Improved RC6 Block Cipher Based on Data Dependent Rotations

This paper introduces an Improved RC6 (IRC6) cipher for data encryption based on data-dependent rotations. The proposed scheme is designed with the potential of meeting the needs of the Advanced Encryption Standard (AES). Four parameters are used to characterize the proposed scheme. These parameters are the size of the word (w) in bits, the number of rounds (r), the length of the secret key (b) in bytes, and the size of the block (L) in bits. The main feature of IRC6 is the variable number of working registers instead of just four registers as in RC6, resulting in a variable block size for plaintext and ciphertext. The IRC6 cipher is designed to improve the robustness against attacks by increasing the diffusion for each round and providing greater security with fewer rounds. The effectiveness of the proposed IRC6 scheme is verified against theoretical attacks. The proposed IRC6 scheme depends on full diffusion and confusion mechanisms regardless of the utilized block size. The proposed IRC6 scheme saves 70% of the encryption time and 64%of the decryption time of RC6. The simulation results prove that the IRC6 achieves a better encryption/decryption time compared to the traditionalRC6. Therefore, the proposed IRC6 is anticipated to fulfill the market needs and system security requirements.

communication system. Later, authorized parties may reverse the process to reconstruct and reveal the original data [1]. Fig. 1 depicts a data security model [2]. The source message is described as a plaintext (X ) and transformed into a ciphertext (Y ) through the encryption process [3]. This encryption process is applied by performing an algorithm with a secret key K. The encryption produces different outputs based on the secret key. For decryption, the ciphertext can be converted to the plaintext again via performing the decryption algorithm using the same key employed for encryption. The cryptanalysis process tries to discover the plaintext or/and key by creating a plaintext value (Xe) or/and the secret key value (Ke) [1][2][3]. Some of the almost widely used traditional ciphers involve RC5 [4][5][6][7] and RC6 [8][9][10][11][12]. The RC5 employs the ideas of data-dependent rotation, word size variation, variation of the number of rounds, and secret key length variation. RC6 may be considered as an extension of RC5, where it uses four running registers instead of two running registers, in addition to integer multiplication [9][10][11][12]. With multiplication, the diffusion spread per round can be significantly increased, increasing security, reducing rounds, and increasing throughput. Since declaration of the proposals of RC5 and RC6, many studies have improved the understanding of how structures and operations contribute to security [4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]. Such investigations offered a theoretical attack depending on the fact that RC5 rotations do not rely on each bit in the register.
The proposal introduces a data encryption algorithm based on data-dependent rotations (IRC6). Unlike RC6, the proposed IRC6 relies on four variables. w denotes the word size in bits, r is the number of non-negative rounds, b is the length of the secret key in bytes, and L is the block size. The number of working registers m can be found by dividing L by w. The employment of integer multiplication extremely enhances the diffusion spread accomplished per round and can provide enhanced security. The IRC6 consists of two major components, the cipher algorithm and the confusion/diffusion network, which depends on the XOR operation between permuted bytes, called ''Permuted XORed Bytes" (PXB). Fig. 2 shows the general description of the proposed encryption/decryption process of IRC6.
These proposed modifications offer the advantages of enhancing the number of rotations for each round and utilizing further data bits to evaluate the number of rotations for each round. Therefore, integer multiplication can be considered as an effective diffusion primitive and can be utilized to calculate the number of rotations in the proposed IRC6. Consequently, the proposed IRC6 shows an increase in the diffusion spread compared with all other block ciphers. In addition, the IRC6 can run with less rounds with an efficient increase in security and throughput. The work presented in this paper offers several significant contributions to the security field as follows: (a) A detailed survey of the RC6 encryption algorithm is presented. It is noticed that RC6 cannot provide full confusion and diffusion properties to the encrypted data. (b) A proposed cipher (IRC6), which is an advanced version of RC6, is introduced. This cipher has a variable block length, which makes it more flexible. (c) The proposed algorithm achieves full diffusion and confusion, and it is divided into two parts. The first one is the PXB network, which mixes the bytes of the data. If there are any small changes in the plaintext, they result in changes in all bytes of the ciphertext, and these changes are magnified in the cipher, resulting in full diffusion and confusion properties regardless of the block size. (d) The proposed cipher has good flexibility and effectiveness. This appears in the variable block size and the high throughput. (e) A good comparative analysis is introduced. This is achieved by performing a comparison of the proposed algorithm with RC6 for theoretical attacks.
The rest of the paper is organized as follows. Section 2 provides the RC6 literature overview. Section 3 presents the functional and design parameters of the proposed IRC6. Section 4 explores the architecture of the proposed IRC6. The implementation issues are given in Section 5. Section 6 introduces theoretical attacks on the proposed IRC6 cipher. A comparative analysis of the proposed IRC6 and the state-of-the-art RC6 is introduced in Section 7. The conclusion is given in Section 8.

The RC6
The RC6 is characterized as an encryption algorithm that belongs to the fully-parameterized family [4][5][6][7][9][10][11][12]. RC6 is a version of block ciphers specified as RC6-ww/rr/bb, where ww denotes the word size in bits, rr denotes the number of rounds, and bb denotes the length in bytes of the key. These parameters are shown in Tab. 1. In all variants, RC6-ww/rr/bb works in units of four wbit words input/output (plaintext/ciphertext), It may be considered as a word-oriented algorithm. The RC6 has three processes: the key schedule algorithm, encryption, and decryption algorithms. Secret key length in bytes 1, 2, 3,. . ., 255

Key Schedule Routine
The key schedule routine extends the secret key K to fill the extended key array SS. So, SS is similar to a random binary array of words tt = 2rr + 4 specified by KK. The key schedule routine utilizes two magic constants [4][5][6][7] and has three algorithmic parts: converting, initializing, and mixing, respectively. • • Initializing: The array SS is initialized with a specific fixed pseudo-random bit pattern based on modulo 2 w using the two magic constants P w and Q w .
• Mixing: This stage starts by mixing the user's secret key into SS and LL arrays. More accurately, because SS and LL can have unequal sizes, the larger array is processed for one time, and the other is processed three times. end.

RC6 Encryption/Decryption Processes
The RC6 encryption is explored and detailed as follows. It is assumed that the input block is provided to the four ww-bit registers AA, BB, CC and DD, and the output is stored in AA, BB, CC, and DD registers. [1] for ii := 1 to rr do begin kk = (BB*(2BB + 1) <<< log 2 (ww),

Features and Design Parameters of IRC6
The IRC6 consists of two parts, the cipher algorithm and the Permuted-XORed Bytes Network (PXB).

Cipher Algorithm
Similar to RC5 and RC6 ciphers, the IRC6 is a family of fully-parameterized cryptographic algorithms. The proposed IRC6 is more precisely designated as IRC6-w/r/b/L; in which w denotes the word size in bits, r denotes the number of rounds, L denotes the encryption key length in bytes and b is the block size. IRC6-w/r/b/L works in m units of w-bit words, where m is the number of working registers. The IRC6 works with m-word input/output (plaintext/ciphertext). So it may be considered as a word-oriented algorithm. As seen, we have input with w-bit words and output with all computational operations. So, the IRC6 first design parameter is w. The normal selection for w is 32 bits, and IRC6 operates on 32 * m bits of plaintext and ciphertext block size (L). For simplicity, only values of 16, 32 and 64 are suggested [9][10][11][12].
The second IRC6 design parameter is the number of rounds r. An extended key table S is derived from the secret key provided by the user. Table S with size t depends on the number of rounds r with t = m 2 (r + 2) words. If m 2 (r + 2) is too large (i.e., >352), which represents four times the size of S in RC6, the size t of the table S will be too large, consuming processing time and memory. So, a constant size t of 352 will be adopted. The keys will be reused in the encryption/decryption process. There are different versions of the algorithm based on selecting the values of the parameters w and r.
The IRC6 third design parameter is the secret key length determined by b and K parameters. The parameter b denotes the secret key number of bytes for Block size is the fourth design parameter of IRC6. The variable block size comes from using a variable number of registers in the encryption/decryption process, unlike RC6, resulting in more flexibility. The test results show that with the increase in the number of working registers, the security and throughput are improved, and the dependency between the data increases.

Primitive Operations of IRC6-w/r/b/L
The proposed IRC6-w/r/b/L block cipher uses the following primitive operations as shown in Tab. 2. log 2 (x) represents the x base-two logarithm.

The Permuted-XORed Bytes Network
The Permuted-XORed Bytes (PXB) is the network of substitution-transposition that is responsible for providing the confusion/diffusion mechanism of the IRC6. The proposed PXB is utilized to increase the confusion/diffusion characteristics of IRC6 by mixing bytes of data. First, the XOR chain operations are performed between the plaintext bytes. K 1 is the sub-key that acts as the first XORing initial key and results in a XORing with the next block until reaching the end of the plaintext. Then, all blocks resulting from this XOR series are transposed bit by bit, as illustrated in Fig. 1. After that, a block-based transposition is employed. Finally, another XOR chain is employed starting from the sub-key K 2 . The advantage of the PXB is that one round is fair enough to make a complete confusion/diffusion of the plaintext and it does not consume too much time.

Architecture and Implementation of IRC6
The IRC6 algorithm, likes RC6, has three processes: the key expansion process, the encryption processes, and the decryption processes. These processes are shown in the following subsections.

IRC6 Encryption/Decryption
In the encryption process, the plaintext is firstly processed by PXB, and then it is delivered to the IRC6 cipher. The IRC6 has m w-bit registers W i with i = 1, 2, 3,. . ., m. The registers include the initial input of the plaintext and output ciphertext of the encryption. The initial byte of either plaintext or ciphertext is put in W 1 , and the final byte is put in W m . A parallel assignment is performed and this can be expressed as (W l , W 2 , W 3 ,. . ., W m-1 , W m ) = (W 2 , W 3 , W 4 , W m-1 , W m , W 1 ).

Key Expansion Algorithm for IRC6
The main schedule of IRC6 is substantially the same as the main key schedule of RC5 and RC6, using the magic constants P w , Q w . The difference in IRC6 is the number of w-bit words generated for the addition round key t = m 2 (r+ 2) and stocked in the S[0,. . ., t − 1] array.
If the block size is large, i.e., ( m 2 (r + 2) > 352), the number of additive round keys will be large resulting in consumption in both memory and processing time. So, a key re-usage mechanism is used to update the keys in the encryption/decryption processes.
The key re-usage function is used to update table S with new values in the encryption/decryption processes resulting in more security. The equation of the update is

end;
And in the decryption process: 13) end;

Implementation Issues
The IRC6-w/r/b/L uses m 2 (r + 2) words generated from the key schedule and minimal additional memory. To calculate the m 2 (r + 2) words in the key schedule, the key setting process only needs a secondary array of approximately an equivalent size as the key provided by the user. Also, since the key scheduling has just t words, the key schedule process for hundreds of keys can be pre-computed and performed. After that, the pointer is needed to switch only to the relevant key, and hence key agility is kept. The main goal of security is that the transform function f (x) = x(2x+ l) (mod 2 w ), which determines the amount of data-dependent rotation, must depend on every bit of the input word, and the transform has to provide an effective mix between words.
For the previous block cipher and the modified cipher, the selected transform is the left rotation by the function f (x) followed by the log 2 (w) bit position (log 2 (w) = 5 for w = 32). The f (x) function is a one-to-one modulo 2 w , and f (x) bits with a higher-order estimate of the rotation amount are highly dependent on every bit of x [9][10][11][12]. The rotation is performed by the log 2 (w) bits, but taking into account the hardening differential and linear cryptographic analysis.
Another issue is that in the decryption process, the key must be prepared first before beginning the decryption process by applying the key re-usage function of the encryption process along the length of the ciphertext to get the value of S[t − 1]. This disadvantage results in a slight increase in the decryption time compared to the encryption one.

Basic Cryptanalytic Attack
The brute-force attack is the most commonly employed for IRC6 cryptographic analysis via searching the encryption key space for the b-bytes encryption key. Hence, if the key provided by the user is long, the search focuses on the extending round key array [20]. A meet-in-themiddle attack, which is resource-intensive, can decrease the number of operations to min {28b, min {2 (8m(r+2)) , 2 (5632) }}. Otherwise, the number of operations is min {2 8b , min {2 (16m(r+2)) , 2 (11264) }} [20]. However, the AES-specific key size weakens the effect of brute-force attacks [21].

Confusion/Diffusion Mechanism
A desirable property of the proposed encryption system is that it is susceptible to small changes in plaintext (just one plaintext bit changes). Usually, the other party can make minor changes, like changing just only 1 byte of the source plaintext and notifying the result modification. Through this technique, one can figure out a meaningful relationship between plaintext and ciphertext. However, this attack would be practically useless and inefficient if the ciphertext could be changed drastically due to minor changes in the plaintext [22].
In Shannon's original definitions, confusion means complicating the relationship between the key and the ciphertext. The main purpose of the confusion is to make the key hard to be determined, even when there are many plaintext-ciphertext pairs generated with the same key. So, each ciphertext bit has to depend differently on the whole key and the other bits in the key. Specifically, if we change just one key bit, the ciphertext must be changed completely [22].
In the IRC6 cryptosystem, due to PXB and the variable working registers (m), one can encrypt a huge amount of data (ex: 1GB) by processing the data with the PXB network, and then dividing it into m working registers. These registers are all encrypted with each other in each round, giving a complete self-diffusion mechanism. Furthermore, the key re-usage function can generate new values of keys in the encryption/decryption processes, resulting in full dependence of the data on the key.

Comparative Analysis
A comparative analysis is held between IRC6 and RC6 to assess the encryption/decryption procedures. The effect of the number of rounds on the encryption quality is investigated for IRC6 and compared with that on RC6 in different modes of operation at r = 20, which gives the best encryption quality in RC6 [20][21][22]. The measurement for normalized throughput of encryption/decryption is also considered. The analysis of confusion/diffusion properties is presented. The results are explained in sections 7.1 to 7.4.

The Effect of Number of Rounds on Encryption Quality
Let F and F denote the plaintext and ciphertext, respectively, each of size L bytes, and denote H(F) as the occurrence number of each byte value from 0 to 255 in the plaintext and H(F ) as the number of occurrences of each byte value from 0 to 255 in the ciphertext. So, the encryption quality can be expressed as: (1) The test was made on data with a size of 256 KB using IRC6−32/r/16/256 K, i.e., the data was treated as one block. The encryption quality of RC6 in ECB, CBC, and OFB modes at r = 20 is shown in Tab. 3. From Tab. 3 and Fig. 3, we can see that: (1) The best result of IRC6 is at r = 2 with a value of 737.1875.
(2) Comparing these results with those of RC6, one can see that with only two rounds of IRC6, the encryption quality is better than that of RC6.

Encryption/Decryption Throughput
The encryption/decryption throughput (Th) can be estimated as the encryption or decryption amount of data per time unit (MB/Sec). In addition, the throughput normalization is tested on data with a size of 64 KB and computed for RC6-32/20/16 and IRC6-32/2/16/64 K. The results show that IRC6 takes only 30% of the encryption time of RC6, but in decryption, the percentage is increased to 36% of the decryption time of RC6. This is attributed to the key preparation process before decryption.

Diffusion
The diffusion of an algorithm can be tested by two factors: the Number of Pixels Changing Rate (NPCR) and the Unified Average Change Intensity (UACI) [23][24][25]. Considering the two ciphers, C 1 and C 2 , whose plaintexts have only one-bit difference. Also, let C 1 (i) and C 2 (i) represent C 1 and C 2 at ith byte. Assume a bipolar array, D of equivalent size as C 1 and C 2 . Hence, the values of C 1 (i) and C 2 (i) give D(i). If C 1 (i) = C 2 (i), then D(i) = 0; otherwise, D(i) = 1. The NPCR can be computed as: where L is C 1 or C 2 length. The NPCR detects the percentage of different bytes between the two ciphers.
The UACI can be computed as: which estimates the difference in average intensity between the two ciphers. The test was made on data of 64 KB. The results are shown in Tab. 4. From these results, one can see that: (1) The best mode that makes the most significant diffusion in RC6 is the CBC mode.
(2) The IRC6 has the best results compared to all other RC6 modes.

Confusion
We have tested the confusion by ciphering a 64 KB plaintext with two different keys. The first is key1 = '0000000000000000'16 and the second is key2 = '0000000000000001'16. The correlation between these two ciphers is calculated. For IRC6-32/2/16/64 K, the correlation is −0.0013 indicating a high deviation between these two ciphers due to a one-bit change in the key.

Conclusions
This paper introduced an IRC6, which is considered as an improved extension of RC5 and RC6 ciphers. Its salient feature is the utilization of a variable number of working registers instead of constant four registers in the RC6 round resulting in varying plaintext/ciphertext block size resulting and more flexibility. The processes of IRC6 include encryption, decryption and key expansion. Experiments have been conducted to demonstrate that the proposed encryption algorithm is robust against theoretical attacks. Furthermore, the IRC6 is verified as a full diffusion/confusion mechanism regardless of the block size. Finally, the comparative analysis for the IRC6 was considered, and its results were compared to those of RC6. The obtained results demonstrate that IRC6 has less encryption/decryption times and higher throughput compared to RC6 in other modes of operation. Using this architecture, the IRC6 w/r/b/L provides a compact, simple, and dynamic block cipher that satisfies the Advanced Encryption Standard and the computer security developers' goals.