Linear Cryptanalysis on SPECTR-H64
with Higher Order Differential Property
Youngdai Ko, Deukjo Hong, Seokhie Hong, Sangjin Lee, and Jongin Lim
Center for Information Security Technologies (CIST)
Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea
{carpediem,hongdj,hsh,sangjin,jilim}@cist.korea.ac.kr
Abstract. In this paper, we find linear equations of SPECTR-H64 using the property of controlled permutation boxes. Also, we construct the fourth-order differential structure using the property that the algebraic degree of the function $G$ is 3, which is the only non-linear part of SPECTR-H64. These linear equations and structures enable us to attack the reduced 6 round SPECTR-H64. So, we can recover the 6-th round subkey with about $2^{44}$ chosen plaintexts and $2^{229.6}$ steps which are lower than the exhaustive search $2^{256}$.
Keywords: Linear equation, SPECTR-H64, Controlled Permutation, Higher order differential, Algebraic degree.
1 Introduction
SPECTR-H64 is a 12 round block cipher, which was designed by N. D. Goots, Alexander A. Moldovyan and Nick A. Moldovyan [1]. It is a 64-bit block cipher with a 256-bit symmetric key, which is composed of a non-linear function $G$, variants of controlled permutation boxes (CP-boxes) and some simple operations. Function $G$ is the only non-linear part in SPECTR-H64, and it has a low algebraic degree. A CP-box is used to perform both data transformation and the data-dependent transformation of round subkeys. Such a CP-box can be constructed as a superposition of the standard elementary $P_{2/1}$-boxes shown in Fig. 2(a). A $P_{2/1}$-box is controlled by one bit $v$. If $v = 1$, it swaps the two input bits; otherwise (if $v = 0$), it does not, i.e., the output bits of a CP-box are a rearrangement of the input bits determined by the control vector. Therefore a CP-box has the property that the Hamming weight of its input is equal to that of its output, so any algorithm that mixes CP-boxes with a rarely weak substitution or a weak non-linear function may reveal some weakness. The block cipher CIKS-1 [5], which has a structure similar to SPECTR-H64, is a proper example. CIKS-1 uses 16 parallel 2-bit additions, so it is susceptible to the attack found in [2].
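The Hamming-weight property described above can be checked with a small simulation; this is an added example, not code from the paper, and the butterfly wiring of the $P_{2/1}$-boxes, the helper names and the random test inputs are assumptions made here. It goes one step beyond the text: because the weight is preserved, the XOR of all output bits equals the XOR of all input bits for every control vector, which is a linear relation holding with probability 1, while a single-bit relation such as y[0] = x[0] does not.

```python
import random

def p21(a, b, v):
    """Elementary P_{2/1} box: swap the two input bits when v == 1."""
    return (b, a) if v else (a, b)

def cp_box(bits, control):
    """Layered network of P_{2/1} boxes over n = 2^k bits.
    The butterfly wiring is an assumption made for this example."""
    out, ctl, stride = list(bits), iter(control), 1
    while stride < len(out):
        for base in range(0, len(out), 2 * stride):
            for i in range(base, base + stride):
                out[i], out[i + stride] = p21(out[i], out[i + stride], next(ctl))
        stride *= 2
    return out

def control_len(n):
    """Control bits consumed: n/2 boxes per layer, log2(n) layers."""
    return (n // 2) * (n.bit_length() - 1)

def parity(bits):
    """XOR of all bits, i.e. the Hamming weight modulo 2."""
    return sum(bits) & 1

def run_trials(n=32, trials=2000, seed=1):
    """Return (weight preserved, parity preserved, rate of y[0] == x[0])."""
    rng = random.Random(seed)
    weight_ok = parity_ok = True
    hits = 0
    for _ in range(trials):
        # Constructed sample data: random input block and random control vector.
        x = [rng.getrandbits(1) for _ in range(n)]
        v = [rng.getrandbits(1) for _ in range(control_len(n))]
        y = cp_box(x, v)
        weight_ok &= sum(x) == sum(y)        # permutation keeps the weight
        parity_ok &= parity(x) == parity(y)  # full-mask linear relation
        hits += y[0] == x[0]                 # single-bit relation, for contrast
    return weight_ok, parity_ok, hits / trials

if __name__ == "__main__":
    print(run_trials())
```
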
In this paper, we describe a linear property of SPECTR-H64 and a method to find the linear equation with probability 1, in a fashion similar to [2]. Also, we briefly introduce some notions of degree of a Boolean function and higher order differential attack, and construct a fourth-order differential structure for the purpose of applying to our attack scenario using the property of function