2.3, we may have a different EES. All the possible EESs are equivalent to each other (and to the real encryption scheme), so we can use any of them to decrypt any ciphertext encrypted with the same key, as long as the size of the ciphertext is not larger than $N$. In the next subsection, we will show the values of $\tilde s_{1,k,a}$ and $\tilde s_{2,k,a}$ can be uniquely determined if the sub-keys $\alpha_1$, $\alpha_2$, $\beta_1$ and $\beta_2$ satisfy some requirements.
3.2.4. Performance of the differential attack
To sum up, the differential attack outputs the following items as an equivalent key:
• for data expansion: $(l(k-1))_{1\le k\le N/15-1}$, which is equivalent to $(b(129(k-1)+i))_{1\le k\le N/15-1,\ 0\le i\le 3}$;
• for the first eight byte-swapping operations: $(b(129k+i))_{0\le k\le N/15-1,\ 4\le i\le 11}$;
• for the vertical bit rotations: $\big(\mathrm{RotateY}_{0,\,s_{1,k,j}\boxplus\tilde s_{1,k,a}}\big)_{0\le k\le N/15-1,\ 0\le j\le 7}$ and $\big(\mathrm{RotateY}_{0,\,s_{2,k,j}\boxplus\tilde s_{2,k,a}}\big)_{0\le k\le N/15-1,\ 0\le j\le 7}$;
• for the horizontal bit rotations: $\big(\mathrm{RotateX}_{0,\,\bar r_{1,k,(i\boxplus\tilde s_{1,k,a})}}\big)_{0\le k\le N/15-1,\ 0\le i\le 7}$ and $\big(\mathrm{RotateX}_{0,\,\bar r_{2,k,(i\boxplus\tilde s_{2,k,a})}}\big)_{0\le k\le N/15-1,\ 0\le i\le 7}$;
• for the 9th to 35th byte-swapping operations: $\big(f^{*(16)}_{0\oplus 1}(k,i) \to f^{*(16)}_{0\oplus 1}(k,\tilde s_{1,k,i}\mathbin{\dot{-}}\tilde s_{1,k,a})\big)_{0\le k\le N/15-1,\ 0\le i\le 7}$ and $\big(f^{*(16)}_{0\oplus 1}(k,8+i) \to f^{*(16)}_{0\oplus 1}(k,8+(\tilde s_{2,k,i}\mathbin{\dot{-}}\tilde s_{2,k,a}))\big)_{0\le k\le N/15-1,\ 0\le i\le 7}$;
• for the value masking: $(Seed^{*}(k,(i\boxplus\tilde s_{1,k,a})))_{0\le k\le N/15-1,\ 0\le i\le 7}$ and $(Seed^{*}(k,8+(i\boxplus\tilde s_{1,k,a})))_{0\le k\le N/15-1,\ 0\le i\le 7}$.
All the above items form an encryption system equivalent to MCS and can be used to decrypt any ciphertexts encrypted with the same secret key. The (equivalent) encryption operations performed on some expanded bytes $f^{(16)}(k,15)$ may not be recovered, but this does not influence the effectiveness of the differential attack, since those expanded bytes will finally be discarded.
The total number of chosen plaintexts is the sum of the following: a) two differentials for breaking the data expansion; b) two differentials for breaking the first eight byte-swapping operations; c) four differentials for obtaining the EES. Note that the plaintext differential needed in Sec. 3.2.3 can be replaced by the two differentials in Sec. 3.2.1. So, we only need two more differentials for obtaining the EES. As a whole, the differential attack requires 2+2+2 = 6 plaintext differentials, or seven plaintexts, to break MCS.
The complexity of the differential attack is also very small. In each step, the equivalent sub-key can be directly derived from the plaintext and the ciphertext, so the complexity is proportional to the size of the plaintext, $N$. With 6 chosen plaintext differentials, the computational complexity of the attack is just $O(6N) = O(N)$, which is the same as that of the normal encryption/decryption process of MCS.
3.3. Breaking some sub-keys and more controlling bits
The differential attack described in the previous subsection outputs an equivalent key, which includes some controlling bits $(b(129k+i))_{i=0}^{11}$, but does not include any part of the secret key. In this subsection, we show that we may further derive more controlling bits and the following four sub-keys: $\alpha_1$, $\beta_1$, $\alpha_2$ and $\beta_2$. Although we have not found a way to break the underlying pseudorandom bit generator (PRBG) and then break the sub-key $x(0)$, breaking more controlling bits makes it easier to analyze more potential weaknesses of the PRBG and opens the door to a successful cryptanalysis in future.
We first try to break the two sets $R_1 = \{\alpha_1,\ 8-\alpha_1,\ \alpha_1+\beta_1,\ 8-(\alpha_1+\beta_1)\}$ and $R_2 = \{\alpha_2,\ 8-\alpha_2,\ \alpha_2+\beta_2,\ 8-(\alpha_2+\beta_2)\}$. Then, we may be able to further determine the sub-keys $\alpha_1, \beta_1, \alpha_2, \beta_2$, $\hat{s}_{1,k,a}$, $\hat{s}_{2,k,a}$, and more controlling bits.
3.3.1. Breaking $R_1$ and $R_2$
In the differential attack, what we have obtained for the horizontal bit rotations are $\big(\mathrm{RotateX}_{0,\, r_{1,k,(i \mathbin{?} \tilde{s}_{1,k,a})}}\big)_{0 \le k \le N/15-1,\ 0 \le j \le 7}$ and $\big(\mathrm{RotateX}_{0,\, \bar{r}_{2,k,(i \mathbin{?} \tilde{s}_{2,k,a})}}\big)_{0 \le k \le N/15-1,\ 0 \le j \le 7}$. According to how $r_{1,k,i}$ and $r_{2,k,i}$ are determined, it is obvious that $R_{1,k} = \{r_{1,k,(i \mathbin{?} \tilde{s}_{1,k,a})}\}_{i=0}^{7} \subseteq R_1$ and $R_{2,k} = \{r_{2,k,(i \mathbin{?} \tilde{s}_{2,k,a})}\}_{i=0}^{7} \subseteq R_2$.
Assuming the secret bits controlling $(r_{1,k,i})_{i=0}^{7}$ and $(r_{2,k,i})_{i=0}^{7}$ distribute uniformly over $\{0,1\}$, set $p = 1/2$ and $n = 8 \cdot N/15$ in Proposition 1, we can get
$$\mathrm{Prob}\Big(R_1 \neq \bigcup_{\substack{0 \le k \le N/15-1 \\ 0 \le i \le 7}} \big\{r_{1,k,(i \mathbin{?} \tilde{s}_{1,k,a})},\ 8 - r_{1,k,(i \mathbin{?} \tilde{s}_{1,k,a})}\big\}\Big) = \Big(\frac{1}{2}\Big)^{8 \cdot N/15} + \Big(1 - \frac{1}{2}\Big)^{8 \cdot N/15} = 1/2^{8N/15-1}$$
and
$$\mathrm{Prob}\Big(R_2 \neq \bigcup_{\substack{0 \le k \le N/15-1 \\ 0 \le i \le 7}} \big\{r_{2,k,(i \mathbin{?} \tilde{s}_{2,k,a})},\ 8 - r_{2,k,(i \mathbin{?} \tilde{s}_{2,k,a})}\big\}\Big) = 1/2^{8N/15-1}.$$
Since $8N/15-1$ is generally very large, the above two probabilities are extremely small, which means that $R_1$ and $R_2$ can be uniquely determined with very high probability.
Proposition 1. Assume $1 \le \beta \le 7$, $1 \le \alpha < \alpha+\beta \le 7$ and $R = \{\alpha,\ 8-\alpha,\ \alpha+\beta,\ 8-(\alpha+\beta)\}$. If for $i = 1, \ldots, n$, random variable $r_i \in \mathbb{Z}$ satisfies $\mathrm{Prob}(r_i \in \{\alpha, 8-\alpha\}) = p$, then
$$\mathrm{Prob}\Big(R \neq \bigcup_{i=1}^{n} \{r_i,\ 8-r_i\}\Big) = \begin{cases} 0, & 2\alpha+\beta = 8, \\ 1, & 2\alpha+\beta \neq 8 \text{ and } n = 1, \\ p^n + (1-p)^n, & 2\alpha+\beta \neq 8 \text{ and } n \ge 2. \end{cases}$$
Proof: When $2\alpha+\beta = 8$, we can get $\alpha = 8-(\alpha+\beta)$ and $8-\alpha = \alpha+\beta$, which leads to $R = \{\alpha, 8-\alpha\} = \{\alpha+\beta, 8-(\alpha+\beta)\}$. Hence, we can immediately get $\{r_i, 8-r_i\} = R$ and then $\bigcup_{i=1}^{n}\{r_i, 8-r_i\} = R$. This means that $\mathrm{Prob}(R \neq \bigcup_{i=1}^{n}\{r_i, 8-r_i\}) = 0$.
When $2\alpha+\beta \neq 8$, we have $\alpha \neq 8-(\alpha+\beta)$ and $8-\alpha \neq \alpha+\beta$. Since $\alpha \neq \alpha+\beta$ and $8-\alpha \neq 8-(\alpha+\beta)$, there are only the following $\binom{4}{2} - 4 = 2$ pairs of elements that may be equal to each other to make $\#(R) < 4$, where $\#(\cdot)$ denotes the cardinality of a set:
• $\alpha = 8-\alpha$: $\alpha = 4 \Rightarrow 1 \le \beta \le 3$ and $R = \{4,\ 4,\ 4+\beta,\ 4-\beta\} \Rightarrow \#(R) = 3$;
• $\alpha+\beta = 8-(\alpha+\beta)$: $\alpha+\beta = 4 \Rightarrow 1 \le \alpha \le 3$ and $R = \{\alpha,\ 8-\alpha,\ 4,\ 4\} \Rightarrow \#(R) = 3$.
In case no two elements in $R$ are equal to each other, it is obvious that $\#(R) = 4$. As a whole, we have $\#(R) \ge 3$. Then, when $n = 1$, the proposition is obviously true since $\#(\{r_i, 8-r_i\}) < 3 \le \#(R)$. When $n \ge 2$, we can see there are only two ways to make $R \neq \bigcup_{i=1}^{n}\{r_i, 8-r_i\}$:
• $\bigcup_{i=1}^{n}\{r_i, 8-r_i\} = \{\alpha, 8-\alpha\}$, which occurs with probability $p^n$;
• $\bigcup_{i=1}^{n}\{r_i, 8-r_i\} = \{\alpha+\beta, 8-(\alpha+\beta)\}$, which occurs with probability $(1-p)^n$.
As a whole, we have $\mathrm{Prob}(R \neq \bigcup_{i=1}^{n}\{r_i, 8-r_i\}) = p^n + (1-p)^n$. Combining the above three different cases, the proposition is thus proved.
3.3.2. Determining sub-keys $\alpha_1$, $\beta_1$, $\alpha_2$ and $\beta_2$
After getting $R_1$ and $R_2$, the four sub-keys $\alpha_1$, $\beta_1$, $\alpha_2$ and $\beta_2$ may be uniquely determined. Following a process similar to the proof of Proposition 1, we consider the following three cases for $m = 1, 2$:
• $\#(R_m) = 2$: This case happens only when $2\alpha_m + \beta_m = 8$. There are three possible sets $R_m = \{1,7\}, \{2,6\}, \{3,5\}$, which correspond to $(\alpha_m, \beta_m) = (1,6), (2,4), (3,2)$, respectively. Apparently, knowing $R_m$ allows us to uniquely determine the values of $\alpha_m$ and $\beta_m$.
• $\#(R_m) = 3$: This case happens when $\alpha_m = 8-\alpha_m = 4$ or $\alpha_m+\beta_m = 8-(\alpha_m+\beta_m) = 4$. There are only three possible sets $R_m$, each of which corresponds to two possible values of $(\alpha_m, \beta_m)$:
– $R_m = \{4,1,7\}$: $(\alpha_m, \beta_m) = (4,3)$ or $(1,3)$;
– $R_m = \{4,2,6\}$: $(\alpha_m, \beta_m) = (4,2)$ or $(2,2)$;
– $R_m = \{4,3,5\}$: $(\alpha_m, \beta_m) = (4,1)$ or $(3,1)$.
It can be seen that $\alpha_m$ and $\beta_m$ cannot be uniquely determined in this case.
• $\#(R_m) = 4$: This case includes three possible sets $R_m$, each of which corresponds to four different values of $(\alpha_m, \beta_m)$:
– $R_m = \{1,2,6,7\}$: $(\alpha_m, \beta_m) = (1,1), (1,5), (2,5)$ or $(6,1)$;
– $R_m = \{1,3,5,7\}$: $(\alpha_m, \beta_m) = (1,2), (1,4), (3,4)$ or $(5,2)$;
– $R_m = \{2,3,5,6\}$: $(\alpha_m, \beta_m) = (2,1), (2,3), (3,3)$ or $(5,1)$.
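The case analysis above can be checked by brute force: enumerate every admissible $(\alpha_m, \beta_m)$ pair from Proposition 1 and group the pairs by the set $R_m$ they induce. The Python script below is an added example, not code from the paper; from the same enumeration it also evaluates the probability, quoted in Sec. 3.3.3 below, that $\hat{s}_{m,k,a}$ cannot be uniquely determined (the $1/2^7$ term and the per-case ambiguity of $R_m = \{2,6\}$ and $R_m = \{1,3,5,7\}$ are taken from that subsection as inputs, not derived here).

```python
"""Brute-force check of the case analysis in Sec. 3.3.2.

Added example (not code from the paper): it enumerates all admissible
(alpha, beta) sub-key pairs from Proposition 1, groups them by the set
R = {alpha, 8-alpha, alpha+beta, 8-(alpha+beta)} they induce, and from the
same enumeration evaluates the probability, quoted in Sec. 3.3.3, that
s_hat(m,k,a) cannot be uniquely determined.
"""
from collections import defaultdict
from fractions import Fraction


def candidate_pairs():
    """All (alpha, beta) with 1 <= beta and 1 <= alpha < alpha + beta <= 7."""
    return [(alpha, beta)
            for alpha in range(1, 8)
            for beta in range(1, 8)
            if alpha + beta <= 7]


def rotation_set(alpha, beta):
    """R = {alpha, 8-alpha, alpha+beta, 8-(alpha+beta)}; duplicates collapse, so #(R) <= 4."""
    return frozenset({alpha, 8 - alpha, alpha + beta, 8 - (alpha + beta)})


def group_by_set():
    """Map each distinct R to the (alpha, beta) pairs producing it, in enumeration order.

    A pair is recoverable from R exactly when its group has a single entry;
    the three #(R) = 2 sets of the paper are the only such groups.
    """
    groups = defaultdict(list)
    for alpha, beta in candidate_pairs():
        groups[rotation_set(alpha, beta)].append((alpha, beta))
    return dict(groups)


def cases_by_cardinality():
    """Number of distinct R sets with #(R) = 2, 3 and 4 respectively."""
    sizes = [len(r) for r in group_by_set()]
    return {size: sizes.count(size) for size in (2, 3, 4)}


# Fraction of the eight possible s_hat values that stay ambiguous once S_{m,k} = S_m,
# per the four cases listed in Sec. 3.3.3 (input taken from the paper, not derived here):
# R = {2,6} leaves 0 and 4 indistinguishable (2 of 8 values); R = {1,3,5,7} leaves
# only the parity of s_hat; every other R determines s_hat uniquely.
AMBIGUOUS_FRACTION = {
    frozenset({2, 6}): Fraction(2, 8),
    frozenset({1, 3, 5, 7}): Fraction(1),
}

# Probability that S_{m,k} is a proper subset of S_m (Proposition 1 with p = 1/2, n = 8).
P_PROPER_SUBSET = Fraction(2, 2 ** 8)


def ambiguity_probability(ambiguous=AMBIGUOUS_FRACTION):
    """Probability that s_hat(m,k,a) is not uniquely determined, (alpha, beta) uniform over the pairs."""
    pairs = candidate_pairs()
    conditional = sum(
        Fraction(len(group), len(pairs)) * ambiguous.get(r, Fraction(0))
        for r, group in group_by_set().items()
    )
    return P_PROPER_SUBSET + (1 - P_PROPER_SUBSET) * conditional


def ambiguity_lower_bound():
    """Bound reached when extra choices of a resolve the {2,6} case but never the {1,3,5,7} case."""
    return ambiguity_probability({frozenset({1, 3, 5, 7}): Fraction(1)})


if __name__ == "__main__":
    for r, group in sorted(group_by_set().items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(f"R = {sorted(r)}  #(R) = {len(r)}  (alpha, beta) in {group}")
    print(f"P[s_hat ambiguous] = {float(ambiguity_probability()):.4f}")
    print(f"lower bound        = {float(ambiguity_lower_bound()):.4f}")
```

The enumeration yields 21 pairs and nine distinct sets, three of each cardinality, matching the lists above; the two probabilities evaluate to $\approx 0.2086$ and $\approx 0.1968$, the values Sec. 3.3.3 quotes.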
3.3.3. Determining $\hat{s}_{1,k,a}$ and $\hat{s}_{2,k,a}$
In the differential attack, what we have obtained for the vertical bit rotations are $\big(\mathrm{RotateY}_{0,\, s_{1,k,j} + \tilde{s}_{1,k,a}}\big)_{0 \le k \le N/15-1,\ 0 \le j \le 7}$ and $\big(\mathrm{RotateY}_{0,\, s_{2,k,j} + \tilde{s}_{2,k,a}}\big)_{0 \le k \le N/15-1,\ 0 \le j \le 7}$. According to how $s_{1,k,j}$ and $s_{2,k,j}$ are determined in the encryption process, we can get $S_{1,k} = \{s_{1,k,j} \mathbin{?} \hat{s}_{1,k,a}\}_{j=0}^{7} \subseteq S_1 = \{\alpha_1 \mathbin{?} \hat{s}_{1,k,a},\ 8-\alpha_1 \mathbin{?} \hat{s}_{1,k,a},\ \alpha_1+\beta_1 \mathbin{?} \hat{s}_{1,k,a},\ 8-(\alpha_1+\beta_1) \mathbin{?} \hat{s}_{1,k,a}\}$ and $S_{2,k} = \{s_{2,k,j} \mathbin{?} \hat{s}_{2,k,a}\}_{j=0}^{7} \subseteq S_2 = \{\alpha_2 \mathbin{?} \hat{s}_{2,k,a},\ 8-\alpha_2 \mathbin{?} \hat{s}_{2,k,a},\ \alpha_2+\beta_2 \mathbin{?} \hat{s}_{2,k,a},\ 8-(\alpha_2+\beta_2) \mathbin{?} \hat{s}_{2,k,a}\}$. Comparing $S_1$, $S_2$ with $R_1$, $R_2$, we may be able to determine the values of $\hat{s}_{1,k,a}$ and $\hat{s}_{2,k,a}$. There are four different cases:
• $S_{m,k} \subset S_m$: If $S_{m,k}$ does not contain all elements in $S_m$, it is generally impossible to uniquely determine $\hat{s}_{m,k,a}$. From Proposition 1, the occurrence probability of this case is $2/2^8 = 1/2^7$.
• $S_{m,k} = S_m$ and $R_m = \{1,7\}, \{3,5\}, \{4,1,7\}, \{4,2,6\}, \{4,3,5\}, \{1,2,6,7\}$ or $\{2,3,5,6\}$: The value of $\hat{s}_{m,k,a}$ can always be uniquely determined.
• $S_{m,k} = S_m$ and $R_m = \{2,6\}$: When $\hat{s}_{m,k,a} \in \{1,2,3,5,6,7\}$, its value can be uniquely determined. When $\hat{s}_{m,k,a} = 0$ or $4$, it is impossible to distinguish one value from the other.
• $S_{m,k} = S_m$ and $R_m = \{1,3,5,7\}$: The value of $\hat{s}_{m,k,a}$ can never be uniquely determined. One can only determine which of the following two sets $\hat{s}_{m,k,a}$ belongs to: $\{0,2,4,6\}$ and $\{1,3,5,7\}$.
Assuming the value of $\hat{s}_{m,k,a}$ distributes uniformly over $\{0, \ldots, 7\}$, the probability that each $\hat{s}_{m,k,a}$ cannot be uniquely determined is $1/2^7 + (1-1/2^7)\big((1/21)(2/8) + 4/21\big) \approx 0.2086$. We may choose more different values of $a$ in Sec. 3.2.3 to decrease this probability, but the probability has a lower bound $1/2^7 + (1-1/2^7)(4/21) \approx 0.1968$. We can see this probability is always not sufficiently small, so we will not be able to uniquely determine the value of $\hat{s}_{1,k,a}$ or that of $\hat{s}_{2,k,a}$ for quite a lot of blocks.
3.3.4. Determining the secret bits controlling the 9th to 35th byte-swapping operations
In case $\hat{s}_{1,k,a}$ and $\hat{s}_{2,k,a}$ can be uniquely determined, we will be able to uniquely recover the 9th to 35th byte-swapping operations, i.e., we can determine the values of $(\hat{s}_{1,k,i})_{i=0}^{7}$ and $(\hat{s}_{2,k,i})_{i=0}^{7}$. Note that $(\hat{s}_{1,k,i})_{i=0}^{7}$ and $(\hat{s}_{2,k,i})_{i=0}^{7}$ actually define two permutation maps over $\{0, \ldots, 7\}$. Observing the 9th to 35th byte-swapping operations in Step b), one can notice that the permutation maps have a strong pattern: 12 byte-swapping operations for the first half-block and the other 12 for the second half-block, and each group of 12 byte-swapping operations can be divided into three phases. For the 12 byte-swapping operations performed on the first half-block, the three phases are as follows:
• Phase 1: $(i,j,a) = (0,4,12), (1,5,13), (2,6,14), (3,5,15)$;
• Phase 2: $(i,j,a) = (0,2,20), (1,3,21), (4,6,22), (5,7,23)$;
• Phase 3: $(i,j,a) = (0,1,28), (2,3,29), (4,5,30), (6,7,31)$.
Apparently, Phase 1 swaps the bytes between the two 4-byte quarter-blocks of the first 8-byte half-block, and Phases 2 and 3 only permute the bytes within each 4-byte quarter-block. Then, for $i = 0,1,2,3$, we can check which quarter-block $f^{*(16)}(k,i)$ belongs to after the byte-swapping operations. In other words, we check if $\hat{s}_{1,k,i} \in \{0,1,2,3\}$ or $\{4,5,6,7\}$, which corresponds to $b(129k+12+i) = 0$ and $1$, respectively. This allows us to completely determine $(b(129k+12+i))_{i=0}^{3}$, i.e., to break Phase 1. Then, we can derive a new permutation map represented by $(\hat{s}^*_{1,k,i})_{i=0}^{7}$, which consists of only Phases 2 and 3. Then, according to the byte-swapping operations involved in Phases 2 and 3, we can derive the following rule to break the 4 controlling bits involved in Phase 2:
• when $i = 0, 1$: $b(129k+20+i) = \begin{cases} 0, & \hat{s}^*_{1,k,i} \in \{0,1\}, \\ 1, & \hat{s}^*_{1,k,i} \in \{2,3\}; \end{cases}$
• when $i = 2, 3$: $b(129k+20+i) = \begin{cases} 0, & \hat{s}^*_{1,k,i} \in \{4,5\}, \\ 1, & \hat{s}^*_{1,k,i} \in \{6,7\}. \end{cases}$
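The recovery procedure of this subsection, as an added Python example rather than the paper's own code: it simulates the 12 byte swaps of the first half-block for a chosen set of controlling bits and then peels the phases off the resulting permutation in the order the text describes. What the page does not fix, the example assumes: a triple $(i,j,a)$ exchanges the contents of positions $i$ and $j$ iff $b(129k+a) = 1$, the swaps are applied in the listed order, $\hat{s}_{1,k,i}$ is the final position of the byte that started at position $i$, and Phase 1 pairs byte $i$ with byte $i+4$ (so its third triple is taken as $(3,7,15)$, which is what the quarter-block description requires). The Phase 2 rule is applied to the position each swap reads, and the example extends the same idea to Phase 3, which this page does not reach.

```python
"""Recovering the Phase 1 and Phase 2 controlling bits from the byte-swapping
permutation of the first 8-byte half-block (Sec. 3.3.4).

Added example, not the paper's code. Assumptions not stated on the page:
a triple (i, j, a) exchanges the contents of positions i and j iff
b(129k + a) = 1, the swaps are applied in the listed order, and s_hat[i] is the
final position of the byte that started at position i. Phase 1 is taken as
pairing byte i with byte i + 4, i.e. its third triple is (3, 7, 15), which is
what the quarter-block description in the text requires. The Phase 3 rule is
the example's own generalization of the Phase 2 rule.
"""
import itertools

PHASE1 = [(0, 4, 12), (1, 5, 13), (2, 6, 14), (3, 7, 15)]
PHASE2 = [(0, 2, 20), (1, 3, 21), (4, 6, 22), (5, 7, 23)]
PHASE3 = [(0, 1, 28), (2, 3, 29), (4, 5, 30), (6, 7, 31)]
ALL_BITS = [a for _, _, a in PHASE1 + PHASE2 + PHASE3]


def apply_swaps(positions, swaps, bits):
    """positions[i] is where byte i currently sits; apply each enabled swap in order."""
    pos = list(positions)
    for i, j, a in swaps:
        if bits.get(a, 0):
            # exchanging the contents of positions i and j moves whatever is at i to j and back
            pos = [j if p == i else i if p == j else p for p in pos]
    return pos


def permutation_from_bits(bits):
    """s_hat for the first half-block: the permutation induced by all 12 swaps."""
    return apply_swaps(range(8), PHASE1 + PHASE2 + PHASE3, bits)


def strip_phase(s_map, swaps, bits):
    """Compose a now-known phase out of the map.

    s_map[q] is the final position of the content at position q before the phase;
    the result maps the positions reached after the phase to the same final positions,
    i.e. the permutation that the remaining phases alone induce (the paper's s_hat^*).
    """
    moved = apply_swaps(range(8), swaps, bits)
    out = [None] * 8
    for q in range(8):
        out[moved[q]] = s_map[q]
    return out


def recover_phase1_bits(s_hat):
    """b(129k+12+i) = 1 iff byte i (i = 0..3) ended in the upper quarter {4,..,7} (Sec. 3.3.4)."""
    return {12 + i: int(s_hat[i] >= 4) for i in range(4)}


def recover_phase2_bits(s_star):
    """Phase 3 never moves a byte out of its pair {j, j^1}, so the content sitting at the
    lower position i of a Phase 2 swap (i, j, a) left its pair iff the swap was enabled."""
    return {a: int(s_star[i] in (j, j ^ 1)) for i, j, a in PHASE2}


def recover_phase3_bits(s_star2):
    """With Phases 1 and 2 stripped, each byte either stays or swaps with its pair partner."""
    return {a: int(s_star2[i] == j) for i, j, a in PHASE3}


def recover_bits(s_hat):
    """Peel the three phases off s_hat in order and return all 12 controlling bits."""
    b1 = recover_phase1_bits(s_hat)
    s_star = strip_phase(s_hat, PHASE1, b1)
    b2 = recover_phase2_bits(s_star)
    s_star2 = strip_phase(s_star, PHASE2, b2)
    b3 = recover_phase3_bits(s_star2)
    return {**b1, **b2, **b3}


def recovery_is_exact():
    """True iff every one of the 2^12 bit patterns is recovered from the permutation it induces."""
    for values in itertools.product((0, 1), repeat=len(ALL_BITS)):
        bits = dict(zip(ALL_BITS, values))
        if recover_bits(permutation_from_bits(bits)) != bits:
            return False
    return True


if __name__ == "__main__":
    sample = dict.fromkeys(ALL_BITS, 0)
    sample.update({12: 1, 20: 1, 28: 1})        # constructed sample key bits
    s_hat = permutation_from_bits(sample)
    print("s_hat     =", s_hat)
    print("recovered =", recover_bits(s_hat))
    print("all 4096 patterns recovered:", recovery_is_exact())
```

Running the file prints the permutation induced by a constructed bit pattern and the bits recovered from it; `recovery_is_exact()` checks all $2^{12}$ patterns, so under these assumptions the phase-by-phase rules are exact rather than merely likely, which is why the text can speak of uniquely recovering the controlling bits once $\hat{s}_{1,k,a}$ is known.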