# The improved 32nd-order differential attack on 8 rounds of MISTY2 without FL functions.

1 INTRODUCTIONRecently various cryptographic systems and subsystems have been proposed [1], [2], [3], [4], [5]. Among them, MISTY2 is a 64-bit block cipher with a 128-bit secret key designed by Matsui of Mitsubishi Electric Corp. in 1996 [6]. The designer recommends using 12 rounds of FO function and 14 sets of FL function. Because FL is a linear function as far as a secret key is fixed, FL does not determine provable security against a differential attack and a linear attack. On the other hand FO determines the security because it is a nonlinear function. Therefore we analyze the security against a higher-order differential attack [7] on MISTY2 without FLs.

Table 1 shows data complexity and computational complexity of a higher-order differential attack on MISTY2 without FLs. Sugita reported a 5-round attack with the 7th-order differential, [2.sup.7] blocks of chosen plain text, and [2.sup.39] times of FO operation [8]. We previously reported a 7-round attack with 7th-order differential, [2.sup.11] blocks of chosen plain text, and [2.sup.83] times of FO operation [9]. This time we found the new characteristics of MISTY2 without FLs, which is that the 32nd-order differential of the upper 23 bits out of the 32-bit input to [FO.sub.8] function becomes zero. We show a simple 8-round attack with the 32nd-order differential we found, [2.sup.35] blocks of chosen plain text, and [2.sup.81.4] times of FO operation. This is the first 8round attack on MISTY2. Moreover we reduce the number of times of FO operation required for the attack by exploiting a modulo 2 occurrence distribution (MOD), which is derived by a partial sum technique proposed by Ferguson et al. We apply this distribution to the intermediate data of encryption function, and show that the number of times of FO operation can be reduced to [2.sup.57.4]

2 EIGHT ROUNDS OF MISTY2 WITHOUT FLS

In this section we show the 8-rounds data-mixing part of MISTY2 without FLs, and show its components [FO.sub.i], and [FI.sub.ij] (i = 1, 2, ... 7, 8. j = 1, 2, 3). Next we study the equivalent modification of [FI.sub.ij] for reducing computational complexity of an attack.

2.1 Data-Mixing Part of MISTY2 without FLs

Fig. 1 shows 8-round data-mixing part of MISTY2 without FLs. Both an input plain text P and an output cipher text C are 64 bits. [P.sub.L] and [P.sub.R] are the upper and the lower 32 bits of P, respectively. CL and CR are the upper and the lower 32 bits of C, respectively. P = [P.sub.L] [parallel] [P.sub.R], C = [C.sub.L] [parallel] [C.sub.R] where the symbol "[parallel]" denotes concatenation of two data. MISTY2 consists of XOR ([direct sum]) and [FO.sub.i]. We call the component with 64-bit input/output (I/O) including one [FO.sub.i], and the following XOR "round."

Fig. 2 shows [FO.sub.i], (i = 1, 2, ..., 8). Both an input data and an output data are 32 bits. It consists of XOR and [FI.sub.ij] (i = 1, 2, ..., 8.j = 1, 2, 3). [KO.sub.ij] (i = 1, 2, ..., 8.j = 1, 2, 3, 4) represents a 16-bit extended key.

Fig. 3 shows [FI.sub.ij] (i = 1, 2, ..., 8.j = 1, 2, 3). Both an input and an output are 16 bits. It consists of XOR and two kinds of S-boxes [S.sub.9] and [S.sub.7]. [S.sub.9] represents an S-box with 9-bit I/O, and [S.sub.7] represents an S-box with 7-bit I/O. [KI.sub.ij1] and [KI.sub.ij2] represent a 7-bit and a 9-bit extended key, respectively.

2.2 Equivalent Modification

We study the equivalent modification of [FI.sub.8j] to reduce the total number of bits of the extended keys attacker has to analyze, which reduces the computational complexity of an attack.

Since XOR operators of the extended key can be freely moved unless they jump over S-boxes in Fig. 2 and 3, we move them in order to integrate as many extended as possible. We call such a modified [FI.sub.8j] an equivalent [FI.sub.8j] shown in Fig. 4. [Kl'.sub.8jk] (j = 2, 3. k = 1, 2, 3) is called an equivalent key that is an integration of some extended keys given

by

[ki.sub.821]' = [KI.sub.822] (1)

[KI.sub.822] = [([KI.sub.822]).sup.R7] [direct sum] [KI.sub.821], [direct sum] [([KO.sub.83] [direct sum] [KO.sub.84]).sup.L7], (2)

[KI'.sub.823] = (00[parallel][([KO.sub.83] [direct sum] [KO.sub.84]).sup.L7]) [direct sum] [([KO.sub.83] [direct sum] [KO.sub.84]).sup.R9], (3)

[KI'.sub.831] = [KI.sub.832] (4)

[KI'.sub.832] = [([KI.sub.832]).sup.R7] [direct sum] [KI.sub.831] [direct sum] [([KO.sub.84]).sup.L7], (5)

[KI'.sub.833] =(00 [parallel] [([KO.sub.84]).sup.L7]) [direct sum] [([KO.sub.84]).sup.R9]. (6)

[(x).sup.Li] denotes the upper i bits of data x. [(x).sup.Ri] denotes the lower i bits of data x. For example, the first term of the right side of (6) is 9-bit data, whose upper 2 bits are 00 and the lower 7 bits are the upper 7 bits of [KO.sub.84]. Because [KO.sub.83] and [KO.sub.84] in Fig. 2 are integrated into [KI.sub.822]', [KI'.sub.823], [KI'.sub.832], and [KI'.sub.833], they are removed from Fig. 2.

The total number of bits of extended keys is 64 as shown in the right side of (1)--(6); [KI.sub.822], [KI.sub.823], [KI.sub.832], [KI.sub.833], [KO.sub.83], [KO.sub.84] before the equivalent modification. On the other hand, the total number of bits of equivalent keys is 50 as shown in the left side of (1)--(6) after the modification. It is reduced by 14 bits. Note that the characteristics of [FI.sub.8j] do not change by the equivalent modification. For the rest of this article we study a higher-order differential attack by focusing on the equivalent [FI.sub.8j] and the equivalent keys.

3 HIGHER-ORDER DIFFERENTIAL

In this section, we describe the definition of higher-order differential and some of its properties [7] related to this article, and we describe an attack equation using these properties. Next we show the new 32nd-order differential characteristics of MISTY2 we found, and describe the attack equation using the found characteristics

3.1 Definition, Property, and Attack Equation

Fig. 5 shows a block diagram of an encryption process. [E.sub.1] and [E.sub.2] represent components of an encryption process. [K.sub.1] [member of] GF[(2).sup.p] and [K.sub.2] [member of] GF[(2).sup.q] represent p bits and q bits of the extended keys used in [E.sub.1] and [E.sub.2], respectively. P = ([p.sub.1], [p.sub.2], ..., [p.sub.n]) and [DELTA]P [member of] GF[(2).sup.n] represent n bits of input plain text and input difference, respectively. H [member of] GF[(2).sup.m] represents m bits of the output of [E.sub.1] C(P [direct sum] [DELTA]P) [member of] GF[(2).sup.l] represents l bits of the output cipher text corresponding to P [direct sum] [DELTA]P. We assume [V.sup.(i)] as an ith-order subspace of GF[(2).sup.n] consisting of i sets of linear independent vector in GF[(2).sup.n] (i [less than or equal to] n), and call it an input differential. The ith-order differential of [E.sub.1](P; [K.sub.1]) with respect to [V.sup.(i)] is defined by [[DELTA].sup.(i)] [E.sub.1](P; [K.sub.1]) as follows

[A.sub.(i)] [E.sub.1](P; [K.sub.1]) [equivalent to] [[summation over [DELTA]P[member of][V.sup.(i)]].sup.[direct sum][E.sub.1](P[direct sum][DELTA]P; [K.sub.1]). (7)

[[summation].sup.[direct] sum]denotes a summation in XOR. If the algebraic degree of [E.sub.1](P; [K.sub.1]) with respect to P is N ([less than or equal to] n), the (N + 1)th-order differential of [E.sub.1](P; [K.sub.1]) becomes zero regardless of P and [K.sub.1] as follows

[[DELTA].sup.(N + 1)] [E.sub.1](P; [K.sub.1]) = 0. (8)

Moreover, if Boolean polynomial of [E.sub.1](P; [K.sub.1]) does not include the jth-order term of [p.sub.t] (1 [less than or equal to] t [less than or equal to] n), jth-order differential of [E.sub.1](P; [K.sub.1]) with respect to [V.sup.(j)], which corresponds to the jth-order term of [p.sub.t], becomes zero regardless of P and [K.sub.1] as follows

[[DELTA].sup.(j)] [E.sub.1](P; [K.sub.1]) = 0. (9)

Since [E.sub.1](P; [K.sub.1]) = [E.sup.-1.sup.2](C(P); [K.sub.2]), which is the inverse function of [E.sub.2], (8) and (9) can be rewritten as

[[DELTA].sup.(N + 1)] [E.sub.2.sup.-1](C(P); [K.sub.2) [equivalent to] [[summation over [DELTA]P[member of][V.sup.(N + 1)]].sup.[direct sum]] [E.sup.-1.sub.2](C(P[direct sum][DELTA]P); [K.sub.2]) = 0 (10)

and

[[DELTA].sup.(J)] [E.sup.-1.sub.2](C(P); [K.sub.2]) = 0. (11)

(10) or (11) is always correct if [K.sub.2] is correct, while they are stochastically correct if [K.sub.2] is incorrect. This is why attacker can estimate [K.sub.2] and can check the correctness of [K.sub.2] by (10) or (11). The incorrect [K.sub.2] can be eliminated by solving some sets of (10) or (11) whose plain texts P are different from each other. Actually, attacker has to solve at least [??]q/m[??] different sets of (10) or (11). Such attack using (10) or (11) is called a higher-order differential attack, and (10) and (11) are called attack equations.

3.2 The 32nd-Order Differential Characteristics and Attack Equation of MISTY2 without FLs

In this subsection, we describe the higher-order differential characteristics of MISTY2 without FLs and the attack equation exploiting the characteristics.

We show the two higher-order differential characteristics in Fig. 1. One has been known previously [9], and the other is found in this time. Previously, the 7th-order differential is put into the lower 7 bits of plain text P, while the remaining 57 bits are arbitrary constants. Namely, all [2.sup.7] kinds of data from 0x00 to 0x7f are put into the lower 7 bits where the symbol "0x" represents that its following value is hexadecimal. In this case it has been known that the 7th-order differential of the lower 7 bits out of 32 bits becomes 0x6d at the point G in Fig. 1. This time, we put the 32nd-order differential into the upper 32 bits of plain text, while the lower 32 bits are arbitrary constants. Then we experimentally found the characteristic, which is that the 32nd-order differential of the upper 23 bits out of 32 bits becomes zero at the point H in Fig. 1. By exploiting the characteristics we can derive the following equation corresponding to (10) or (11), and then can analyze the equivalent key KV8jk used in the equivalent [FO.sub.8].

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (12)

([C.sub.L] [parallel] [C.sub.r]) = C(P[direct sum][DELTA]P) (13)

where [FO.sub.8.sup.-1] represents an inverse function of [FO.sub.8]. Attacker has to analyze total 75 bits of equivalent keys used in [FI.sub.8j] and compute the 32nd-order differential at the points [H.sub.1] and [H.sub.2] in Fig. 2 to solve (12) because of H = ([H.sub.1][parallel][H.sub.2]). On the other hand, attacker only has to analyze 50 bits of equivalent keys used in [FI.sub.82] and [FI.sub.83] and compute the 32nd-order differential at the point [H.sub.2] if we focus on the lower 7 bits of (12), which is given by

[[summation over [DELTA]P[member of][V.sup.(32)]].sup.[direct sum]][{[FI.sup.-1.sub.82](I[direct sum][x.sub.3]; [KI'.sub.82k]}.sup.L7] = 0 (14)

where

I = [FI.sup.-1.sub.83][([x.sub.3] [direct sum] ([C.sub.L][direct sum][C.sub.R]).sup.R16]; [KI'.sub.83k]), [X.sub.3] = [([C.sub.L] [direct sum][C.sub.R]).sup.L16]. (15)

[FI.sub.82.sup.-1] and [FI.sub.83.sup.-1] represent inverse functions of [FI.sub.82] and [FI.sub.83], respectively. The variable I in (15) corresponds to data I in Fig. 2. We intend to solve (14) and (15) in the next section.

4 COST ESTIMATION OF THE ATTACK

In this section we estimate the number of blocks of chosen plain text and the number of times of FO operation required to solve (14) by an exhaustive search.

Because (14) is 7 sets of Boolean equation, it is satisfied with probability [2.sup.-7] even if an estimated key is false. There are [2.sup.50] candidates of the key since its total bit size is 50. Therefore attacker needs to solve 8 sets of (14) with different P in order to identify the true key where the probability that a false key survives is [2.sup.-6] (= [([2.sup.-7]).sup.8] x [2.sup.50]). Because attacker has to compute the 32nd-order differential to prepare one set of (14), the number of blocks of chosen plain text to prepare 8 different sets of (14) is given by D as follows:

D = 8 x [2.sup.32] = [2.sup.35]. (16)

Next we study the number of times of [FO.sub.i] operation required to solve 8 different sets of (14). If attacker solves the first set of (14) for all [2.sup.50] candidates of the key, the number of candidates is reduced to [2.sup.43] (= [2.sup.50] x [2.sup.-7]). And then he solves the second set of (14) for the remaining [2.sup.43] candidates. Its number is reduced to [2.sup.36] (= [2.sup.43] x [2.sup.-7]). By solving 8 different set of (14), the last remaining key will be the true key. (14) includes two functions ([FI.sub.82.sup.-1] and [FI.sub.83.sup.-1]). It is natural to assume that the computational complexity of [FI.sub.82.sup.-1] and [FI.sub.83.sup.-1] is equal to that of [FI.sub.ij]. [FO.sub.i] includes three sets of [FI.sub.ij]. Therefore the total number of times of [[summation].sup.[directsum]] operation in (14) times 2/3 corresponds to the total number of times of [FO.sub.i], operation (T) required for this attack as follows:

T = [2.sup.50] x [2.sup.32] x [7.summation over (i = 0)][2.sup.-7i] x 2/3 [approximately equal to] [2.sup.81.4] (17)

5 COMPLEXITY REDUCTION BY EXPLOITING A MOLULO 2 OCCURRENCE DISTRIBUTION

In this section, we show that the computational complexity of (14) can be reduced by exploiting a modulo 2 occurrence distribution (MOD) for intermediate data of (14), which is sequentially derived by using a partial sum technique proposed by Ferguson et al. [10]. The advantage of using MOD is as follows. Even number of times of XOR operations of a certain variable x is zero, while odd number of times of them is x. Therefore even number of XOR operations of x becomes unnecessary, and odd number of them can be substituted with x by using MOD.

Next we show the algorithm to reduce the complexity of (14). Fig. 6 shows the output part of [FO.sub.8]. [X.sub.1], [X.sub.4], [X.sub.7], [X.sub.3L], [X.sub.8L], [X.sub.9R], [x.sub.10], [x.sub.11], and [x.sub.14] denote 9 bits of intermediate data. [X.sub.2], [X.sub.5], [X.sub.3r], [X.sub.8r], [X.sub.9l], and [X.sub.12] denote 7 bits of intermediate data. [X.sub.3] and [X.sub.8] denote 16 bits of intermediate data where [x.sub.8] = [x.sub.8L] [parallel] [x.sub.8R] = [x.sub.9L] [parallel] [x.sub.9R]. By using the intermediate data X, in Fig. 6, (14) can be rewritten as

[[sumamtion over [DELTA]P[member of][V.sup.(32)]].sup.[direct sum]][{[FI.sup.-1.sub.82](I[direct sum][x.sub.3]; [KI'.sub.82k])}.sup.L7] = [[summation over [DELTA]P[member of][V.sup.(32)]].sup.[direct sum]][{[S.sup.- 1.sub.9]([x.sub.14][direct sum][KI'.sub.821]}.sup.L7] = 0 (18)

[x.sub.14] = [x.sub.11][direct sum][S.sup.-1.sub.7]([x.sub.12] [direct sum] [KI'.sub.822]), (19)

[x.sub.12] = [([x.sub.11][direct sum][x.sub.9L]).sup.R7], (20)

[x.sub.11] = [S.sup-1.sub.9]([x.sub.10][direct sum][KI'.sub.823]), (21)

[x.sub.10] = [x.sub.9L] [direct sum] [x.sub.9R], (22)

[x.sub.9L] [parallel] [x.sub.9R] = [x.sub.8L] [parallel] [x.sub.8R], (23)

[x.sub.9L] = [([x.sub.8L]).sup.L7], [x.sub.9R] = [([x.sub.8L]).sup.R2] [parallel] [x.sub.8R], (24)

[x.sub.8L] = [x.sub.3L] [direct sum] [S.sup.-1.sub.9]([x.sub.7][direct sum][KI'.sub.831]), (25)

[x.sub.8R] = [x.sub.3R][direct sum][S.sup.-1.sub.7]([x.sub.5][direct sum][KI'.sub.832]), (26)

[x.sub.7] = [x.sub.4] [direct sum][S.sup.-1.sub.7] ([x.sub.5][direct sum] [KI'.sub.832]), (27)

[x.sub.5] = [([x.sub.4][direct sum][x.sub.2]).sup.R7], (28)

[x.sub.4] = [S.sup.-1.sub.9]([x.sub.1] [direct sum] [KI'.sub.833]), (29)

[x.sub.3L] [parallel] [x.sub.3R] = [x.sub.3], (30)

[x.sub.1] = [x.sub.2] [direct sum] [x.sub.0], (31)

[x.sub.2] [parallel] [x.sub.0] = [x.sub.3] [direct sum]v, (32)

[x.sub.3] [parallel] v = [C.sub.L][direct sum][C.sub.R]. (33)

Our attack algorithm to operate (13), (33) to (18) in the inverse order is as follows.

Attack Algorithm

1. Make MOD of total 32-bit data [x.sub.1], [x.sub.2], [X.sub.3L], and [X.sub.3R] (referred to as MOD1) from [2.sup.32] blocks of cipher text C(P[direct sum][DELTA]P) via (13), (33), (32), (31), and (30). The maximum and the average number of the elements of MOD1 are [2.sup.32] and [2.sub.31], respectively.

2. Guess [KI'.sub.833], and make MOD of total 32-bit data [x.sub.4], [x.sub.5], [x.sub.3L], and [x.sub.3R] (MOD2) from MOD1 via (29) and (28) with at most [2.sup.32] times and the average [2.sup.31] times of [S.sub.9.sup.-1] operation. The maximum and the average number of the elements of MOD2 are [2.sup.32] and [2.sup.31], respectively.

3. Guess [KI'.sub.832], and make MOD of total 25-bit data [x.sub.7], [x.sub.8R], and [x.sub.3L] (MOD3) from MOD2 via (27) and (26) with at most [2.sup.32] times and the average 231 times of [S.sub.7.sup.-1] operation. The maximum and the average number of the elements of MOD3 are 225 and [2.sup.24], respectively.

4. Guess [KI'.sub.831], and make MOD of total 16-bit data [x.sub.10] and [x.sub.9L] (MOD4) from MOD3 via (25), (24), (23), and (22) with at most [2.sup.25] times and the average [2.sup.24] times of [S.sub.9.sup.-1] operation. The maximum and the average number of the elements of MOD4 are [2.sup.16] and [2.sup.15], respectively.

5. Guess [KI'.sub.823], and make MOD of total 16-bit data [x.sup.11] and [x.sup.12] (MOD5) from MOD4 via (21) and (20) with at most [2.sup.16] times and the average [2.sup.15] times of [S.sub.9.sup.-1] operation. The maximum and the average number of the elements of MOD5 are [2.sup.16] and [2.sup.15], respectively.

6. Guess [KI'.sub.822], and make MOD of 9-bit data [x.sup.14] (MOD6) from MOD5 via (19) with at most [2.sup.16] times and the average [2.sup.15] times of [S.sub.7.sup.-1] operation. The maximum and the average number of the elements of MOD6 are [2.sup.9] and [2.sup.8], respectively.

7. Guess [KI'.sub.821], and compute (18) from MOD6 with at most [2.sup.9] times and the average [2.sup.8] times of [S.sub.9.sup.-1] operation, and confirm the authenticity of the guessed six keys [KI.sub.833]', [KI.sub.832]', [KI.sub.831]', [KI.sub.823]', [KI.sub.822]', [KI.sub.821] by (18).

We execute Step 1 one time. Steps 2, 3, ..., 7 are executed by using a nested structure of loop iterations. Step 2 is the outermost loop, and step 7 is the innermost loop. We apply this algorithm for all the candidate keys, and confirm its authenticity by (18) as described in the previous section. The maximum number ([T.sub.max]) and the average number ([T.sub.av]) of times of [S.sup.-1.sub.i] operation for our attack algorithm are given by

[T.sub.max] = [7.summation over (i=0)] [T.sub.2] [approximately equal to] [2.sup.60.6], (34)

[T.sub.2] = [2.sup.9] ([2.sup.32] + [T.sub.3]), [T.sub.3] = [2.sup.7]([2.sup.32] + [T.sub.4]), (35)

[T.sub.4] = [2.sup.9] ([2.sup.25] + [T.sub.5]), [T.sub.5] = [2.sup.9]([2.sup.16] + [T.sub.6]), (36)

[T.sub.6] = [2.sup.7] ([2.sup.16] + [T.sub.7]), [T.sub.7] = [2.sup.9] x [2.sup.9] x [2.sub.-7i], (37)

and

[T.sub.av] = [7.summation over (i=0)] [T'.sub.2] [approximately equal to] [2.sup.59.6], (38)

[T'.sub.2] = [2.sup.9]([2.sup.31] + [T'.sub.3]), [T'.sub.3] = [2.sup.7] ([2.sup.31] + [T'.sub.4]), (39)

[T'.sub.4] = [2.sup.9]([2.sup.24] + [T'.sub.5]), [T'.sub.5] = [2.sup.9] ([2.sup.15] + [T'.sub.6]), (40)

[T'.sub.6] = [2.sup.7]([2.sup.15] + [T'.sub.7]), [T'.sub.7] = [2.sup.9] x [2.sup.8] x [2.sup.-7i]. (41)

It is natural to assume that the computational complexity of [S.sup.-1.sub.i] is equivalent to that of [S.sub.i]. [T.sub.i] and [T'.sup.i] are correspond to the computational complexity of the nested structure of steps i to 7 (i = 2, 3, ..., 7). Because [FO.sub.i] = 1, 2, 8) includes 9 sets of S (i = 7, 9), the maximum number ([T.sub.max]') and the average number ([T.sub.av]') of times of [FO.sub.i], operation are given by

[T'.sub.max] = [T.sub.max]/9 [approximately equal to] [2.sup.57.4], [T.sub.av]' = [T.sub.av]/9 [approximately equal to] [2.sup.56.4] (42)

In the previous section, attacker requires [2.sup.35] blocks of chosen plain text and [2.sup.81.4] times of [FO.sub.i] operation. This attack algorithm has reduced the number of times of [FO.sub.i] operation to up to [1/2.sup.25]. Note that the number of blocks of chosen plain text required for this attack is [2.sup.35].

6 CONCLUSIONS

We have study the 32nd-order differential attack on 8 rounds of MISTY2 without FL functions. We found the new 32nd-order differential characteristic of MISTY2 without FL functions. Using the characteristics and MOD, we showed that 8 rounds of MISTY2 without FL functions can be attacked with [2.sup.35] blocks of chosen plain text and [2.sup.57.4]. times of FO operation.

REFERENCES

[1.] Dey, S.: An Image Encryption Method: SD-Advanced Image Encryption Standard: SDAIES. In: International Journal of Cyber-Security and Digital Forensics, vol. 1, no. 2, pp. 82-88, The Society of Digital Information and Wireless Communications, (2013).

[2.] Dey, S.: Amalgamation of Cyclic Bit Operation in SD-EI Image Encryption Method: An Advanced Version of SD-EI Method: SD-EI VER-2, In: International Journal of Cyber-Security and Digital Forensics, vol. 1, no. 3, pp. 221-225, The Society of Digital Information and Wireless Communications, (2013).

[3.] Sulaiman, S., Muda, Z., Juremi, J., Mahmod, R., Yasin, S. Md.: A New Shift column Transformation: An Enhancement of Rijndael Key Scheduling, In: International Journal of Cyber-Security and Digital Forensics, vol. 1, no. 3, pp. 160-166, The Society of Digital Information and Wireless Communications, (2013).

[4.] Juremi, J., Mahmod, R., Sulaiman, S., Ramli, J.: Enhancing Advanced Encryption Standard S-box Generation Based on Round Key, In: International Journal of Cyber-Security and Digital Forensics, vol. 1, no. 3, pp. 183-188, The Society of Digital Information and Wireless Communications, (2013).

[5.] Abusukhon, A., Talib, M., Ottoum, I.: Secure Network Communication Based on Text-to-image Encryption, In: International Journal of Cyber-Security and Digital Forensics, vol. 1, no. 4, pp. 263-271, The Society of Digital Information and Wireless Communications, (2013).

[6.] Matsui, M.: New Block Encryption Algorithm MISTY. In: Lecture Notes in Computer Science, vol. 1267, pp. 54-68, Springer, (1997).

[7.] Lai, X.: Higher Order Derivatives and Differential Cryptanalysis. Communications and Cryptography, vol. 276, pp. 227-233, Springer, (1994).

[8.] Sugita, M.: Higher Order Differential Attack of Block Ciphers MISTY1, 2. In: IEICE Tech. Report, vol. 98, no. 48, pp. 31-40, (1998).

[9.] Hatano, Y., Tanaka, H., Kaneko, T.: Higher Order Differential Attack of MISTY2 without FL Functions. In: Proc. The International Conference on Fundamentals of Electronics, Communications and Computer Sciences, Sect. 17, pp. 6-10, (2002).

[10.] Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Lecture Notes in Computer Science, vol. 1978, pp. 136-141, Springer, (2001).

Yasutaka Igarashi (1), Toshinobu Kaneko (2), Yutaka Eguchi (1), Takahiro Murai (1), Ryutaro Sueyoshi (1), Yosuke Hashiguchi (1), Seiji Fukushima (1), Tomohiro Hachino (1)

(1) Kagoshima University 1-21-40 Korimoto, Kagoshima, 890-0065 Japan {igarashi, fukushima, hachino}@eee.kagoshima-u.ac.jp

(2) Tokyo University of Science 2641 Yamazaki, Noda, Chiba, 278-8510 Japan kaneko@ee.noda.tus.ac.jp

Table 1. Complexity of a higher-order differential attack on MISTY2 without FLs. '' * '' denotes this article. rd. order data # of times ref. 5 7 [2.sup.7] [2.sup.39] [8] 7 7 [2.sup.11] [2.sup.83] [9] 8 32 [2.sup.35] [2.sup.81.4] * 8 32 [2.sup.35] [2.sup.57.4] *

Printer friendly Cite/link Email Feedback | |

Author: | Igarashi, Yasutaka; Kaneko, Toshinobu; Eguchi, Yutaka; Murai, Takahiro; Sueyoshi, Ryutaro; Hashiguch |
---|---|

Publication: | International Journal of Cyber-Security and Digital Forensics |

Article Type: | Report |

Date: | Jul 1, 2013 |

Words: | 4522 |

Previous Article: | An authentication middleware for prevention of information theft. |

Next Article: | Assessing database and network threats in traditional and cloud computing. |

Topics: |