Improved Integral Cryptanalysis of FOX Block Cipher 1

Transcription

1 Improved Integral Cryptanalyss of FOX Block Cpher 1 Wu Wenlng, Zhang Wentao, and Feng Dengguo State Key Laboratory of Informaton Securty, Insttute of Software, Chnese Academy of Scences, Bejng , P. R. Chna E-mal:{wwl}@s.scas.ac.cn Abstract. FOX s a new famly of block cphers presented recently, whch s based upon some results on proven securty and has hgh performances on varous platforms. In ths paper, we construct some dstngushers between 3-round FOX and a random permutaton of the blocks space. By usng ntegral attack and collson-searchng technques, the dstngushers are used to attack on 4, 5, 6 and 7-round of FOX64, 4 and 5-round FOX128. The attack s more effcent than prevous ntegral attack on FOX. The complexty of mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s on 4- round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7-round FOX64 respectvely. Therefore, 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192, 7-round FOX64/256 and 5-round FOX128/256 are not mmune to the attack n ths paper. Key words: Block cpher; FOX; Data complexty; Tme complexty; Integral Cryptanalyss. 1 Introducton FOX [1] s a new famly of block cphers, whch s the result of a jont project wth the company MedaCrypt [2] AG n Zurch, Swtzerland. Fox has two versons, both have a varable number rounds whch depends on keysze: the frst one FOX64/k/r has a 64-bt blocksze wth a varable key length whch s a multple of 8 and up to 256 bts. The second one FOX128/k/r uses a 128-bt blocksze wth the same possble key lengths. For FOX64 wth k=128 and FOX128 wth k=256, the desgners advse that round number are both 16. The hgh level of FOX adopts a modfed structure of La-Massey Scheme [3], whch can be proven to have good pseudorandomness propertes n the Luby-Rackoff paradgm and decorrelaton nhertance propertes proposed by Vaudenay [4]. The round functon of FOX uses SP S (Substtuton-Permutaton-Substtuton) structure 1 Supported partally by the Natonal Natural Scence Foundaton of Chna under Grant No ; the Natonal Basc Research 973 Program of Chna under Grant No.2004CB318004;and the Natonal Hgh-technque 863 Program of Chna under Grant No.2003AA14403

2 wth three layers of subkey addton, SP S structure has already been proven to have powerful ablty to resst dfferental and lnear cryptanalyss. The desgn ratonale of dffuson prmtves n FOX s presented n Ref.[5]. The key schedule of FOX s very complex compared wth other exstng block cphers, each subkey of FOX s related to the seed key and t s very dffcult to acqure nformaton about seed key or other subkeys from some certan subkeys. The complex key schedule, hgh-level structure wth provable securty and powerful round functon make FOX appear to be a strong block cpher. Snce FOX s a new cpher publshed last year, all we know about ts securty analyss are lmted to be the desgner s results and the ntegral cryptanalyss presented n Ref.[6]. The securty of FOX aganst dfferental and lnear cryptanalyss s easy to estmate for the good property of ts S-box, SPS transformaton and hgh level structures. The desgners also analyze the securty of FOX aganst dfferental-lnear cryptanalyss [7,8], boomerang [9] and rectangle attacks [10], truncated and hgher-order dfferentals [11], mpossble dfferentals [12],and parttonng cryptanalyss [13,14], algebrac attack [15,16], slde attack [17,18], and relatedcpher attacks [19]. Integral attack [20] s one of the most effectve attack method aganst AES, whch had been used to analyze the securty of other cphers [20,21]. It s ponted n Ref.[1] that ntegral attack has a complexty of 2 72 encryptons aganst 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64. The authors also clamed that ntegral attack has a complexty of encryptons aganst 4-round FOX128,and 5-round FOX128 s mmune to ntegral attack. In ths paper, we combne collson technque and ntegral attack to analyze the securty of FOX. The mproved ntegral attack on FOX s more effcent than known ntegral attack. The complexty of our mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s on 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7- round FOX64 respectvely. Ths paper s organzed as follows: Secton 2 brefly ntroduces the structure of FOX round dstngushers are presented n secton 3. In secton 4, we show how to use the 3-round dstngushers to attack 4 and 5 rounds of FOX128. In secton 5, we brefly ntroduce the attacks on 4,5,6 and 7 rounds of FOX64. and Secton 6 concludes the paper. 2 Descrpton of FOX The dfferent members of FOX famly are denoted as follows: Name Block sze Key sze Round number FOX FOX FOX64/k/r 64 k r FOX128/k/r 128 k r In FOX64/k/r and FOX128/k/r, the round number r must satsfy 12 r 255,

3 whle the key length k must satsfy 0 k 256, wth k multple of 8. Due to space lmtaton, we only ntroduce FOX128 brefly. Detals are shown n Ref.[1] 2.1 Round Functon f64 The round functon f64 conssts of three man parts: a substtuton part denoted sgma8, a dffuson part denoted MU8, and a round key addton part (see Fg.1). Formally, the -th round functon f64 takes a 64-bt nput X (64) = X 0(8) X 1(8) X 7(8), a 128-bt round key RK (128) = RK0 (64) RK1 (64) and returns Y (64) = Y 0(8) X 7(8) = sgma8(mu8(sgma8(x (64) RK0 (64))) RK1 (64)) RK0 (64). The mappng sgma8 conssts of 8 parallel computatons of a non-lnear bjectve mappng(see the table n Ref.[1]). MU8 consders an nput (Z 0(8) Z 7(8) ) as a vector (Z 0(8) Z 7(8) ) T over GF (2 8 ) and multply t wth a matrx to obtan an output vector of the same sze. The matrx s the followng: a 1 a b c d e f 1 a b c d e f 1 1 b c d e f 1 a 1 c d e f 1 a b 1 d e f 1 a b c 1 e f 1 a b c d 1 f 1 a b c d e 1 where a = α + 1, b = α 7 + α, c = α, d = α 2, e = α 7 + α 6 + α 5 + α 4 + α 3 + α 2 and f = α 6 + α 5 + α 4 + α 3 + α 2 + α. α s a root of the rreducble polynomal m(x) = x 8 + x 7 + x 6 + x 5 + x 4 + x Encrypton of FOX128 FOX128 s the 15-tmes teraton of round transformaton elmor128, followed by the applcaton of last round transformaton called elmd128. elmor128, llustrated n Fg.2, s bult as an Extended La-Massey scheme combned wth wth two orthomorphsms or. The -th round transformaton elmor128 transforms a 128-bt nput LL LR RL RR and a 128-bt round key RK (128) n a 128-bt output LL +1 LR+1 RL+1 RR+1. Let LL LR RL RR = X (64) = X0(8) X 1(8) X7(8)) and f64 (X(64), RK(128)) = φ L φ R. Then, LL +1 LR+1 RL+1 RR+1 = or(ll φ L) LR φ L or(rl φ R) RR φ R. The elmd128 functon s a slghtly modfed verson of elmor128, namely the two transformatons or are replaced by two dentty transformaton. The transformaton or s a functon takng a 32-bt nput X = X 0(16) X 1(16) and returnng a 32-bt output Y = Y 0(16) Y 1(16) whch s n fact a one-round Festel

4 X X X X X X X X 0(8) 1(8) 2(8) 3(8) 4(8) 5(8) 6(8) 7(8) RK0 (64) S S S S S S S S MU8 RK1 (64) S S S S S S S S RK0 (64) Y0(8) Y 1(8) Y 2(8) Y 3(8) Y 4(8) Y5(8) Y6(8) Y7(8) Fg. 1. The -th Round Functon of FOX128 LL LR RL RR f64 RK(128) or or 1 LL 1 LR RL 1 1 RR Fg. 2. The -th Round Transformaton elmor128

5 scheme wth the dentty functon as round functon; t s defned as Y 0(16) Y 1(16) = X 1(16) (X 0(16) X 1(16) ) The encrypton C 128 by FOX128 of a 128-bt plantext P 128 s defned as C 128 = elmd128(elmor128(... (elmor128(p 128, RK 1 (128)),..., RK 15 (128))RK 16 (128)) where RK 1 (128),..., RK 16 (128) are round subkeys produced by the key schedule algorthm out of the user key. In ths paper, subkeys are assumed to be ndependent of each other. So we omt the key schedule of FOX n ths paper. 3 3-Round Dstngushers Choose plantexts P (128) = LL 1 LR 1 RL 1 RR 1 as follows: LL 1 = LR 1 = c c c c, RL 1 = RR 1 = c c c x. where x take values n {0, 1} 8, c s a constant n {0, 1} 8. Thus, the nput of the frst round functon f64 1 s X 1 (64) = Let f64 1 ( ) = (a 0 a 1... a 7), where a (0 7) are entrely determned by round subkey RK 1 (128), so a (0 7) are constants when the user key s fxed. Then the output of the 1st round can be wrtten as follows: LL 2 = a 2 c a 3 c a 0 a 2 a 1 a 3, LR 2 = a 0 c a 1 c a 2 c a 3 c, RL 2 = a 6 c a 7 x a 4 a 6 a 5 a 7 x c, LR 2 = a 4 c a 5 c a 6 c a 7 x, Therefore, the nput of the 2nd round functon f64 2 s the followng: X 2 (64) = X0(8) X 2 2 1(8)... X7(8). 2 X 2 0(8) = a 0 a 2, X 2 4(8) = a 4 a 6, X 2 1(8) = a 1 a 3, X 2 5(8) = a 5 a 7 c x, X 2 2(8) = a 0 c, X 2 6(8) = a 4 c, X 2 3(8) = a 1 c, X 2 7(8) = a 5 c. Let f64 2 (X 2 (64)) = (y 0 y 1... y 7), then the output of the 2nd round can be wrtten as follows: LL 3 = y 2 a 0 a 2 y 3 a 1 a 3 y 0 y 2 a 0 c y 1 y 3 a 1 c, LR 3 = y 0 a 0 c y 1 a 1 c y 2 a 2 c y 3 a 3 c, RL 3 = y 6 a 4 a 6 y 7 a 5 a 7 c x y 4 y 6 a 4 c y 5 y 7 a 5 c, RR 2 = y 4 a 4 c y 5 a 5 c y 6 a 6 c y 7 a 7 x. So the nput of the 3rd round functon f64 3 s the followng: X 3 (64) = X 3 0(8) X 3 1(8)... X 3 7(8).

6 c c c c c c c c c c c x c c c x f a a a a a a a a or f64 2 a a a a a c a c a a a a c x a c a c y y y y y y y y or f64 3 y y a c y y a c y a a y a a y y a c y y a x y a a y x a a c or u u u u u u u u v v v v v v v v Fg Round Dstngushers of FOX128

7 X 3 0(8) = y 0 y 2 a 2 c, X 3 4(8) = y 4 y 6 a 6 c, X 3 1(8) = y 1 y 3 a 3 c, X 3 5(8) = y 5 y 7 a 7 x, X 3 2(8) = y 0 a 0 a 2, X 3 6(8) = y 4 a 4 a 6, X 3 3(8) = y 1 a 1 a 3, X 3 7(8) = y 5 x a 5 a 7. By observng the hgh-level structure of FOX128, we get or 1 (LL 4 ) LR 4 = X 3 0(8) X 3 1(8) X 3 2(8) X 3 3(8), or 1 (RL 4 ) RR 4 = X 3 4(8) X 3 5(8) X 3 6(8) X 3 7(8). From the defnton of or 1, we have or 1 (LL 4 ) = LL 4 0(8) LL 4 2(8) LL 4 1(8) LL 4 3(8) LL 4 0(8) LL 4 1(8), or 1 (RL 4 ) = RL 4 0(8) RL 4 2(8) RL 4 1(8) RL 4 3(8) RL 4 0(8) RL 4 1(8), Thus,we have the followng from the above equatons. Further we have the followng: LL 4 0(8) LL 4 2(8) LR 4 0(8) = y 0 y 2 a 2 c, LL 4 1(8) LL 4 3(8) LR 4 1(8) = y 1 y 3 a 3 c, LL 4 0(8) LR 4 2(8) = y 0 a 0 a 2, LL 4 1(8) LR 4 3(8) = y 1 a 1 a 3, RL 4 0(8) RL 4 2(8) RR 4 0(8) = y 4 y 6 a 6 c, RL 4 1(8) RL 4 3(8) RR 4 1(8) = y 5 y 7 a 7 x, RL 4 0(8) RR 4 2(8) = y 4 a 4 a 6, RL 4 1(8) RR 4 3(8) = y 5 x a 5 a 7. LL 4 2(8) LR 4 0(8) LR 4 2(8) = y 2 a 0 c, LL 4 3(8) LR 4 1(8) LR 4 3(8) = y 3 a 1 c, LL 4 0(8) LR 4 2(8) = y 0 a 0 a 2, LL 4 1(8) LR 4 3(8) = y 1 a 1 a 3, RL 4 2(8) RR 4 0(8) RR 4 2(8) = y 6 a 4 c, RL 4 3(8) RR 4 1(8) RR 4 3(8) = y 7 a 5, RL 4 0(8) RR 4 2(8) = y 4 a 4 a 6, Now we analyze the property of y (0 7). Let y = s(x a 5 a 7 c RK0 2 0(8)), then y = s(y b ) RK0 2 (8), here b (0 7) are entrely determned by a (0 7), c and RK 2 (128), so b (0 7) are constants when the user key s fxed. Because s s a permutaton, y = s(x a 5 a 7 c RK0 2 0(8)) dffers when x takes dfferent values and the user key s fxed. As a consequence, y = s(y b ) RK0 2 (8) wll have dfferent values when x takes dfferent values and the user key s fxed. Thus, from the above dscusson we know that LL 4 2(8) LR 4 0(8) LR 4 2(8), LL 4 3(8) LR 4 1(8) LR 4 3(8), LL 4 0(8) LR 4 2(8), LL 4 1(8) LR 4 3(8), RL 4 2(8) RR 4 0(8) RR 4 2(8), RL 4 3(8) RR 4 1(8) RR 4 3(8)

8 and RL 4 0(8) RR 4 2(8) each wll have dfferent values when x takes dfferent values. Therefore we get the followng theorem. Theorem 1. Let P (128) = LL 1 LR RL 1 1 RR 1 and P (128) = LL 1 LR 1 RL 1 RR 1 be two plantexts of 3-round FOX128, C (128) = LL 4 LR RL 4 4 RR 4 and C (128) = LL 4 LR RL 4 4 RR 4 be the correspondng cphertexts. RR (8) (0 7) denotes the (+1) th byte of RR. If LL 1 = LR 1 = LL 1 = LR, 1 RL 1 = RR, 1 RL 1 = RR, 1 RR 1 (8) = RR(8)( 1 = 0, 1, 2), RR 1 3(8) RR3(8), 1 then C (128) and C (128) satsfy the followng nequaltes: LL 4 2(8) LR 4 0(8) LR 4 2(8) LL 4 2(8) LR 4 0(8) LR 4 2(8), (1) LL 4 3(8) LR 4 1(8) LR 4 3(8) LL 4 3(8) LR 4 1(8) LR 4 3(8) (2) LL 4 0(8) LR 4 2(8) LL 4 0(8) LR 4 2(8) (3) LL 4 1(8) LR 4 3(8) LL 4 1(8) LR 4 3(8) (4) RL 4 2(8) RR 4 0(8) RR 4 2(8) RL 4 2(8) RR 4 0(8) RR 4 2(8) (5) RL 4 3(8) RR 4 1(8) RR 4 3(8) RL 4 3(8) RR 4 1(8) RR 4 3(8) (6) RL 4 0(8) RR 4 2(8) RL 4 0(8) RR 4 2(8) (7) From the above dscusson, we have RL 4 1(8) RR 4 3(8) = y 5 x a 5 a 7, and y 5 wll have dfferent values when x take dfferent values. So we can get the followng Corollary, whch s smlar to the ntegral dstngusher presented n Ref.[1] and Ref.[6]. Corollary 1. Let P j (128) = LLj 1 LRj 1 RLj 1 RRj 1 (0 j 255) be 256 plantexts of 3-round FOX128, Cj (128) = LLj 4 LRj 4 RLj 4 RRj 4 be the correspondng cphertexts. If LLj 1 = LRj 1, RLj 1 = RLj 1, RLj (8) ( = 0, 1, 2) are constants, and LRj 3(8) take all possble values between 0 and 255, then Cj (128) (0 j 255) satsfy: 255 (RLj 4 1(8) RRj3(8)) 4 = 0 (8) j=0 4 Attacks on Reduced-Round FOX Attackng 4-round FOX128 Ths secton explans the attack on 4-round FOX128 n detal. The last round omt the or transformaton. Frst we recover 72 bts subkey RK0 4 (64) and RK1 4 0(8). Choose plantext P (128) = LL 1 LR RL 1 1 RR, 1 and let C (128) = LL 5 LR RL 5 5 RR 5 be the correspondng cphertext. The nput of the fourth round functon f64 4 s LL 5 LR RL 5 5 RR, 5 and we can calculate the value of LL 4 2(8) LR 4 2(8) because LL 4 2(8) LR 4 2(8) = LL 5 2(8) LR2(8). 5 If we guess the value of LR0(8), 4 then we can guess LL 4 2(8) LR 4 2(8) LR0(8). 4 From the structure of f64 4, t s known that the value of LR 4 0(8) s entrely determned by the nput LL 5 LR RL 5 5 RR 5 and subkey RK0 4 (64), RK1 4 0(8). Thus usng the nequalty (1) of Theorem 1, we construct the followng algorthm to recover RK0 4 (64) and RK1 4 0(8).

9 Algorthm 1 Step1, Choose 166 plantexts P j (128) j 165) as follows: = LLj 1 LRj 1 RLj 1 RRj 1 (0 LLj 1 = (c c c c), LRj 1 = (c c c c), RLj 1 = (c c c j), RRj 1 = (c c c j). where c s a constant, 0 j 165. The correspondng cphertexts are Cj (128) = LLj 5 LRj 5 RLj 5 RRj 5. Step2, For each possble value of RK0 4 (64) RK1 4 0(8), frst compute the frst byte Y j 4 0(8) of f64 4 (LLj 5 LRj 5 RLj 5 RRj 5 ), and then compute j = Y j 4 0(8) LLj 5 2(8) LRj 5 2(8) LRj 5 0(8). Check f there a a collson among j. If so, dscard the value of RK0 4 (64) RK1 4 0(8). Otherwse, output RK0 4 (64) RK1 4 0(8). Step3, From the output values of RK0 4 (64) RK1 4 0(8) n Step2, choose some other plantexts, and repeat Step2. The probablty of at least one collson occurs when we throw 166 balls nto 256 buckets at random s larger than 1 e 166(166 1)/ So the probablty of passng the test of Step 2 s less than2 76. Because the rght subkey canddates must pass the test of Step2, the number of subkey canddates passng Step2 s about 1 + ( ) Then, only two plantexts are needed n Step3. The data complexty of ths attack s about 168 chosen plantexts. And the man tme complexty of Algorthm 2 s n step2, the tme of computng each j s less than 1-round encrypton, so the tme complexty s less than / encryptons. Next we recover RK1 4 1(8). The steps are very smlar to Algorthm1, except RK0 4 (64) s known here. So the number of canddates s 2 8, only 64 chosen plantexts are needed(we can use the data n Algorthm 1 agan). Usng the nequalty (2) n Theorem 1, we can recover RK1 4 1(8) by computng j = Y j 4 1(8) LLj 5 3(8) LRj 5 3(8) LRj 5 1(8). and the attack requres /4 = 2 12 encryptons. Knowng RK0 4 (64) and RK1 4 0(8), usng nequalty (3) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 2(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 0(8) Y j 4 2(8) LLj 5 0(8) LRj 5 2(8)

10 Smlarly, knowng RK0 4 (64) and RK1 4 1(8), usng nequalty (4) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 3(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 1(8) Y j 4 3(8) LLj 5 1(8) LRj 5 3(8) Furthermore,usng nequalty (5) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 4(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 4(8) RLj 5 2(8) RRj 5 2(8) RRj 5 0(8) And usng nequalty (6) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 5(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 5(8) RLj 5 3(8) RRj 5 3(8) RRj 5 1(8) Knowng RK0 4 (64) and RK1 4 4(8), usng nequalty(7) n Theorem 1 and the plantexts chosen n Algorthm 1, we can recover RK1 4 6(8) by computng and the attack requres 2 12 encryptons. j = Y j 4 4(8) RLj 5 0(8) Y j 5 6(8) RRj 5 2(8) We can t use smlar approach to recover RK1 4 7(8), fortunately ntegral technque can be used here. Knowng RK0 4 (64)) and RK1 4 5(8), usng equaton (8) n Theorem 1,we can construct the followng algorthm to recover RK1 4 7(8). Algorthm 2 Step1, Choose 256 plantexts P j (128) j 122) as follows: = LLj 1 LRj 1 RLj 1 RRj 1 (0 LLj 1 = (c c c c), LRj 1 = (c c c c), RLj 1 = (c c c j), RRj 1 = (c c c j). where c s a constant, 0 j 255. The correspondng cphertexts are Cj (128) = LLj 5 LRj 5 RLj 5 RRj 5. Step2, For each possble value of RK1 4 7(8), frst compute Y j 4 7(8), and then compute 255 = (RL 5 1(8) RR 5 3(8) Y j 4 5(8) Y j7(8)). 4 j=0

11 Check f = 0. If not, dscard the value of RK1 4 7(8), Otherwse, output RK1 4 7(8). Step3, From the output values of RK1 4 7(8) n Step2, choose another group of plantexts, and repeat Step2 untl the key canddate s unque. Wrong values wll pass step2 successfully wth probablty 2 8. Thus Algorthm 2 requres about 2 9 chosen plantexts, and the tme complexty s about /4 = 2 15 encryptons. The data n Algorthm 1 can be repeatedly used here agan, so the data complexty for recoverng RK 4 (128)) s about 2 9, and the tme complexty s about Now we have recovered RK 4 (128) usng 2 9 chosen plantexts and encryptons. By decryptng the 4th round, we can recover RK 3 (128), the tme complexty s less than Smlarly, we can recover RK 2 (128)) and RK 1 (128)), the tme complexty are both less than Therefore, the attack on the 4-round FOX128 requres 2 9 chosen plantexts and about encryptons. 4.2 Attackng 5-round FOX128 We could extend the prevous attack on 5-round FOX128, usng a key exhaustve search on the ffth subkey RK 5 (128). The attack requres encryptons, whch s less expensve than a key exhaustve search. 5 Attacks on Reduced-Round FOX64 Smlar to FOX128, we can get the followng theorem for FOX64. Theorem 2. Let P (64) = L 1 R 1 and P (64) = L 1 R 1 be two plantexts of 3-round FOX64,C (64) = L 4 R 4 and C (64) = L 4 R 4 be the correspondng cphertexts, L (8) denotes the ( + 1) th byte of L, If L 1 = R, 1 L 1 = R, 1 and L 1 (8) = L 1 (8)( = 0, 1, 2),L 1 3(8) L 1 3(8), then C (64) and C (64) satsfy: L 4 2(8) R 4 2(8) R 4 0(8) L 4 2(8) R 4 2(8) R 4 0(8), (9) L 4 3(8) R 4 3(8) R 4 1(8) L 4 3(8) R 4 3(8) R 4 1(8) (10) L 4 0(8) R 4 2(8) L 4 0(8) R 4 2(8) (11) Corollary 2. Let P j (64) = Lj 1 Rj 1 (0 j 255) be 256 plantexts of 3-round FOX64, Cj (64) = Lj 4 Rj 4 be the correspondng cphertexts, If Lj 1 = Rj 1, Lj (8) ( = 0, 1, 2) are constants, and Lj 3(8) take all possble values between 0 and 255, then Cj (64) (0 j 255) satsfy: 255 (Lj 4 1(8) Rj3(8)) 4 = 0 (12) j=0 Usng Theorem 2 and Corollary 2, we can construct the Algorthms smlar to those n Secton 4, and get four subkeys of 4-round FOX64. The attack requres

12 less than 2 9 chosen plantexts, and the tme complexty s about round FOX64 encryptons. Smlarly, we can get subkeys of 5(6, 7)-round FOX64 just through guessng the overall key bts behnd the fourth round, then usng the attack procedure for 4-round FOX64. The tme complexty on 5,6 and 7-round FOX64 s about , and respectvely. 6 Concludng remarks Snce FOX s a new cpher publshed last year, all we know about ts securty analyss are lmted to be the desgner s results [ 1] and Ref.[6]. In ths paper, we combne collson technque and ntegral attack to analyze the securty of FOX. The mproved ntegral attack on FOX s more effcent than known ntegral attacks. The complexty of mproved ntegral attack s on 4-round FOX128, aganst 5-round FOX128 respectvely. For FOX64, the complexty of mproved ntegral attack s about on 4-round FOX64, aganst 5-round FOX64, aganst 6-round FOX64, aganst 7-round FOX64 respectvely. Our results also show that 4-round FOX64/64, 5-round FOX64/128, 6-round FOX64/192,7-round FOX64/256 and 5-round FOX128/256 are not mmune to mproved ntegral attack n ths paper. There are some mstakes about the ntegral cryptanalyss n Ref.[6], so we only compare the performance of known ntegral attacks on FOX n Ref.[1] and that of ths paper n the followng table. Name round Tme Notes FOX Ref.[1] FOX ths paper FOX Ref.[1] FOX ths paper FOX Ref.[1] FOX ths paper FOX ths paper FOX Ref.[1] FOX ths paper FOX ths paper References 1. P.Junod and S. Vaudenay, FOX: a new Famly of Block Cphers, Selected Areas n Cryptography-SAC 2004,LNCS 2595, pp ,sprnger-verlag. FOX Specfcatons Verson 1.2 appeared on 2. Medacrypt AG X.La and J. Massey, A proposal for a new block encrypton standard, Advances n Cryptology-EUROCRYPT 90, LNCS 473,pp ,Sprnger-Verlag. 4. S.Vaudenay, On the La-Massey scheme, Advances n Cryptology- ASIACRYPT 99, LNCS 1716, pp.8-19,sprnger-verlag. 5. P.Junod and S. Vaudenay, Perfect dffuson prmtves for block cphers buldng effcent MDS matrces, Selected Areas n Cryptography-SAC 2004,LNCS 2595, pp ,sprnger-verlag.

13 6. Marne Mner, An ntegral cryptanalyss aganst a fve rounds verson of FOX, Western European Workshop on Research n Crpytography - WEWoRC, July 05-07, Leuven, Belgum, K.Lanford and E.Hellman, Dfferental-lnear cryptanalyss,advances n Cryptology-CRYPTO 94,LNCS 893, pp.17-25,sprnger-verlag. 8. E.Bham, A.Bryukov, and A.Shamr, Enhancng dfferental-lnaer cryptanalyss, Advances n Cryptology-ASIACRYPT 02, LNCS 2501, pp ,sprnger-verlag, 9. D.Wagner, The boomerang attack,fast Software Encrypton-FSE 99, LNCS 1636,pp ,Sprnger-Verlag. 10. E.Bham,O.Dunkelman,and N.Keller, The rectangle attack-rectanglng the Serpent, Advances n Cryptology-EUROCRYPT 01, LNCS 2045,pp ,Sprnger- Verlag. 11. L.Knudsen, Truncated and hgher order dfferentals, Fast Software Encrypton- FSE 95, LNCS 2595,pp ,Sprnger-Verlag. 12. E.Bham, A.Bryukov, and A.Shamr, Cryptanalyss of Skpjack reduced to 31 rounds usng mpossble dfferentals, Advances n Cryptology- EUROCRYPT 99,LNCS 2595, pp.12-23,sprnger-verlag. 13. C.Harpes and J.Massey, Parttonng cryptanalyss,fast Software Encrypton- FSE 97, LNCS 1267,pp.13-27,Sprnger-Verlag. 14. T.Jakobsen and L.Knudsen, The nterpolaton attack aganst block cphers, Fast Software Encrypton-FSE 99, LNCS 1267,pp.28-40,Sprnger-Verlag. 15. N. Courtos and J. Peprzyk, Cryptanalyss of block cphers wth overdefned systems of equatons, Advances n Cryptology-ASIACRYPT 02, LNCS 2595, pp ,sprnger-verlag. 16. S.Murphy and M.Robshaw, Comments on the securty of the AES and the XSL technque,electronc Letters,39(1): A. Bryukov and D.Wagner, Slde attacks, Fast Software Encrypton-FSE 99, LNCS 1636, pp ,sprnger-verlag. 18. A. Bryukov and D.Wagner, Advanced slde attacks, Advances n Cryptology- EUROCRYPT 00, LNCS 1807,pp ,Sprnger-Verlag. 19. H.Wu, Related-cpher attacks, Informaton and Communcatons Securty,ICICS 2002,LNCS 2513, pp ,sprnger-verlag. 20. L. Knudsen and D. wagner, Integral cryptanalyss(extended abstract) Fast Software Encrypton-FSE2002,LNCS 2595, pp ,sprnger-verlag. 21. Y.Yeom, S.Park, and I. Km, On the securty of Camella aganst the square attack, Fast Software Encrypton-FSE 02,LNCS 2356, Sprnger-Verlag 2002,pp Y.Yeom, I. Park, and I. Km, A study of Integral type cryptanalyss on Camella, The 2003 Symposum on Cryptography and Informaton Securty-SCIS 03.