Information Technology Reference
In-Depth Information
Indeed, the structure
S
(
x
) contains 2
32
fourth order differential structure of
G
.
Randomly numbering elements of the structure
S
(
x
), we rewrite it as follows.
S
(
x
)=
.
We acquire 2
36
ciphertexts corresponding to all plaintexts in the structure, obvi-
ously every plaintext and ciphertext pair satisfies (1) with probability 1. So, we
can have 2
36
computations of the linear equation. Xor sum of 2
36
computations
can be written as follows.
2
36
i
=1
C
L,i
[
all
]
{
P
1
,P
2
,
···
,P
2
36
}
⊕
2
36
⊕
2
36
⊕
2
36
⊕
2
36
i
=1
R
1
i
=1
G
1
i
=1
G
3
i
=1
G
5
[
all
]
[
all
]
[
all
]
[
all
]=0,
i
i
i
i
where
R
1
i
is the right half of th
i
-th plaintext
P
i
,
C
L,i
is the left half of the
i
-th
ciphertext and
G
i
is the output of
G
in
j
-th round corresponding to the
P
i
.
The reason that the right side of this equation is zero is that
K
3
[
all
]
⊕
K
6
[
all
]
⊕
K
7
[
all
] is constant. Now, we show that three terms
2
36
[
all
]
,
2
36
i
=1
R
1
i
=1
G
1
[
all
]
i
i
and
2
36
i
=1
G
3
[
all
] go to zero.
Firstly,
2
36
i
i
=1
R
1
[
all
] = 0 because that
R
1
i
occurs exactly 2
4
times for each
i
i
in the sum. Secondly,
2
36
i
=1
G
1
[
all
] = 0 because
G
1
i
's form 2
32
same the fourth
i
differential structure for
G
from plaintext structure
S
(
x
).
In other words,
2
36
[
all
]=
(
a,b
)
∈S
(
x
)
G
1
(
a
)
[
all
]=
b∈GF
(2)
32
a∈θ
(
x
)
G
1
(
a
)
[
all
]. Since
θ
(
x
) is the fourth order differential
structure of
G
for
x
,
a∈θ
(
x
)
G
1
(
a
) is zero, and thus
2
36
[
all
]=
2
36
i
=1
G
1
i
=1
G
1
i
i
i
=1
G
1
[
all
] is zero, too.
i
Finally, we show that
2
36
i
=1
G
3
[
all
] = 0. For each
a
∈
θ
(
x
), procedure
Crypt
i
is a permutation on
GF
(2)
32
in the first round. In the second round, we can
correspond each
L
2
i
to the fourth order differential structure of
G
,
θ
(
x
). We can
GF
(2)
32
are lin-
consider
L
4
=
x
⊕
θ
(
x
)as
Span
(
α, β, γ, δ
) where
α, β, γ
and
δ
∈
,
P
32
/
80
and
P
−
1
early independent. For fixed
L
2
i
32
/
80
transform
Span
(
α, β, γ, δ
)
to
Span
(
α
,β
,γ
,δ
) and
Span
(
α
,β
,γ
,δ
) respectively by proposition 2,
although
{α
,β
,γ
,δ
}
and
{α
,β
,γ
,δ
}
may not be linearly independent.
The other operations don't affect the structure of differences of
Span
(
α, β, γ, δ
),
Span
(
α
,β
,γ
,δ
), or
Span
(
α
,β
,γ
,δ
). For
y
=
L
2
i
, let
θ
y
(
x
) be the set
transformed from
θ
(
x
)by
y
and
Crypt
. So, we can rewrite
2
36
i
=1
G
3
[
all
] as fol-
i
lows:
2
36
i
[
all
]=
2
36
i
)
[
all
]=
y∈GF
(2)
32
a∈θ
y
(
x
)
G
(
a
)
[
all
]
.
=1
G
3
=1
G
(
L
3
i
i
Therefore
2
36
i
[
all
] is zero, since
a∈θ
y
(
x
)
G
(
a
) is zero. As a result, we can
have the following equation with probability 1.
2
36
=1
G
3
i
2
36
G
5
i
C
L,i
[
all
]
⊕
[
all
]=0
(2)
i
=1
i
=1
Now, we can attack on 6 round SPECTR-H64 using this equation. In this
equation, we can compute the term
2
36
i
=1
C
L,i
[
all
] from 2
36
left halves of ci-
phertexts. But we should know the subkey of
G
of the 5-th round in order to
