Related-Key Attack on the Full HIGHT - Information Security and Cryptology-ICISC 2010

Cryptography Reference

In-Depth Information

From the arguments in Section 3.1, when we take ( Δ + K [ j 1 ] ,Δ + K [ j 2 ] ,Δ + K [ j 3 ])

), the 12-round related-key differential trail is valid only for a

quarter of the whole key space and its probability is lower bounded by 2 − 18 . 83008 .

0x10

0x68

0x10

4 Related-Key Rectangle Distinguisher for 24 Rounds of

HIGHT

4.1

Related-Key Rectangle Distinguisher

with an arbitrary key K can be represented by a composition of two sub-ciphers

E 0 K

A rectangle distinguisher assumes that a block cipher E K

{

0 , 1

}

→{

0 , 1

}

E 0 K ,where n is the bit-length of block. Our

approach to construct a related-key rectangle distinguisher is somewhat different

from previous works in the point that we use xor-difference for plaintexts or

ciphertexts and add-difference for keys.

Assume that we have two related-key differentials for E 0and E 1withthe

following probabilities

and E 1 K , i.e. E K

= E 1 K ◦

p =Pr[ E 0 K ( P )

⊕

E 0 K Δ + K ( P

⊕

ΔP )= ΔY ] ,

(1)

q =Pr[ E 1 K ( Y )

⊕

E 1 K ∇ + K ( Y

⊕∇

Y )=

∇

C ] .

(2)

We consider four encryption oracles with 4 related keys denoted by E K 1 , E K 2 ,

E K 3 ,and E K 4 and the relations between keys are as follows,

Δ + K,

K 2= K 1

K 4= K 3

+ K,

+ K.

K 3= K 1

∇

K 4= K 2

∇

For a plaintext quartet ( P 1 ,P 2 ,P 3 ,P 4 ) such that P 1 ⊕

P 2 = P 3 ⊕

P 4 = ΔP ,

let Y i = E 0 Ki ( P i )and C i = E Ki ( P i )= E 1 Ki ( Y i )for1

≤

4. If the event

Y 1 ⊕

Y 2 = Y 3 ⊕

Y 4 = ΔY and the event Y 1 ⊕

Y 3 =

∇

Y occur, we obtain

Y 2 ⊕ Y 4 = ∇Y because

Y 2 ⊕ Y 4 =( Y 2 ⊕ Y 1 )

⊕

( Y 1 ⊕ Y 3 )

⊕

( Y 3 ⊕ Y 4 )

= ΔY

⊕∇

⊕

ΔY =

∇

Therefore, for a randomly chosen plaintext quartet ( P 1 ,P 2 ,P 3 ,P 4 ) such that

P 1 ⊕

P 2 = P 3 ⊕

P 4 = ΔP ,wehave C 1 ⊕

C 3 = C 2 ⊕

C 4 =

∇

C with the probability

p 2

2 −n

q 2 , from (1) and (2). If there exist more than two values for ΔY and

∇

Y , the probability is amplified to

p 2 =

ΔY

q 2 =

∇Y

p 2

2 −n

q 2 ,

p 2

q 2 .

where

and

(3)

Our attack assumes more than two values for ΔP so our probability calculation

in the next section would be slightly differ from (3).

Information Security and Cryptology-ICISC 2010

Search WWH ::

Custom Search

Home