Fast Ciphers for Cheap Hardware:
Differential Analysis of SPECTR-H64
N.D. Goots, B.V. Izotov, A.A. Moldovyan, and N.A. Moldovyan
Specialized Center of Program System “SPECTR”
Kantemirovskaya str. 10, St. Petersburg 197342, Russia
nmold@cobra.ru
Abstract. The security estimation performed has shown that the twelve-round cipher SPECTR-H64 is secure against differential attack and that the extension box is a critical element of this cipher. A modified eight-round version, SPECTR-H64+, is proposed.
Keywords. Data-Dependent Permutations, SPECTR-H64, Differential
Analysis.
1 Introduction
Recently [3] data-dependent permutations (DDP) have been proposed as a cryptographic primitive. The twelve-round cipher SPECTR-H64 [1,2] is an example of the DDP-based ciphers suitable for cheap hardware implementation. This paper presents a differential analysis (DA) of SPECTR-H64 and shows that the extension box $E$ is a critical part of its design. By modifying the $E$ box, the eight-round version SPECTR-H64+ has been proposed.
2 Security Estimation of SPECTR-H64
Trying different attacks against SPECTR-H64 (a description of which can be found in this volume [4]), we have found that the DA is the most efficient. Our best variant of the DA corresponds to a two-round characteristic with the difference $(\Delta_0, \Delta_1)$, where $\Delta_k$ denotes the difference with arbitrary $k$ active (non-zero) bits corresponding to the vector $W$. Let $\Delta_{k|i_1,\dots,i_k}$ be the difference with $k$ active bits and $i_1, \dots, i_k$ be the numbers of digits corresponding to active bits. We shall also denote a difference at the input or output of the operation $F$ as $\Delta_k$ or $\delta_k$, respectively. The $(\Delta_0, \Delta_1)$ difference passes the first round with probability 1 and after swapping subblocks it is transformed into $(\Delta_1, \Delta_0)$ (see Fig. 1). In the second round the active bit passing through the left branch of the cryptoscheme can form at the output of the operation $G$ the difference $\delta_j$, where $j \in \{1, 2, 3, 4, 5, 6\}$. Only differences with an even number of active bits contribute to the probability of the two-round iterative characteristic. The most contributing are the differences $\delta_{2|i,i+1}$. The most contributing mechanisms of the formation of the two-round characteristic belong to Cases 1a, 1b, 1c, 2a, 2b, 3a, 3b, 4a, and 4b, where $i \in \{1, \dots, 32\}$, described below.
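
The probability-1 first-round step and the data-dependent behaviour after the swap can be checked exhaustively on a toy model. The Python below is an added example, not code from the paper: it assumes a round in which the left subblock controls a data-dependent permutation of the right one, and the 8-bit width, `ddp`, `extend`, `round_and_swap` and the subkey value are constructed for illustration and are not SPECTR-H64's real boxes.

```python
from itertools import product

N = 8  # toy subblock width (assumption); SPECTR-H64 uses 32-bit subblocks

def ddp(x, ctrl):
    """Toy data-dependent permutation: 3 layers of 4 controlled swap elements.
    Control bit 1 swaps the element's two data bits, 0 passes them through."""
    bits = [(x >> i) & 1 for i in range(N)]
    c = 0
    for stride in (1, 2, 4):
        for i in (j for j in range(N) if not j & stride):
            if (ctrl >> c) & 1:
                bits[i], bits[i + stride] = bits[i + stride], bits[i]
            c += 1
    return sum(b << i for i, b in enumerate(bits))

def extend(left):
    """Hypothetical stand-in for an extension box: 8 data bits -> 12 control bits."""
    rot3 = ((left << 3) | (left >> 5)) & 0xFF
    return (left | (rot3 << 8)) & 0xFFF

def round_and_swap(left, right, subkey):
    """Left subblock controls the permutation of the right one, then swap."""
    return ddp(right, extend(left) ^ subkey), left

def weight(d):
    return bin(d).count("1")

def output_weights(d_left, d_right, subkey):
    """All (left, right) output-difference weights over every input pair."""
    seen = set()
    for left, right in product(range(1 << N), repeat=2):
        a = round_and_swap(left, right, subkey)
        b = round_and_swap(left ^ d_left, right ^ d_right, subkey)
        seen.add((weight(a[0] ^ b[0]), weight(a[1] ^ b[1])))
    return seen

if __name__ == "__main__":
    # Zero difference in the controlling branch: the single active bit is only
    # moved, so the difference becomes (1 active bit, 0) with probability 1.
    print(output_weights(0, 0b00010000, subkey=0xA5C))
    # Active bit in the controlling branch: the permutation itself changes, so
    # the output weight depends on the data. In this toy it is always even,
    # because both outputs are permutations of the same right-subblock bits.
    print(output_weights(0b00000001, 0, subkey=0xA5C))
```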
 