Cryptography Reference
In-Depth Information
1. for the first and the second round:

   $K_1[i] = E[i] \oplus C[0] \oplus MC_i$
   $K_2[i] = E[i+4] \oplus C[1] \oplus MC_i$

   for $i = 0, 1, 2, 3$,

2. for the remaining eleven rounds ($r = 2, \ldots, 12$) two steps are executed alternately:

   (a) for $r$ even:

   $\{E[0], E[1], E[2], E[3]\} \leftarrow \{E[1]^{\ll 12}, E[2]^{\ll 8}, E[3]^{\ll_b 3}, E[0]^{\ll_b 3}\}$,
   $K_r[i] = E[i] \oplus C[r] \oplus MC_i$,

   (b) for $r$ odd:

   $\{E[4], E[5], E[6], E[7]\} \leftarrow \{E[7]^{\ll_b 1}, E[4]^{\ll_b 1}, E[3]^{\ll 4}, E[0]^{\ll 8}\}$,
   $K_r[i] = E[i+4] \oplus C[r] \oplus MC_i$,

   for $i = 0, 1, 2, 3$,

where $C[0] = \mathtt{f53a}$, $C[k] = C[k-1] + \mathtt{f372} \bmod 2^{16}$ for $k = 1, \ldots, 12$, $MC_0 = \mathtt{acac}$, $MC_k = MC_{k-1}^{\ll_b 1}$ for $i = 0, 1, 2, 3$ and $\ll_b a$ represents bit-left-rotation by $a$ bits within each four-bit nibble.

Example of a differential trail for mCrypton:
Each cell lists the four lines of the corresponding 4×4 nibble array from the original table, top to bottom.

| $i$ | $A[i]$ | $D[i]$ | $D^{\gamma}[i]$ | $D^{\pi\circ\gamma}[i]$ | $D^{\tau\circ\pi\circ\gamma}[i]$ | $K[i]$ |
|---|---|---|---|---|---|---|
| 1 | 01d3 7701 1b65 ea3b | 61b9 e71f 4bb3 cf45 | c000 c000 8000 4000 | c000 0000 0000 0000 | c000 0000 0000 0000 | 9822 e615 a7a2 dd34 |
| 2 | 11ac 9137 59d2 e714 | c000 0000 0000 0000 | 9000 0000 0000 0000 | 8000 9000 9000 1000 | 8991 0000 0000 0000 | e08d ca42 a541 2bc7 |
| 3 | 7952 ca28 6a3d 68a0 | 8991 0000 0000 0000 | 9afd 0000 0000 0000 | 88b5 9a7c 92ed 1ad9 | 8991 8a2a b7ed 5cd9 | 3534 b8b0 c819 e29a |
| 4 | 6cb1 ad6f f9b8 1682 | 8991 8a2a b7ed 5cd9 | d54b 5e93 1142 db24 | d451 1ead 11fc 9abe | d119 4e1a 5afb 1dce | 5957 ced2 f360 db24 |
| 5 | 86f0 e0d0 0070 0d07 | d119 4e1a 5afb 1dce | 16a7 bc48 e9b4 2295 | 1fda ee6b c14d 5132 | 1ec5 fe11 d643 abd2 | 3d50 38ea 5440 bf17 |
| 6 | 0005 0066 0000 7230 | 1ec5 fe11 d643 abd2 | e827 ca6e a26d 6a4b | ea6f 0000 0000 0000 | e000 a000 6000 f000 | 9e0c 8aea b046 bfb1 |
| 7 | de7f b737 0d4d 3302 | e000 a000 6000 f000 | e000 c000 a000 6000 | e000 0000 0000 0000 | e000 0000 0000 0000 | 3e40 178d 1f6c 5e47 |
| 8 | 1b50 f0ec 1712 9247 | e000 0000 0000 0000 | 6000 0000 0000 0000 | 6000 4000 2000 6000 | 6426 0000 0000 0000 | 98c2 dab9 40a9 50a7 |
| 9 | 773d eeed 002a bbc0 | 6426 0000 0000 0000 | f9cc 0000 0000 0000 | e984 d94c b1cc 78c8 | edb7 9918 84cc 4cc8 | 3334 e680 6b92 5b99 |
| 10 | 85d0 9026 9e52 5ea9 | edb7 9918 84cc 4cc8 | 7299 a8dd 1cfe 6271 | 0000 0000 0000 0000 | 0000 0000 0000 0000 | 13c3 8209 883a 8c1e |
Fig. 8. The columns in the table represent: $i$ - round number, $A[i]$ - value of the state in round $i$, $D[i]$ - difference between two states in round $i$, $D^{\gamma}[i]$ - difference between two states after $\gamma$ in round $i$, $D^{\pi\circ\gamma}[i]$ - difference between two states after $\pi \circ \gamma$ in round $i$, $D^{\tau\circ\pi\circ\gamma}[i]$ - difference between two states after $\tau \circ \pi \circ \gamma$ in round $i$, $K[i]$ - subkey in round $i$. The trail was obtained for $K = \mathtt{679ff202d5834e529d9cf7013a4d8218}$.
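The round-key steps listed earlier on this page can be written out as follows. This is an added example, not code from the original text. It assumes the caller supplies E as eight 16-bit words (its derivation from the master key is not on this page) and that the rotations written without the subscript b rotate the whole 16-bit word. All function names are hypothetical, and the 13 round keys are returned in the order the steps produce them.

```python
MASK16 = 0xFFFF

def rotl16(x, n):
    """Rotate a 16-bit word left by n bits (assumed meaning of the plain rotation)."""
    return ((x << n) | (x >> (16 - n))) & MASK16

def rotl_nibbles(x, a):
    """Rotate every four-bit nibble of a 16-bit word left by a bits."""
    out = 0
    for shift in (0, 4, 8, 12):
        nib = (x >> shift) & 0xF
        out |= (((nib << a) | (nib >> (4 - a))) & 0xF) << shift
    return out

def constants():
    """C[0..12] and MC_0..MC_3 as defined in the text."""
    C = [0xF53A]
    for _ in range(12):
        C.append((C[-1] + 0xF372) & MASK16)
    MC = [0xACAC]
    for _ in range(3):
        MC.append(rotl_nibbles(MC[-1], 1))
    return C, MC

def round_keys(E):
    """Return the 13 round keys (4 words each) in the order the steps produce them."""
    C, MC = constants()
    E = list(E)
    keys = [[E[i] ^ C[0] ^ MC[i] for i in range(4)],
            [E[i + 4] ^ C[1] ^ MC[i] for i in range(4)]]
    for r in range(2, 13):
        if r % 2 == 0:   # step (a): update E[0..3], key taken from E[i]
            E[0:4] = [rotl16(E[1], 12), rotl16(E[2], 8),
                      rotl_nibbles(E[3], 3), rotl_nibbles(E[0], 3)]
            off = 0
        else:            # step (b): update E[4..7], key taken from E[i+4]
            E[4:8] = [rotl_nibbles(E[7], 1), rotl_nibbles(E[4], 1),
                      rotl16(E[3], 4), rotl16(E[0], 8)]
            off = 4
        keys.append([E[off + i] ^ C[r] ^ MC[i] for i in range(4)])
    return keys

def key_difference(E, dE):
    """XOR difference between the round keys of E and of E xor dE."""
    other = [x ^ d for x, d in zip(E, dE)]
    return [[a ^ b for a, b in zip(k1, k2)]
            for k1, k2 in zip(round_keys(E), round_keys(other))]

# Constructed sample input, not taken from the page.
E_DEMO = [0x0123, 0x4567, 0x89AB, 0xCDEF, 0x1111, 0x2222, 0x3333, 0x4444]
D_DEMO = key_difference(E_DEMO, [0x8000, 0, 0, 0, 0, 0, 0, 0])
```

Every operation applied to E is a rotation or an XOR with a constant, so the round-key differences returned by `key_difference` depend only on `dE` and not on the value of E.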