5 Related-Key Rectangle Attack for the Full Rounds of HIGHT
In this section, we describe the attack for the full rounds of HIGHT by using the
24-round related-key rectangle distinguisher explained in Section 4.1 for round
3 to round 26. However, note that the distinguisher is valid only for a quarter of
the key space. So, we apply a related-key rectangle attack for a quarter of the
key space and an exhaustive key search for the other part of the key space. The
outline of our attack is as follows.
1. Related-key rectangle attack: We denote by $K_1$ the set of the key quartets such that the 24-round related-key rectangle distinguisher in Section 4.1 is valid. Assuming that we are given a key quartet from $K_1$, we perform a related-key rectangle attack which consists of the following phases.
(a) Constructing the plaintext set: We construct the plaintext set $S$ for extracting the plaintext quartets required for the related-key rectangle distinguisher.
(b) Guessing and filtering: Let $Z_1$ be the key bits required to check whether a plaintext quartet from the plaintext set $S$ satisfies the input differences of the distinguisher. We guess a value $z_1$ for $Z_1$ and select the plaintext quartets from $S$ satisfying the input differences of the distinguisher with $z_1$. Then, we discard the quartets whose ciphertext differences do not match the output differences of the distinguisher.
(c) Counting and sorting: Let $Z_2$ be the key bits required to check whether a surviving quartet satisfies the output differences of the distinguisher. For each candidate $(z_1, z_2)$ for $(Z_1, Z_2)$, we count the number of quartets satisfying the output differences of the distinguisher and store it in the counter $t_{(z_1, z_2)}$. We sort the list of $(z_1, z_2)$ according to $t_{(z_1, z_2)}$.
(d) Searching with the list: We exhaustively search for the remaining key bits for candidates with remarkably high $t_{(z_1, z_2)}$ until a right key quartet is found. If no right key quartet is found, go to the (b) Guessing and filtering phase.
2. Exhaustive key searching: We denote the key space of HIGHT by $K$ and let $K_2 = K \setminus K_1$. Unless we find a right key quartet in $K_1$ in the way of the related-key rectangle attack phase, we try to search it exhaustively for $K_2$ in the way described in Appendix B.
5.1 Attack Procedure
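Let sets $D$, $E$, $F$, and $G$ be defined by

$$D = \{\, x \vee \mathtt{0x18} \mid \forall x \in GF(2^8) \,\},$$
$$E = \{\mathtt{0x00}, \mathtt{0x20}, \mathtt{0x40}, \mathtt{0x60}, \mathtt{0x80}, \mathtt{0xa0}, \mathtt{0xc0}, \mathtt{0xe0}\},$$
$$F = \{\mathtt{0x18}, \mathtt{0x28}, \mathtt{0x38}, \ldots, \mathtt{0xf8}\},$$
$$G = \{\mathtt{0x10}, \mathtt{0x30}, \mathtt{0x70}, \mathtt{0xf0}\}.$$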