Information Technology Reference
In-Depth Information
compute the value of
2
36
i
[
all
], so we will guess
K
7
and
K
6
, the subkey of
G
of the 5-th round in order to compute it. However, according to the key sched-
ule of SPECTR-H64, we can observe the fact that
K
7
and
K
6
are also used in
6-th round(As you see, Table 1). Thus, we guess a 192-bit subkey of 6-th round
and get 1-round decryptions of 2
36
right halves of ciphertexts,
C
R,i
,uptothe
position of
G
in the 5-th round. Then we can compute the value of
2
36
=1
G
5
i
i
=1
G
5
[
all
]
i
from guessing the 6-th round subkey
K
(
K
6
,K
8
,K
3
,K
1
,K
7
and
K
5
).
If the value of
2
36
[
all
] satisfies the equation (2) for each 192-bit
K
,
then we accept
K
as a candidate of right 192-bit subkey, otherwise we discard
it. This method reduces the key-space to half. Thus, if we try again the above
procedure with another structure
S
(
x
), then the key-space is reduced to half,
too. We repeat this method until the key-space is suciently small for other
S
(
x
)'s (i.e, we need about 2
8
structures of
S
(
x
), in order to reduce the key space
to 1).
Therefore, 2
36
i
=1
G
5
i
2
8
(
2
44
) chosen plaintexts and (1
.
5
2
36
)(2
192
+2
191
+
×
≈
×
2
229
.
6
) steps enable us to find the right 6-th round subkey(The value
1
.
5 means that the decryption procedures up to the 5-th round and operations
of function
G
in the 5-th round).
+2
1
)(
···
≈
6
Conclusion
This paper shows some cryptographic weaknesses of SPECTR-H64 which arise
from properties of
CP
-box and function
G
. The linear equation which is derived
from the property of
CP
-box, always satisfies full 12 round SPECTR-H64. But
this linear equation is not available for conventional linear cryptanalysis on block
cipher because the terms of
G
contain subkey bits. However we can construct
the characterstic which enables us to attack on 6 round SPECTR-H64, using the
linear equation and the fact that function
G
has a low algebraic degree which
is vulnerable to higher order differential attack. In order to attack on 6 round
SPECTR-H64, we need about 2
44
chosen plaintexts and 2
229
.
6
steps which is
lower than the exhaustive search 2
256
.
References
1. Goots, N.D., Moldovyan, A.A., and Moldovyan, N.A.:
Fast Encryption Algorithm
SPECTR-H64
. In: V.I. Gorodetski, V.A. Skormin, L.J. Popyack(Eds.), Information
Assurance in Computer Networks:Methods,Models,and Architectures for Network
Security. Lecture Notes in Computer Science, Vol. 2052, Springer-Verlag (2001)
275-286
2. Changhoon Lee, Deukjo Hong, Sungjae Lee, Sangjin Lee, Hyungjin Yang, Jongin
Lim:
A Chosen Plaintext Linear Attack on Block Cipher CIKS-1
. Volume 2513, pp
456-468 Lecture Notes in Computer Science
3. Mitsuru Matsui:
Linear Cryptanalysis Method for DES Cipher
. Volume 0765, pp
0386 Lecture Notes in Computer Science