Cryptography Reference
In-Depth Information
- $X[i_1, i_2, \ldots, i_n]$ : concatenation of $X[i_1]$, $X[i_2]$, ..., and $X[i_n]$
- $\mathrm{MSB}_i(X)$ : the most significant $i$ bits of a string $X$
- $\mathrm{LSB}_i(X)$ : the least significant $i$ bits of a string $X$
- $(\Delta X, \Delta Y) \rightarrow \Delta Z$ : an event that $(x\ y) \oplus (x\ y) = \Delta Z$, where $x \oplus x = \Delta X$ and $y \oplus y = \Delta Y$
HIGHT takes a 64-bit plaintext $P$ and a 128-bit key $K$, and its 32-round encryption procedure produces a 64-bit ciphertext $C$. From now on, we present any 64-bit variable $A$ and any 128-bit variable $B$ as a tuple of eight bytes $(A[7], \ldots, A[1], A[0])$ and a tuple of sixteen bytes $(B[15], \ldots, B[1], B[0])$.
The key schedule produces 128 8-bit subkeys SK[0], ..., SK[127] from a 128-bit key $K = (K[15], \ldots, K[0])$: for $0 \le i \le 7$ and $0 \le j \le 7$,
$\mathrm{SK}[16i + j] \leftarrow K[j - i \bmod 8]\ \delta[16i + j]$,
$\mathrm{SK}[16i + j + 8] \leftarrow K[(j - i \bmod 8) + 8]\ \delta[16i + j + 8]$,
where $\delta[0], \ldots, \delta[127]$ are public constants.
Let $X_{i-1} = (X_{i-1}[7], \ldots, X_{i-1}[0])$ and $X_i = (X_i[7], \ldots, X_i[0])$ be the input and output of the round $i - 1$ for $1 \le i \le 32$, respectively, where 'round $i$' denotes the $(i + 1)$-th round (i.e. round 0 implies the first round).
The encryption procedure of HIGHT is as follows.
1. Initial Transformation:
$X_0[0] \leftarrow P[0]\ K[12]$; $X_0[2] \leftarrow P[2] \oplus K[13]$;
$X_0[4] \leftarrow P[4]\ K[14]$; $X_0[6] \leftarrow P[6] \oplus K[15]$;
$X_0[1] \leftarrow P[1]$; $X_0[3] \leftarrow P[3]$; $X_0[5] \leftarrow P[5]$; $X_0[7] \leftarrow P[7]$.
2. Round Iteration for $1 \le i \le 32$:
$X_i[0] \leftarrow X_{i-1}[7] \oplus (F_0(X_{i-1}[6])\ \mathrm{SK}[4i - 1])$;
$X_i[2] \leftarrow X_{i-1}[1]\ (F_1(X_{i-1}[0]) \oplus \mathrm{SK}[4i - 2])$;
$X_i[4] \leftarrow X_{i-1}[3] \oplus (F_0(X_{i-1}[2])\ \mathrm{SK}[4i - 3])$;
$X_i[6] \leftarrow X_{i-1}[5]\ (F_1(X_{i-1}[4]) \oplus \mathrm{SK}[4i - 4])$;
$X_i[1] \leftarrow X_{i-1}[0]$; $X_i[3] \leftarrow X_{i-1}[2]$; $X_i[5] \leftarrow X_{i-1}[4]$; $X_i[7] \leftarrow X_{i-1}[6]$,
where bijective linear functions $F_0$ and $F_1$ are defined by
$F_0(x) = x \ll 1 \oplus x \ll 2 \oplus x \ll 7$,
$F_1(x) = x \ll 3 \oplus x \ll 4 \oplus x \ll 6$.
3. Final Transformation:
$C[0] \leftarrow X_{32}[1]\ K[0]$; $C[2] \leftarrow X_{32}[3] \oplus K[1]$;
$C[4] \leftarrow X_{32}[5]\ K[2]$; $C[6] \leftarrow X_{32}[7] \oplus K[3]$;
$C[1] \leftarrow X_{32}[2]$; $C[3] \leftarrow X_{32}[4]$; $C[5] \leftarrow X_{32}[6]$; $C[7] \leftarrow X_{32}[0]$.
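The encryption procedure above as runnable Python, an added example that is not part of the original text. It goes beyond the page by also giving the inverse (decryption), so the round structure can be checked by a round trip. Assumptions not on the page: the operator left blank in the formulas is addition modulo 2^8, ≪ is an 8-bit left rotation, and δ is the LFSR sequence of the published HIGHT specification.

```python
# Added example. Assumptions: the blank operator in the page's formulas is
# addition mod 2^8; "≪" is an 8-bit left rotation (a plain shift would not be
# bijective); delta[] is the LFSR sequence of the published HIGHT spec.
M = 0xFF
def rol(x, s):
    return ((x << s) | (x >> (8 - s))) & M
def F0(x): return rol(x, 1) ^ rol(x, 2) ^ rol(x, 7)
def F1(x): return rol(x, 3) ^ rol(x, 4) ^ rol(x, 6)

def deltas():
    s = [0, 1, 0, 1, 1, 0, 1]             # LFSR state bits, delta[0] = 0x5A
    for i in range(1, 128):
        s.append(s[i + 2] ^ s[i - 1])      # s[i+6] = s[i+2] xor s[i-1]
    return [sum(s[i + b] << b for b in range(7)) for i in range(128)]

def subkeys(K):
    d, SK = deltas(), [0] * 128
    for i in range(8):
        for j in range(8):
            SK[16*i + j] = (K[(j - i) % 8] + d[16*i + j]) & M
            SK[16*i + j + 8] = (K[(j - i) % 8 + 8] + d[16*i + j + 8]) & M
    return SK

def encrypt(P, K):
    SK = subkeys(K)
    X = [(P[0] + K[12]) & M, P[1], P[2] ^ K[13], P[3],     # initial transformation
         (P[4] + K[14]) & M, P[5], P[6] ^ K[15], P[7]]
    for i in range(1, 33):                                  # rounds 1..32
        X = [X[7] ^ ((F0(X[6]) + SK[4*i - 1]) & M), X[0],
             (X[1] + (F1(X[0]) ^ SK[4*i - 2])) & M, X[2],
             X[3] ^ ((F0(X[2]) + SK[4*i - 3]) & M), X[4],
             (X[5] + (F1(X[4]) ^ SK[4*i - 4])) & M, X[6]]
    return [(X[1] + K[0]) & M, X[2], X[3] ^ K[1], X[4],    # final transformation
            (X[5] + K[2]) & M, X[6], X[7] ^ K[3], X[0]]

def decrypt(C, K):
    SK = subkeys(K)
    X = [C[7], (C[0] - K[0]) & M, C[1], C[2] ^ K[1],       # undo final transformation
         C[3], (C[4] - K[2]) & M, C[5], C[6] ^ K[3]]
    for i in range(32, 0, -1):
        a, b, c, d = X[1], X[3], X[5], X[7]                # X_{i-1}[0], [2], [4], [6]
        X = [a, (X[2] - (F1(a) ^ SK[4*i - 2])) & M,
             b, X[4] ^ ((F0(b) + SK[4*i - 3]) & M),
             c, (X[6] - (F1(c) ^ SK[4*i - 4])) & M,
             d, X[0] ^ ((F0(d) + SK[4*i - 1]) & M)]
    return [(X[0] - K[12]) & M, X[1], X[2] ^ K[13], X[3],  # undo initial transformation
            (X[4] - K[14]) & M, X[5], X[6] ^ K[15], X[7]]

# Constructed sample input: KEY[n] is K[n], PT[n] is P[n].
KEY, PT = list(range(16)), [0x10 * n for n in range(8)]
```

Lists are indexed by byte number, so `KEY[12]` is the page's K[12] and the returned list holds C[0] through C[7] in that order.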