Cryptography Reference
In-Depth Information
4.2
Related-Key Rectangle Distinguisher of HIGHT
Related-key differential trail for
E
0 is based on a trail introduced in [10,11] but
significantly modified to avoid the flaw explained in Appendix A and changed
into truncated differential to reduce the data complexity. Related-key differential
trail for
E
1 includes three local collisions as described in Section 3.1.
We define
E
0and
E
1 by partial rounds from round 3 to round 10.5 and
round 10.5 to round 26, respectively(0.5 round implies computation of 2 round
functions out of 4 round functions in a round). The input and output bytes to
E
0and
E
1 and corresponding differences are described in Table 2, where the
A
,
B
,and
C
are defined by sets of hexadecimal values as follows,
A
=
{
14
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
ec
}
,
1c
24
2c
34
3c
54
5c
64
6c
74
7c
d4
dc
e4
B
=
{
14
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
,
fc
}
,
1c
24
2c
34
3c
54
5c
64
6c
74
7c
d4
dc
e4
ec
f4
C
=
{
10
,
30
,
70
,
f0
}
.
Table 2.
Byte positions and differences of both inputs and outputs for distinguishers
of
E
0and
E
1
Pos-
itions
Input (
X
3
[7]
,X
3
[6]
,X
3
[5]
,X
3
[4]
,X
3
[3]
,X
3
[2]
,X
3
[1]
,X
3
[0])
Output (
X
12
[7]
,X
11
[5]
,X
10
[3]
,X
10
[2]
,X
11
[2]
,X
12
[2]
,X
13
[2]
,X
13
[1])
Input (
0x0
,
0x0
, A,
0x80
,
0x0
,
0x0
,
0x0
,
0x0
)
Output (
0x0
,
0x0
,
0x0
, B,
0x80
,
0x0
,
0x0
,
0x0
)
Δ
+
K
(
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x80
,
0x0
)
Differ-
ences
E
0
Pos-
itions
Input (
X
12
[7]
,X
11
[5]
,X
10
[3]
,X
10
[2]
,X
11
[2]
,X
12
[2]
,X
13
[2]
,X
13
[1])
Output (
X
27
[7]
,X
27
[6]
,X
27
[5]
,X
27
[4]
,X
27
[3]
,X
27
[2]
,X
27
[1]
,X
27
[0])
Input (
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
, C
)
Output (
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
)
∇
+
K
(
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x0
,
0x10
,
0x0
,
0x0
,
0x0
,
0x68
,
0x0
,
0x0
,
0x0
,
0x10
,
0x0
)
Differ-
ences
E
1
The related-key differential trails for
E
0and
E
1 are depicted in the the fol-
lowing fig. 5 in Appendix C.
Probability of Related-Key Differential Trail for
E
0.
Our attack begins
with gathering plaintext pairs which satisfy
ΔX
3
[5]
∈A
,
ΔX
3
[4] =
,and
0x80
ΔX
3
[0
,
1
,
2
,
3
,
6
,
7] =
,where
i
=0
,
1
, ...,
15.
The number of pairs such that
ΔX
3
[5] =
a
i
is same to the number of pairs such
that
ΔX
3
[5] =
a
j
.Let
a
i
denote each element in
A
0x0
15. Let
u
i
denote the probabilities that
ΔX
3
[5] =
a
i
and
ΔX
4
[6] = 0 for
i
=0
,
1
, ...,
15, then
for all 0
≤
i, j
≤
u
i
=Pr[
ΔX
4
[6] = 0
|
ΔX
3
[5] =
a
i
]
×
Pr[
ΔX
3
[5] =
a
i
]
,
Search WWH ::
Custom Search