$\bigoplus_{x \in w \oplus L_4} G(x) = 0$, for any $w \in GF(2)^{32}$.

We denote $\theta(w) \equiv w \oplus L_4$. This notation will be useful in the next section.
The differential property of the CP-box is explained in Proposition 2, which is also useful in the next section.
Proposition 2. Let $(P_1, P_2)$ and $(P_3, P_4)$ be input pairs of any CP-box whose differences are the same, i.e., $P_1 \oplus P_2 = P_3 \oplus P_4$. Let the control vector $V$ of the CP-box be fixed. Then the output pairs $(P'_1, P'_2)$ and $(P'_3, P'_4)$ of the CP-box also have the same difference, i.e., $P'_1 \oplus P'_2 = P'_3 \oplus P'_4$.
Proof. If the control vector $V$ is fixed, then the CP-box becomes a linear operation with respect to XOR. Therefore

$P'_1 \oplus P'_2 = CP(P_1) \oplus CP(P_2) = CP(P_1 \oplus P_2) = CP(P_3 \oplus P_4) = CP(P_3) \oplus CP(P_4) = P'_3 \oplus P'_4$.

We describe Proposition 2 in Fig. 6.
[Fig. 6. Proposition 2: two CP-boxes with the same control vector $V$; input pairs with $P_1 \oplus P_2 = P_3 \oplus P_4$ give output pairs with $P'_1 \oplus P'_2 = P'_3 \oplus P'_4$.]
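The linearity argument in the proof, as an added example that is not part of the original paper: a toy controlled-permutation box built from layers of controlled 2-bit swap elements (an assumption of this example; the wiring of SPECTR-H64's CP-box is not given on this page). The checks show that a fixed control vector makes the box XOR-linear, that Proposition 2 then holds, and, as the caveat a practitioner should keep in mind, that it need not hold when the two pairs pass through the box under different control vectors.

```python
# Added illustration of Proposition 2 with a toy controlled-permutation (CP) box.
# ASSUMPTION: the box below is a small network of controlled 2-bit swap elements
# (each layer pairs bit i with bit i XOR d and one control bit selects swap or pass).
# It is a constructed stand-in, not the CP-box of SPECTR-H64; the proposition only
# needs "fixed V => the box is a bit permutation", which any such network satisfies.
import random

N = 8                      # toy word width; the real boxes operate on wider words
LAYERS = [1, 2, 4, 2, 1]   # swap distance of each layer of the toy network
CONTROL_BITS = len(LAYERS) * (N // 2)   # one control bit per swap element

def cp_box(p, v):
    """Permute the N bits of p; the control vector v (CONTROL_BITS bits) fixes the permutation."""
    b = [(p >> i) & 1 for i in range(N)]
    k = 0                                   # index of the next control bit
    for d in LAYERS:
        for i in range(N):
            j = i ^ d
            if i < j:                       # visit each swap element once
                if (v >> k) & 1:
                    b[i], b[j] = b[j], b[i]
                k += 1
    return sum(bit << i for i, bit in enumerate(b))

def is_xor_linear(v, trials=500, seed=1):
    """With V fixed, CP(a) XOR CP(b) == CP(a XOR b): a bit permutation is GF(2)-linear."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(1 << N), rng.randrange(1 << N)
        if cp_box(a, v) ^ cp_box(b, v) != cp_box(a ^ b, v):
            return False
    return True

def proposition2_holds(v, trials=500, seed=2):
    """Input pairs with equal difference yield output pairs with equal difference."""
    rng = random.Random(seed)
    for _ in range(trials):
        p1, p2, p3 = (rng.randrange(1 << N) for _ in range(3))
        p4 = p1 ^ p2 ^ p3                   # forces P1 XOR P2 == P3 XOR P4
        out1 = cp_box(p1, v) ^ cp_box(p2, v)
        out2 = cp_box(p3, v) ^ cp_box(p4, v)
        if out1 != out2:
            return False
    return True

def same_output_difference(p1, p2, p3, p4, v_first, v_second):
    """True when both pairs have equal input difference AND equal output difference.
    Proposition 2 assumes v_first == v_second; with distinct control vectors the
    two pairs go through different permutations and the conclusion can fail."""
    d_in_equal = (p1 ^ p2) == (p3 ^ p4)
    d_out_equal = (cp_box(p1, v_first) ^ cp_box(p2, v_first)) == \
                  (cp_box(p3, v_second) ^ cp_box(p4, v_second))
    return d_in_equal and d_out_equal

if __name__ == "__main__":
    v = random.Random(3).randrange(1 << CONTROL_BITS)
    print("XOR-linear for fixed V:", is_xor_linear(v))
    print("Proposition 2 holds for fixed V:", proposition2_holds(v))
    # Same input difference, but the second pair uses a different control vector:
    print("Holds across different V:", same_output_difference(1, 0, 1, 0, 0, 1))
```

The last check is the point to remember when applying the proposition inside a cipher: the control vector is usually data- or key-dependent, so two input pairs only share an output difference when they are processed under the same $V$.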
5 Attack on 6 Round SPECTR-H64
In this section, we explain the attack on 6-round SPECTR-H64 regardless of IT and FT. The linear equations in Section 3 are not usable for conventional linear cryptanalysis of block ciphers, because the terms of $G$ contain subkey bits. Thus we exploit the higher order differential property of $G$ mentioned in Section 4 in order to make the terms of $G$ vanish from the linear equations.
The linear equation used for the attack on 6-round SPECTR-H64 is as follows.
$R_1[all] \oplus G_1[all] \oplus G_3[all] \oplus G_5[all] = K_7[all] \oplus C_L[all] \oplus K_3[all] \oplus K_6[all]$ (1)
We extend the notion $\theta(x) \equiv x \oplus L_4$ as follows.
.
Then we can represent the plaintext structure for $X \in GF(2)^{32}$, which is used for our attack:

$\phi(x, y) = \{(z, y) \mid z \in \theta(x)\}$,

$S(x) = \bigcup_{y \in GF(2)^{32}} \phi(x, y)$.
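The higher order differential property $\bigoplus_{x \in w \oplus L_4} G(x) = 0$ and the plaintext structure $\phi(x, y)$, $S(x)$ above, as an added example that is not part of the original paper. The word width, the subspace L and the two maps g_quadratic and g_cubic are constructed stand-ins (assumptions of this example), not SPECTR-H64's $G$, its $L_4$ or its 32-bit words; the example generalizes the page's statement by showing both a map whose coset sums vanish and one whose sums do not, and by building $\phi$ and $S$ at toy size.

```python
# Added toy illustration of the higher order differential property of G and of the
# plaintext structure phi(x, y) / S(x) defined above.
# ASSUMPTIONS: the word width N, the subspace L and the maps g_quadratic / g_cubic
# are constructed stand-ins; they are not SPECTR-H64's G, its L_4 or its 32-bit words.
from itertools import product

N = 8                              # toy word width (the paper works in GF(2)^32)

def span(basis):
    """All GF(2)-linear combinations of the basis vectors: the subspace they generate."""
    vectors = set()
    for coeffs in product((0, 1), repeat=len(basis)):
        v = 0
        for c, b in zip(coeffs, basis):
            if c:
                v ^= b
        vectors.add(v)
    return vectors

L = span([0x01, 0x02, 0x04])       # constructed 3-dimensional subspace standing in for L_4

def theta(x):
    """theta(x) = x XOR L, the coset of L through x (the text's notation)."""
    return {x ^ v for v in L}

def g_quadratic(x):
    """Constructed map GF(2)^N -> GF(2)^N of algebraic degree 2."""
    b = [(x >> i) & 1 for i in range(N)]
    out = 0
    for i in range(N):
        out |= (b[i] & b[(i + 3) % N]) << i
    return out ^ 0xA5                # a constant term does not raise the degree

def g_cubic(x):
    """Constructed map of algebraic degree 3; output bit 0 contains x0*x1*x2."""
    b = [(x >> i) & 1 for i in range(N)]
    out = 0
    for i in range(N):
        out |= (b[i] & b[(i + 1) % N] & b[(i + 2) % N]) << i
    return out

def coset_xor_sum(g, w):
    """XOR of g over the coset w XOR L: the dim(L)-th order derivative of g at w."""
    acc = 0
    for z in theta(w):
        acc ^= g(z)
    return acc

def vanishes_on_every_coset(g):
    """The property used by the attack: the XOR-sum of g over every coset of L is 0.
    It holds whenever the algebraic degree of g is below dim(L)."""
    return all(coset_xor_sum(g, w) == 0 for w in range(1 << N))

def phi(x, y):
    """phi(x, y) = {(z, y) | z in theta(x)}: right word fixed, left word runs over the coset."""
    return {(z, y) for z in theta(x)}

def S(x):
    """S(x) = union over all y in GF(2)^N of phi(x, y): the whole plaintext structure."""
    structure = set()
    for y in range(1 << N):
        structure |= phi(x, y)
    return structure

def g_term_cancels(g, x, y):
    """XOR of g over the left words of one phi(x, y) block: 0 when the property holds,
    which is what lets a G-term drop out of a linear relation summed over the block."""
    acc = 0
    for z, _ in phi(x, y):
        acc ^= g(z)
    return acc

if __name__ == "__main__":
    print("degree-2 map vanishes on all cosets:", vanishes_on_every_coset(g_quadratic))
    print("degree-3 map vanishes on all cosets:", vanishes_on_every_coset(g_cubic))
    print("|S(x)| =", len(S(0x37)), "= |L| * 2^N =", len(L) * (1 << N))
```

The contrast between the two maps is the reason the dimension of the subspace matters: summing over a coset of L differentiates the map dim(L) times, so only terms of degree at least dim(L) survive. In the attack, each block $\phi(x, y)$ holds the right word fixed while the left word runs over one coset, so a $G$-term evaluated on the left word cancels within every block, and $S(x)$ simply collects all such blocks over every choice of the right word.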