$G$. Then we can reduce the possible key space of the 6-th round subkey to half with $2^{36}$ chosen plaintexts. So, we can find the 6-th round subkey with about $2^{44}$ chosen plaintexts and $2^{229.6}$ steps, which is lower than the exhaustive search $2^{256}$.

This paper is organized in the following way. Section 2 describes the property of the $CP$-box and the algorithm of SPECTR-H64. Section 3 shows the linear property of SPECTR-H64, section 4 explains some notions of degree of a Boolean function and a higher order differential property of function $G$, and section 5 shows how to find the 6th-round subkey. Finally, we present our attack results on SPECTR-H64 reduced to 6 rounds.

2 Description of SPECTR-H64

In this section, we briefly describe the algorithm of SPECTR-H64 and the property of the $CP$-box performing data-dependent permutations. A detailed description is presented in [1].

2.1 CP-Box ($P_{32/80}$ and $P^{-1}_{32/80}$)

This subsection describes notations and properties of $CP$-box. $CP$-box transformation is represented in the following form: $Y = P_{32/80}(X, V)$, where input $X \in \{0,1\}^{32}$, output $Y \in \{0,1\}^{32}$ and control vector $V \in \{0,1\}^{80}$, $V = (V_1 | V_2 | V_3 | V_4 | V_5)$.

[Figure: input $X = (x_1, x_2, \ldots, x_{32})$; four $P_{8/12}$ boxes (control $V_{1,2,3}$); eight $P_{4/4}$ boxes (control $V_{4,5}$); output $Y = (y_1, y_2, \ldots, y_{32})$]
Fig. 1. Structure of the box $P_{32/80}$

The output $Y$ of $CP$-box is a rearrangement of the input $X$ controlled by the control vector $V$, so the Hamming weight of $Y$ is equal to that of $X$. This property is very important in our attack. Construction scheme of the box $P_{32/80}$ is shown in Fig. 1.
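
The weight invariant described above, as an added sketch that is not code from the paper: a network of 5 layers of 16 controlled two-bit swaps driven by the 80-bit $V$, checked on random inputs. The butterfly wiring and the names `cp_box` and `check_invariants` are assumptions for illustration; the actual wiring of $P_{32/80}$ is the one specified in [1].

```python
import random

WIDTH, LAYERS = 32, 5            # 5 layers x 16 switches = 80 control bits
PER_LAYER = WIDTH // 2

def cp_box(x_bits, v_bits, inverse=False):
    """Model of Y = P(X, V): each control bit decides whether one pair of
    positions is swapped. ASSUMPTION: butterfly wiring (pair i with
    i + 2**layer), not the exact wiring of P_32/80 from [1]."""
    if len(x_bits) != WIDTH or len(v_bits) != LAYERS * PER_LAYER:
        raise ValueError("expected 32 data bits and 80 control bits")
    y = list(x_bits)
    # The inverse box uses the same V but walks the layers in reverse order.
    order = range(LAYERS - 1, -1, -1) if inverse else range(LAYERS)
    for layer in order:
        stride = 1 << layer
        ctrl = v_bits[layer * PER_LAYER:(layer + 1) * PER_LAYER]
        lows = [i for i in range(WIDTH) if not i & stride]
        for i, c in zip(lows, ctrl):
            if c:                # controlled swap: moves bits, never alters them
                y[i], y[i + stride] = y[i + stride], y[i]
    return y

def check_invariants(trials=2000, seed=2024):
    """Random (X, V) pairs (constructed test data): the Hamming weight, and
    hence the XOR of all 32 bits, must be the same on both sides of the box."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = [rng.getrandbits(1) for _ in range(WIDTH)]
        v = [rng.getrandbits(1) for _ in range(LAYERS * PER_LAYER)]
        y = cp_box(x, v)
        if sum(y) != sum(x) or sum(y) % 2 != sum(x) % 2:
            return False
        if cp_box(y, v, inverse=True) != x:
            return False
    return True

if __name__ == "__main__":
    print("weight and parity preserved:", check_invariants())
```

Because the box only moves bits, the XOR of all output bits equals the XOR of all input bits for every $V$, which is a relation that holds regardless of the control vector.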