Precisely speaking, the distribution of y_j z_j [operator lost in extraction] is not uniform on {0,1}^n, since E is a keyed permutation. However, since Pr[y_j ∈ {y_1, ..., y_{j-1}}] [relation and second operand lost in extraction] Pr[y_j ∈ {y_1, ..., y_{j-1}}], the probability of a multicollision is smaller in this case.

Thus, for 1 ≤ q ≤ 2^{n-2},

Adv^{col}_{C[E]^+}(A) ≤ Σ_{i=1}^{q} (Pr[Ea_i] + Pr[Eb_i] + Pr[Ec_i] + Pr[Ed_i]) ≤ [right-hand side lost in extraction; it contained terms in q, nq, 2^n, 2^{2n} and n!].

The upper bound exceeds 1 for n [relation lost in extraction] 4 and q > 2^{n-2}.
C Other Attacks on Block Ciphers
C.1 Higher Order Differential and Interpolation Attack
The higher order differential attack [32] can be mounted if the bits in the
intermediate state of the cipher are expressed by Boolean polynomials of degree
at most d, where d is a reasonably small value. In the case of Lesamnta-LW, we found
that every output bit of the S-box can be expressed as a Boolean polynomial of
degree 7 in terms of the input bits. Our experiments confirmed that the degree of
such polynomials reaches the required degree 256 after 19 rounds. Therefore,
we expect that Lesamnta-LW is secure against higher order differential attacks.
The interpolation attack [27] can be mounted if the number of terms in a
polynomial expression for a cipher over some field is reasonably small. Lesamnta-
LW uses the AES S-box, which can be expressed as a polynomial of degree 254
over GF(2^8). Our experiments have confirmed that after the 16th round, each
byte in the intermediate state of the mixing function depends on all 32
variables, while this is not the case just after 15 rounds. We expect that the
number of coefficients grows fast after the 16th round due to the high degree of
the S-box, and that the full Lesamnta-LW is secure against interpolation attacks.
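The two S-box facts that the arguments above rest on can be checked directly. The following is an added example (not code from the Lesamnta-LW paper): it rebuilds the AES S-box, computes the algebraic degree of each output bit via the Möbius transform to ANF (expected 7), and recovers the S-box's interpolation polynomial over GF(2^8) from the identity c_{255-k} = Σ_x x^k S(x), whose degree is 254.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """Build the AES S-box: field inversion (x^254) followed by the affine layer."""
    box = []
    for x in range(256):
        inv, base, e = 1, x, 254       # inv = x^254: x^-1 for x != 0, and 0 for x = 0
        while e:
            if e & 1:
                inv = gf_mul(inv, base)
            base, e = gf_mul(base, base), e >> 1
        y = inv
        for k in range(1, 5):          # y = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            y ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(y ^ 0x63)
    return box

def boolean_degree(truth_table):
    """Algebraic degree of a Boolean function given by its truth table (Möbius transform)."""
    a = list(truth_table)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]     # in-place ANF computation
        step <<= 1
    return max(bin(i).count("1") for i, c in enumerate(a) if c)

def sbox_bit_degrees(box):
    """Degree of each of the 8 output bits as a Boolean polynomial in the 8 input bits."""
    return [boolean_degree([(box[x] >> b) & 1 for x in range(256)]) for b in range(8)]

def field_polynomial(box):
    """Coefficients c[0..255] with S(x) = sum_j c[j] x^j over GF(2^8). Uses
    c[255-k] = sum_x x^k S(x) for k = 1..254, c[0] = S(0), c[255] = sum_x S(x)."""
    c = [0] * 256
    c[0] = box[0]
    for x in range(256):
        c[255] ^= box[x]
        p = 1
        for k in range(1, 255):
            p = gf_mul(p, x)
            c[255 - k] ^= gf_mul(p, box[x])
    return c

def poly_degree(c):
    """Degree of the polynomial with coefficient list c."""
    return max(j for j, v in enumerate(c) if v)
```

Only nine coefficients of the field polynomial are nonzero, but its degree 254 is what drives the growth in the number of terms the interpolation argument relies on.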
C.2 Slide and Related-Key Attacks
The round constants, which introduce randomness into the key scheduling function,
preclude slide attacks [9], which exploit the similarity between rounds.
Regarding related-key attacks, we can show that the maximum differential
characteristic probabilities for 24 rounds of the key scheduling function are less
than 2^128, as we did in Sect. 5.1. Hence, we expect that it is unlikely that
related-key attacks can be applied to Lesamnta-LW.
Trademarks
- Renesas® and H8® are registered trademarks of Renesas Technology Corporation.
- Intel® is a registered trademark of Intel Corporation in the United States
and/or other countries.