TY - GEN

T1 - Low probability differentials and the cryptanalysis of full-round CLEFIA-128

AU - Emami, Sareh

AU - Ling, San

AU - Nikolić, Ivica

AU - Pieprzyk, Josef

AU - Wang, Huaxiong

PY - 2014

Y1 - 2014

N2 - So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential analysis. To achieve resistance, it is believed that for cipher with k-bit key it suffices the upper bound on the probability to be 2-k. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than 2-k. Our counter example is a related-key differential analysis of the well established block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than 2-128, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as 2-128. CLEFIA-128 has 214 such differentials, which translate to 214 pairs of weak keys. The probability of each differential is too low, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain an advantage of 27 over generic analysis. We exploit the advantage and give a membership test for the weak-key class and provide analysis of the hashing modes. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128. Our results do not threaten the practical use of CLEFIA.

AB - So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential analysis. To achieve resistance, it is believed that for cipher with k-bit key it suffices the upper bound on the probability to be 2-k. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than 2-k. Our counter example is a related-key differential analysis of the well established block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than 2-128, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as 2-128. CLEFIA-128 has 214 such differentials, which translate to 214 pairs of weak keys. The probability of each differential is too low, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain an advantage of 27 over generic analysis. We exploit the advantage and give a membership test for the weak-key class and provide analysis of the hashing modes. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128. Our results do not threaten the practical use of CLEFIA.

UR - http://www.scopus.com/inward/record.url?scp=84916618710&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-45611-8_8

DO - 10.1007/978-3-662-45611-8_8

M3 - Conference proceeding contribution

VL - 8873

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 141

EP - 157

BT - Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings, Part I

A2 - Sarkar, Palash

A2 - Iwata, Tetsu

PB - Springer, Springer Nature

CY - Heidelberg

ER -