Information Technology Reference
In-Depth Information
nevertheless the ten-round and twelve-round variants of SPECTR-H64 are secure
against DA. Indeed, the difference (
∆
0
,∆
1
) passes ten and twelve rounds with
2
−
64
2
−
77
probability
P
(10)
≈
and
P
(12)
≈
1
.
2
·
(for random cipher we have
=2
5
2
−
64
=2
−
59
2
−
64
2
−
77
).
P
·
>
>
box is a critical part in the design of SPECTR-
H64 we have proposed the following variant of the
Taking into account that the
E
E
box:
V
1
=(
u
21
,u
26
,u
27
,u
24
,u
28
,u
27
,u
23
,u
24
,u
30
,u
26
,u
32
,u
22
,u
24
,u
30
,u
28
,u
22
),
V
2
=(
u
18
,u
19
,u
17
,u
29
,u
25
,u
20
,u
22
,u
25
,u
18
,u
19
,u
31
,u
23
,u
31
,u
21
,u
32
,u
17
),
V
3
=(
u
28
,u
20
,u
32
,u
25
,u
26
,u
29
,u
30
,u
29
,u
27
,u
20
,u
21
,u
17
,u
18
,u
19
,u
31
,u
23
),
V
4
=(
u
6
,u
7
,u
16
,u
9
,u
10
,u
11
,u
12
,u
13
,u
14
,u
15
,u
8
,u
1
,u
2
,u
3
,u
4
,u
5
),
V
5
=(
u
10
,u
11
,u
12
,u
13
,u
14
,u
15
,u
4
,u
9
,u
2
,u
3
,u
16
,u
5
,u
6
,u
7
,u
8
,u
1
),
where bits
u
i
corresponds to vector
U
=(
u
1
,u
2
, ..., u
32
) that is input of the
E
box and the output vector is
V
1
,V
2
, ..., V
6
). For the modified version (called
SPECTR-H64
+
) we have obtained
V
=(
2
−
22
. For SPECTR-H64
+
the
most ecient differential characteristic is the three-round one for which we have
get
P
(2)
≈
0
.
92
·
P
(3)=2
−
30
.
3
Conclusion
Comparative analysis of different attacks against SPECTR-H64 shows that DA
is the most ecient one. Investigating security of SPECTR-H64 we have shown
that security of the DDP-based ciphers depends significantly on the structure of
the
box. The presented DA shows that twelve-round SPECTR-H64 is secure,
some optimization of its structure is possible though. Optimized eight-round
version SPECTR-H64
+
has been proposed, for six rounds of which we have the
probability
E
2
−
59
. Therefore one can conservatively estimate that
eight round SPECTR-H64
+
is secure against DA. Thus, due to optimization of
the
(6)=2
−
60
P
<
box structure we have reduced the number of rounds from 12 to 8. This sig-
nificantly reduces the hardware implementation cost and increases performance
for some implementation architectures.
E
References
1. Goots, N.D., Izotov, B.V., Moldovyan, A.A., Moldovyan, N.A.: Modern Cryptog-
raphy: Protect Your Data with Fast Block Ciphers. Wayne, A-LIST Publishing
(2003) 400
2. Goots, N.D., Moldovyan, A.A., Moldovyan, N.A.: Fast Encryption Algorithm
SPECTR-H64. Int. Workshop MMM-ANCS'2001 Proc. LNCS, Vol. 2052, Springer-
Verlag, Berlin (2001) 275-286
3. Moldovyan, A.A., Moldovyan, N.A.: A Cipher Based on Data-Dependent Permu-
tations, Journal of Cryptology, Vol. 15,
1
(2002) 61-72
4. Youngdai Ko, Deukjo Hong, Seokhie Hong, Sangjin Lee, Jongin Lim: Linear Crypt-
analysis on SPECTR-H64 with Higher Order Differential Property. Int. Workshop
MMM-ANCS'2003 Proc. LNCS, this vol., Springer-Verlag, Berlin (2003)