Table 1. Extended key

R    IT   1    2    3    4    5    6    7    8    9    10   11   12   FT
A1        K1   K8   K5   K4   K1   K6   K7   K4   K2   K6   K5   K3
A2        K2   K6   K7   K3   K2   K8   K5   K3   K1   K8   K7   K4
A3        K6   K1   K2   K5   K7   K3   K4   K8   K6   K1   K2   K5
A4        K7   K4   K3   K8   K6   K1   K2   K5   K7   K4   K3   K8
A5        K3   K5   K6   K2   K4   K7   K6   K1   K4   K5   K8   K1
     K1                                                               K2
A6        K4   K7   K8   K1   K3   K5   K8   K2   K3   K7   K6   K2

output of $CP$-box, respectively. Then we know that $x_1 \oplus \cdots \oplus x_{32} = y_1 \oplus \cdots \oplus y_{32}$ with probability 1. We denote $a_1 \oplus \cdots \oplus a_{32}$ by $A[all]$ for convenience where $A = (a_1, \ldots, a_{32})$ is any 32-bit value. To begin with, let $L_i$ and $R_i$ be the left and right inputs of the $i$th round and $G_i$ be the output of $G$ in the $i$th round.

We will explain the linear equations which always hold for full round SPECTR-H64. Given plaintext $P = (P_L, P_R)$, we obtain the following equation since $IT(P) = (L_1, R_1)$, i.e. $L_1$ and $R_1$ are the arrangement of $P_L$ and $P_R$ xored with 0x55555555, respectively.

$$P_L[all] = L_1[all], \quad P_R[all] = R_1[all]$$

Let $C = (C_L, C_R)$ be the ciphertext corresponding to the plaintext $P = (P_L, P_R)$. Since $FT$ is the inverse of the procedure of $IT$, we also obtain

$$C_L[all] = R_{13}[all], \quad C_R[all] = L_{13}[all].$$

In encryption procedures, we can know the following linear property of SPECTR-H64 with probability 1 in each round (Fig. 5).

$$L_{i+1}[all] = R_i[all] \oplus A_4[all] \oplus G_i[all]$$

If the above equation is xored only for every odd round, then we can find the following linear equation with probability 1.

$$C_L[all] \oplus P_R[all] \oplus G_1[all] \oplus G_3[all] \oplus G_5[all] \oplus G_7[all] \oplus G_9[all] \oplus G_{11}[all] = K_6[all] \oplus K_2[all]$$

Similarly, for even round, we can also find the following linear equation with probability 1.

$$C_R[all] \oplus P_L[all] \oplus G_2[all] \oplus G_4[all] \oplus G_6[all] \oplus G_8[all] \oplus G_{10}[all] \oplus G_{12}[all] = K_1[all] \oplus K_5[all],$$
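
The two probability-1 equations above can be checked on a toy model; this is an added example, not code from the paper. The CP-box and G stand-ins, the round swap with R_{i+1}[all] = L_i[all], and the omitted bit arrangement in IT/FT are assumptions; only the A4 row of Table 1 and the parity relations come from the page.

```python
import random
from functools import reduce
from operator import xor

MASK = 0xFFFFFFFF
A4_ROW = [7, 4, 3, 8, 6, 1, 2, 5, 7, 4, 3, 8]  # Table 1, row A4, rounds 1..12

def par(x):
    """A[all]: XOR of the 32 bits of x."""
    return bin(x & MASK).count("1") & 1

def cp_box(x, control):
    """Stand-in CP-box (assumption): control selects a bit permutation,
    so the Hamming weight, and with it x[all], is unchanged."""
    pos = list(range(32))
    random.Random(control).shuffle(pos)
    return sum(((x >> i) & 1) << pos[i] for i in range(32))

def g_func(left, k_a, k_b):
    """Stand-in for G (assumption): arbitrary nonlinear mixing, not the real G."""
    return ((left * 0x9E3779B1) ^ ((left >> 5) & k_a) ^ (left | k_b)) & MASK

def encrypt(p_l, p_r, keys):
    """Toy 12-round model; keys maps 1..8 to 32-bit K_j.
    Returns (C_L, C_R, [G_1, ..., G_12])."""
    l, r = p_l ^ 0x55555555, p_r ^ 0x55555555      # IT without the bit arrangement
    g_out = []
    for rnd in range(12):
        a4 = keys[A4_ROW[rnd]]
        g = g_func(l, a4, keys[rnd % 8 + 1])
        g_out.append(g)
        new_l = cp_box(r ^ a4 ^ g, control=l)      # L_{i+1}[all] = (R_i ^ A4 ^ G_i)[all]
        l, r = new_l, cp_box(l, control=a4)        # R_{i+1}[all] = L_i[all]
    return r ^ 0x55555555, l ^ 0x55555555, g_out   # FT: C_L from R_13, C_R from L_13

def check_relations(p_l, p_r, keys):
    """Return (odd_holds, even_holds) for the two linear equations."""
    c_l, c_r, g = encrypt(p_l, p_r, keys)
    odd = par(reduce(xor, g[0::2], c_l ^ p_r))     # G_1, G_3, ..., G_11
    even = par(reduce(xor, g[1::2], c_r ^ p_l))    # G_2, G_4, ..., G_12
    return odd == par(keys[6] ^ keys[2]), even == par(keys[1] ^ keys[5])

def run_trials(n=200, seed=1):
    """True if both equations hold for n constructed random keys and plaintexts."""
    rng = random.Random(seed)
    ok = True
    for _ in range(n):
        keys = {j: rng.getrandbits(32) for j in range(1, 9)}
        ok &= all(check_relations(rng.getrandbits(32), rng.getrandbits(32), keys))
    return ok
```

Because the A4 subkeys of rounds 1, 3, 9 and 11 cancel in pairs (K7, K3, K7, K3), only K6 and K2 survive on the right-hand side for odd rounds, and likewise only K1 and K5 for even rounds.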

4 Higher Order Differential Property

We introduce the notion of the degree of a Boolean function; the higher order differential attack [4] is based on Proposition 2 shown by Lai [6]. We also describe the differential property of the $CP$-box and construct the fourth-order differential structure using the property of the function $G$, with a view to applying the higher order differential attack to SPECTR-H64.