A new version of the RC6 algorithm, stronger against $\chi^2$ cryptanalysis

Routo Terada (1), Eduardo T. Ueda (2)

(1) Dept. of Computer Science, University of São Paulo, Brazil. Email: rt@ime.usp.br
(2) Dept. of Computer Science, University of São Paulo, Brazil. Email: edutakeo@ime.usp.br

Abstract

We analyze $\chi^2$ cryptanalysis, one of the most successful cryptanalysis techniques against the RC6 algorithm. We apply this type of cryptanalysis as distinction cryptanalysis as well as key-recovery cryptanalysis. We present a modified version of RC6 obtained by introducing a very simple data-dependent swapping function into its structure. The conclusion inferred from statistical experiments is that this modified version is stronger against the $\chi^2$ cryptanalysis technique.

Keywords: Cryptography, Block Cipher, RC6 Algorithm, $\chi^2$ cryptanalysis

1 Motivations and preliminaries

The RC6 algorithm, a symmetric block cipher, is a strengthened version of RC5 and was submitted to the NIST (National Institute of Standards and Technology) as an AES (Advanced Encryption Standard) candidate. Its authors are Ronald L. Rivest, Matthew J. B. Robshaw, Ray Sidney and Yiqun L. Yin (11), researchers at MIT (Massachusetts Institute of Technology) and RSA Labs. The hashing algorithm called MD6, presented by Ron Rivest (Invited Talk, CRYPTO Conference, August 2008), has various basic operations in common with RC6.

The cryptanalysis technique called $\chi^2$ was originally proposed by Serge Vaudenay (15) to cryptanalyze the DES algorithm. Baudron et al. (1) and Knudsen and Meier (5) were the first to apply the $\chi^2$ technique to the RC6 algorithm, and their estimate is that RC6 reduced to 15 rounds is vulnerable (weak) against this type of cryptanalysis, with complexity $2^{125}$. Later, other researchers applied this type of cryptanalysis to RC6 as well: (2)(3)(7)(8)(9)(10)(13). In (3) and (8) variants of RC6 were considered, called RC6W and RC6P, respectively.
RC6W means RC6 without pre- or post-whitening and RC6P means RC6 without post-whitening. Pre-whitening of RC6 is the addition of the $S[0]$ and $S[1]$ subkeys before the main loop, while post-whitening is the addition of the $S[2r+2]$ and $S[2r+3]$ subkeys just after the main loop ($r$ is the number of rounds).

Knudsen and Meier stated that successfully applying $\chi^2$ cryptanalysis to RC6 with 16 or more rounds is an open problem. But Miyaji and Takano in (9) proved that it is theoretically possible to cryptanalyze RC6 with 16 rounds using $2^{127.20}$ plaintexts. The $\chi^2$ cryptanalysis applied to RC6 in (9) is the most effective one so far.

Copyright (c) 2009, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Conference (AISC2009), Wellington, New Zealand, January 2009. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 98, Ljiljana Brankovic and Willy Susilo, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

In order to strengthen RC6 against $\chi^2$ cryptanalysis, we define a new version called RC6T that is obtained by adding a simple data-dependent swapping function, called $T()$, in each round. This function swaps (exchanges) the two halves of a block of, e.g., 32 bits, if the Hamming weight of the block is odd, as defined below (where $L$ and $R$ are the left and right halves of the input block):

$$T(L, R) = \begin{cases} (R, L) & \text{if } \mathrm{HWeight}(LR) \text{ is odd} \\ (L, R) & \text{if } \mathrm{HWeight}(LR) \text{ is even} \end{cases}$$

We show that RC6T with 13 rounds is as strong against $\chi^2$ cryptanalysis as the original RC6 with 15 rounds. As this paper shows, RC6T with fewer rounds than RC6 is as secure against $\chi^2$ cryptanalysis as RC6, so we conjecture that an eventual slowdown caused by implementation details of $T()$ can be compensated by using RC6T with a smaller number of rounds. The first author of this paper introduced the function $T()$ to strengthen RC6 against Differential Cryptanalysis in (14).

    Input:  Plaintext stored in four registers with w bits: A, B, C, D
            r is the number of rounds
            2r + 4 subkeys with w bits stored in S[0, ..., 2r + 3]
    Output: Ciphertext in A, B, C, D
    Algorithm:
        B = B + S[0]
        D = D + S[1]
        for i = 1 to r do {
            B = T(B)
            D = T(D)
            t = (B × (2B + 1)) <<< lg w
            u = (D × (2D + 1)) <<< lg w
            A = ((A ⊕ t) <<< u) + S[2i]
            C = ((C ⊕ u) <<< t) + S[2i + 1]
            (A, B, C, D) = (B, C, D, A)
        }
        A = A + S[2r + 2]
        C = C + S[2r + 3]

    Figure 1: Algorithm RC6T

Figure 1 represents the RC6T algorithm with the $T()$ function. The only difference to the original RC6
is the addition of $B = T(B)$ and $D = T(D)$ inside the main loop. From now on we will show that this version of RC6 is stronger against $\chi^2$ cryptanalysis than the original RC6 submitted as an AES candidate.

2 Statistical facts

This section explains how to use the $\chi^2$ statistical technique to distinguish a ciphertext with unknown probability distribution $p$ from another ciphertext with uniform probability distribution $\pi$ (4)(5)(6).

Let $X = X_0, X_1, \ldots, X_{n-1}$ be independent random variables such that $X_i \in \{a_0, a_1, \ldots, a_{m-1}\}$ with unknown probability distribution $p$, and let $N_{a_j}(X)$ be the number of times $X$ takes on the value $a_j$. The $\chi^2$ statistic of $X$, which estimates the distance between the observed distribution $p$ and the expected uniform distribution $\pi = (\pi_0, \pi_1, \ldots, \pi_{m-1})$, is defined as:

$$\chi^2 = \sum_{i=0}^{m-1} \frac{(N_{a_i}(X) - n\pi_i)^2}{n\pi_i}.$$

It is obvious that $\sum_{j=0}^{m-1} N_{a_j}(X) = n$, and since each $\pi_i$ equals $\frac{1}{m}$, as the distribution $\pi$ is uniform, we can simplify the equation above as follows:

$$\chi^2 = \frac{m}{n} \sum_{i=0}^{m-1} \left( N_{a_i}(X) - \frac{n}{m} \right)^2.$$

In a $\chi^2$ test, the $\chi^2$ statistic is compared to $\chi^2_{a,m-1}$, the value for the $\chi^2$ test with $m-1$ degrees of freedom and significance level $a$. Thus, after computing the $\chi^2$ statistic, it is possible to decide the following hypothesis test:

$$\begin{cases} H_0 : p = \pi & \text{(null hypothesis)} \\ H_1 : p \neq \pi & \text{(alternative hypothesis)} \end{cases}$$

Tables 1 and 2 show the threshold values for the $\chi^2$ distribution with 63, 255 and 1023 degrees of freedom. These values were used by Knudsen and Meier (5); however, we consider only the case with 63 degrees of freedom. For example, for 63 degrees of freedom, (level, $\chi^2$) = (0.95, 82) in Table 2 means that the $\chi^2$ statistical value exceeds 82 only 5% of the time if the distribution of the observed $X$ were in fact uniform.

Table 1: $\chi^2$ distribution with different degrees of freedom

    Level                      0.5    0.60   0.70   0.80
    63 degrees of freedom      62     65     68     72
    255 degrees of freedom     254    260    266    273
    1023 degrees of freedom    1022   1033   1046   1060

Table 2: $\chi^2$ distribution with different degrees of freedom

    Level                      0.90   0.95   0.99
    63 degrees of freedom      77     82     92
    255 degrees of freedom     284    293    310
    1023 degrees of freedom    1081   1098   1131

Theorems 2.1 and 2.2 (9)(12), which follow, refer to the $\chi^2$ statistic and are very important for the $\chi^2$ statistics.

Theorem 2.1 When $H_0$ is true, the $\chi^2$ statistic defined in this section follows the $\chi^2$ distribution with degree of freedom approximately equal to $m-1$. In addition, the expected average and variance are computed by $E_{H_0}(\chi^2) = m-1$ and $V_{H_0}(\chi^2) = 2(m-1)$, respectively.

Theorem 2.2 When $H_1$ is true, the $\chi^2$ statistic defined in this section follows the non-central $\chi^2$ distribution with degree of freedom approximately equal to $m-1$. Additionally, the expected average and variance are computed by $E_{H_1}(\chi^2) = m-1+n\theta$ and $V_{H_1}(\chi^2) = 2(m-1)+4n\theta$, respectively, where $n\theta$ is called the non-central parameter and

$$n\theta = n \sum_{i=0}^{m-1} \frac{(\pi_i - P(a_i))^2}{\pi_i},$$

where $P(a_i)$ is the probability that $a_i$ occurs.

3 Measured correlations

Now we investigate the non-randomness of RC6 and RC6T with $r$ rounds. This analysis is based on systematic experiments, considering an increasing number of rounds with 32-bit words (blocks). It is important to notice that the plaintexts and keys used were generated with uniform distribution, using a linear congruence method. Like Knudsen and Meier (5), we used their method to show that non-randomness can be detected and quantified for RC6 and RC6T with up to 5 rounds by software implementation. For this purpose, we used two types of testing, as we describe next.
For both types, $(A_0, B_0, C_0, D_0)$ is a plaintext, $(A_{r+2}, B_{r+2}, C_{r+2}, D_{r+2})$ is a ciphertext after $r$ rounds, $\mathrm{lsb}_n(X)$ is the least significant $n$ bits of $X$, and $a \| b$ is the concatenation of $a$ and $b$.

Test 1: $\chi^2$ of $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ in the case $\mathrm{lsb}_5(A_0) = \mathrm{lsb}_5(C_0) = 0$.

Test 2: $\chi^2$ of $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ in the case $\mathrm{lsb}_5(B_0) = \mathrm{lsb}_5(D_0) = 0$.

We notice that Test 1 applied to RC6 and RC6T with an EVEN number of rounds yields $\chi^2$ values greater than Test 2 does, for the same number of rounds. Likewise, Test 2 applied to RC6 and RC6T with an ODD number of rounds yields $\chi^2$ values greater than Test 1 does, for the same number of rounds. Another point to observe with respect to the two types of testing is that the applied method assigns zero to 10 bits of each plaintext, so that the total number of distinct plaintexts that can be generated in the experiments is reduced from $2^{128}$ to $2^{118}$.

Tables 3 and 4 show the measured correlations for RC6 with Test 1 and Test 2, respectively. Notice that for these tests the $\chi^2$ statistics are computed for integer values $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ with 6 bits, and so the expected value of the $\chi^2$ statistic is 63.

Table 3: Test 1 on RC6-32/r/16 with r = 2, 4 rounds

    # rounds   log2(# plaintexts)   chi^2   # tests
    2          13                   54      20
    2          14                   72      20
    2          15                   96      20
    4          30                   59      10
    4          31                   134     10
    4          32                   226     10

Table 4: Test 2 on RC6-32/r/16 with r = 3, 5 rounds

    # rounds   log2(# plaintexts)   chi^2   # tests
    3          14                   59      20
    3          15                   72      20
    3          16                   90      20
    5          32                   74      10
    5          33                   115     10
    5          34                   205     10

Tables 5 and 6 show the measured correlations for RC6T with Test 1 and Test 2, respectively. Again, notice that for these tests the $\chi^2$ statistics are computed for integer values $\mathrm{lsb}_3(A_{r+1}) \| \mathrm{lsb}_3(C_{r+1})$ with 6 bits, and so the expected value of the $\chi^2$ statistic is 63. When RC6T with 4 and 5 rounds is considered, the values of the $\chi^2$ statistic were computed for just one test, instead of taking the average of 10 tests, since the computational cost became very high, making it infeasible.

Table 5: Test 1 on RC6T-32/r/16 with r = 2, 4 rounds

    # rounds   log2(# plaintexts)   chi^2   # tests
    2          17                   60      20
    2          18                   79      20
    2          19                   123     20
    4          36                   79      1
    4          37                   137     1
    4          38                   301     1

Table 6: Test 2 on RC6T-32/r/16 with r = 3, 5 rounds

    # rounds   log2(# plaintexts)   chi^2   # tests
    3          21                   58      20
    3          22                   73      20
    3          23                   112     20
    5          39                   54      1
    5          40                   128     1
    5          41                   275     1

The results in this section show clearly that more plaintexts are required to measure $\chi^2$ statistics for RC6T equivalent to the measured values for RC6, when the same number of rounds is considered. This implies that RC6T is stronger against the distinction and key-recovery cryptanalysis, as we show in the next sections.

4 Distinction cryptanalysis

In this section we apply the results of the previous section to distinguish the algorithms RC6 and RC6T with a given number of rounds from a random permutation chosen from the set of all permutations. Cryptanalysis of this type is called distinction cryptanalysis, and is useful and relevant for the construction of key-recovery cryptanalysis, which is relatively more elaborate.

Figure 2 shows the distinction cryptanalysis proposed by Knudsen and Meier (5), which we applied to the algorithms RC6 and RC6T. The algorithm shown in Figure 2 analyzes a sequence of $n$ plaintexts, deciding whether these values were ciphered by RC6 (or RC6T) or not. The condition $\chi^2 > 82$ indicates that the algorithm returns the correct answer with 95% certainty, according to Tables 1 and 2. It is important to emphasize that the choice of the number of plaintexts $n$ depends on the number of rounds considered for each algorithm. Next, we show the distinction cryptanalysis applied to RC6 and RC6T.

    Input:  Algorithm RC6 (RC6T) or random permutation; number n of texts
    Output: Answers if the input is RC6 (RC6T) or not
    1. consider n texts (A, B, C, D) ciphered with RC6 (RC6T) or not;
    2. for i = 1 to n do:
           j = lsb_3(A_i) || lsb_3(C_i);
           increment array[j];
    3. compute chi^2 of array;
    4. if (computed chi^2) > 82 then return "The input is RC6 (RC6T)";
       else return "The input is a random permutation".

    Figure 2: Distinction cryptanalysis

Table 7 lists the results for RC6-32/r/16 with $r = 2, 4$ rounds considering Test 1. We concluded that $2^{15}$ plaintexts are sufficient to distinguish a ciphered permutation with 2 rounds from a permutation chosen at random in 95% of cases, since with $2^{15}$ plaintexts the measured value of $\chi^2$, 92, is greater than 82. Considering a factor of $2^{15.7}$ $(= 2^{30.7-15})$ additional plaintexts for each 2 rounds, we estimate that for RC6 with $r$ rounds, similar values are obtainable with

$$2^{15} \times (2^{15.7})^{\frac{r-2}{2}} = 2^{7.85r-0.7}$$

plaintexts and so, $\log_2(\#\text{plaintexts}) = 7.85r - 0.7$.

Table 7: Complexity to distinguish RC6-32/r/16 using Test 1

    # rounds   log2(# plaintexts)   chi^2
    2          13                   59
    2          14                   72
    2          15                   92
    4          30                   66
    4          30.7                 107
    6          46.4
    8          62.1
    10         77.8
    12         93.5
    14         109.2
    16         124.9

The values presented in Table 7 indicate that it is possible to distinguish RC6 with 14 rounds from a random permutation when we consider Test 1. Notice that to cryptanalyze 14 rounds we need $2^{109.2}$ plaintexts, and for 16 rounds we need much more than $2^{118}$, i.e., the number of available plaintexts.

In Table 8 we have the results for RC6-32/r/16 with $r = 3, 5$ rounds using Test 2. Observe that $2^{16}$ plaintexts are sufficient to distinguish a ciphered permutation with 3 rounds from a random permutation, since for $2^{16}$ plaintexts the measured value of $\chi^2$ is greater than 82. Notice also that there is a factor of $2^{16}$ $(= 2^{32-16})$ additional plaintexts to measure the equivalent values of $\chi^2$ for each 2 rounds of RC6; thus we estimate that, with $r$ rounds, similar results are obtainable with $2^{16} \times (2^{16})^{\frac{r-3}{2}} = 2^{8r-8}$ plaintexts.
Hence, based on runs done with RC6, with 3 and 5 rounds, we have that $\log_2(\#\text{plaintexts}) = 8r - 8$ for the case of $r$ rounds. The results in Table 8 indicate that it is possible to distinguish RC6 with up to 15 rounds from a random permutation when Test 2 is considered. Notice that for 17 rounds the number of required plaintexts is greater than $2^{118}$.

Table 8: Complexity to distinguish RC6-32/r/16 using Test 2

    # rounds   log2(# plaintexts)   chi^2
    3          14                   55
    3          15                   72
    3          16                   91
    5          31                   53
    5          32                   95
    7          48
    9          64
    11         80
    13         96
    15         112
    17         128

5 Distinction cryptanalysis of RC6T

Table 9 shows the results for RC6T-32/r/16 with $r = 2, 4$ rounds, considering Test 1. We have that $2^{18.2}$ plaintexts are sufficient to distinguish a ciphered permutation with 2 rounds from a randomly chosen permutation in 95% of cases. Observe the existence of a factor of $2^{17.8}$ $(= 2^{36-18.2})$ additional plaintexts to measure equivalent values of $\chi^2$ for each 2 rounds of RC6T; thus we estimate that, for RC6T with $r$ rounds, similar values are obtainable with

$$2^{18.2} \times (2^{17.8})^{\frac{r-2}{2}} = 2^{8.9r+0.4}$$

plaintexts. Therefore, based on our implementations and the data shown in Table 9, we have that $\log_2(\#\text{plaintexts}) = 8.9r + 0.4$ for $r$ rounds.

Table 9: Complexity to distinguish RC6T-32/r/16 using Test 1

    # rounds   log2(# plaintexts)   chi^2
    2          17                   57
    2          18                   76
    2          18.2                 95
    4          35                   64
    4          36                   87
    6          53.8
    8          71.6
    10         89.4
    12         107.2
    14         125
    16         142.8

The values shown in Table 9 indicate that it is possible to cryptanalyze RC6T with up to 12 rounds from a random permutation when we consider Test 1. We already know that 14 rounds of RC6 may be cryptanalyzed using Test 1 with $2^{109.2}$ plaintexts. But to cryptanalyze RC6T with 14 rounds, the number of required plaintexts is greater than $2^{118}$.

In Table 10 we have the results for RC6T-32/r/16 with $r = 3, 5$ rounds using Test 2. Observe that $2^{22.6}$ plaintexts is an acceptable value to distinguish a ciphered permutation with 3 rounds from a random permutation. Furthermore, it is also possible to conclude that a factor of $2^{16.8}$ $(= 2^{39.4-22.6})$ additional plaintexts is required to measure equivalent values of $\chi^2$ for each 2 rounds. Thus, we estimate that for RC6T with $r$ rounds, similar results are obtainable with

$$2^{22.6} \times (2^{16.8})^{\frac{r-3}{2}} = 2^{8.4r-2.6}$$

plaintexts. Therefore, based on results for RC6T with 3 and 5 rounds, we conclude that $\log_2(\#\text{plaintexts}) = 8.4r - 2.6$ when $r$ rounds are considered.
The results in Table 10 indicate that it is possible to distinguish RC6T with up to 13 rounds from a random permutation when we consider Test 2 presented in Section 3. With this test it is possible to cryptanalyze 15 rounds of RC6 with $2^{112}$ plaintexts, as already discussed. But for 15 rounds of RC6T the number of required plaintexts is much greater than $2^{118}$.

6 Key-recovery cryptanalysis

This section presents a type of cryptanalysis developed by Isogai, Matsunaka and Miyaji (3) which recovers some bits of the subkeys used in the last round of RC6 or RC6T without post-whitening, denoted RC6P and RC6TP, respectively. This cryptanalysis is based on Test 2: it sets $\mathrm{lsb}_5(B_0)$ and $\mathrm{lsb}_5(D_0)$ to zero and considers $\mathrm{lsb}_3(A_{r+1})$ and $\mathrm{lsb}_3(C_{r+1})$ to compute the $\chi^2$ statistic. To obtain similar values for a $\chi^2$ test on $r+2$ rounds compared to $r$ rounds, we assume that a factor of around $2^{16}$ additional plaintexts is required.

In (8) it is shown that it is unnecessary to consider a level of significance of 0.95, as in (5), in order to recover the correct key. In the case of Test 2, a level of significance greater than 0.57 is sufficient to recover the key. It is evident that far fewer plaintexts are necessary for the cryptanalysis with a level a little greater than 0.57, compared with 0.95.

    1. Choose one plaintext $(A_0, B_0, C_0, D_0)$ such that $\mathrm{lsb}_5(B_0) = \mathrm{lsb}_5(D_0) = 0$ and cipher it with $r$ rounds.
    2. For each $(s_a, s_c)$, decipher $y_b \| y_d$ with the key $0 \| s_a$, $0 \| s_c$ with 1 round for $z_a \| z_c$, such that $z = z_a \| z_c$ is a 6-bit integer.
    3. For each $s$, $x_a$, $x_c$ and $z$, update each vector, incrementing count[$s$][$x_a$][$x_c$][$z$].
    4. For each $s$, $x_a$ and $x_c$, compute $\chi^2[s][x_a][x_c]$.
    5. Compute the average avg[$s$] of $\{\chi^2[s][x_a][x_c]\}_{x_a, x_c}$ for each $s$ and return the value $s$ with the greatest avg[$s$] as $\mathrm{lsb}_2(S[2r]) \| \mathrm{lsb}_2(S[2r+1])$.

    Figure 3: Key recovery cryptanalysis

Table 10: Complexity to distinguish RC6T-32/r/16 using Test 2

    # rounds   log2(# plaintexts)   chi^2
    3          21                   51
    3          22                   78
    3          22.6                 92
    5          39                   66
    5          39.4                 84
    7          56.2
    9          73
    11         89.8
    13         106.6
    15         123.4
    17         140.2

Figure 3 describes the cryptanalysis algorithm to recover the key, applied to RC6P and RC6TP. Intuitively, the algorithm assigns zero to $\mathrm{lsb}_3(B_0)$ and $\mathrm{lsb}_3(D_0)$, computes the $\chi^2$ statistic for 6-bit integer values obtained by concatenating 3 bits of $A_r$ with 3 bits of $C_r$, and recovers $\mathrm{lsb}_2(S[2r])$, $\mathrm{lsb}_2(S[2r+1])$ used by the $r$-th round of RC6P and RC6TP. We use the following notation: $(y_b, y_d) = (\mathrm{lsb}_3(B_{r+1}), \mathrm{lsb}_3(D_{r+1}))$, $(x_a, x_c) = (\mathrm{lsb}_5(F(C_{r+1})), \mathrm{lsb}_5(F(A_{r+1})))$, $(s_a, s_c) = (\mathrm{lsb}_2(S[2r]), \mathrm{lsb}_2(S[2r+1]))$ (where $F()$ is defined below) and $s = s_a \| s_c$, where $x_a$ (respectively $x_c$) is the amount of rotation on $A_r$ (respectively $C_r$) in the $r$-th round of RC6P or RC6TP and

$$F(x) = [x(2x+1) \pmod{2^w}] \lll \log_2 w.$$

The cryptanalysis algorithm to recover the key in Figure 3 can be generalized to recover $e$ bits of the key, where $e$ is an even integer. In this case, let $z = (e + 2)$; $\chi^2$ is computed on $z$ bits. The plaintexts for the cryptanalysis algorithm are grouped in $2^{10}$ groups according to the value $\{x_a, x_c\}$ and the average avg[$s$] is computed over each group. In other words, all the plaintexts are uniformly distributed in each group, as long as they are generated randomly for the experiments.

To cryptanalyze RC6P, $2^{21.8}$ plaintexts were required in order to recover the right key with 95% success probability. This fact was confirmed with 100 experiments, in which the cryptanalysis was successful 95% of the time, and the average of the $\chi^2$ values of the right keys returned by the cryptanalysis algorithm was 64.684, which corresponds to a level of significance of approximately 0.57.

By using the measured results of the 100 experiments and knowing that it is necessary to have $2^{16}$ additional plaintexts to obtain equivalent values of $\chi^2$ in $r+2$ rounds compared to $r$ rounds, we conclude that the number of plaintexts required to cryptanalyze RC6P with $r$ rounds, with success probability 95%, is as follows:

$$2^{-8} \times 2^{21.8} \times (2^{16})^{\frac{r-3}{2}} = 2^{8r-10.2}.$$

Notice that the factor $2^{-8}$ is due to the fact that the cryptanalysis algorithm runs only one deciphering round, implying a decrease in the number of plaintexts. So, with $\log_2(\#\text{texts}) = 8r - 10.2$ the cryptanalysis algorithm recovers the right key with success probability 95%.

To analyze the time complexity, i.e., the cost of running the cryptanalysis algorithm, we let one unit of cost be an increment of the vector count[$s$][$x_a$][$x_c$][$z$]. As we have $2^4$ pairs $(s_a, s_c)$ for each plaintext and each pair corresponds to an increment, the total cost is given by:

$$(\#\text{ of plaintexts}) \times 2^4 = 2^{8r-10.2} \times 2^4 = 2^{8r-6.2}.$$
Then, replacing the number $2^{118}$ of plaintexts available in this expression, which determines the number of required plaintexts to cryptanalyze RC6P, we conclude that the cryptanalysis is successful for 16 rounds of RC6P using $2^{117.8}$ plaintexts and $2^{121.8}$ units of cost.

We apply the same type of attack to algorithm RC6T without post-whitening, denoted RC6TP. According to the measurements of the $\chi^2$ tests in Section 3, considering Test 2, approximately $2^{17}$ additional plaintexts are required to obtain equivalent $\chi^2$ values for $r+2$ rounds compared to $r$ rounds.

Systematic experiments done as before for RC6P indicate that $2^{27.2}$ plaintexts are required in each experiment in order to recover the right key of RC6TP with 95% success probability. This fact was verified with 100 experiments, in which the cryptanalysis was successful 95% of the time, and the average of the $\chi^2$ values of the right keys returned by the cryptanalysis algorithm was 64.534, which corresponds to a level of approximately 0.57.

Considering the results obtained with these 100 experiments and knowing that $2^{17}$ plaintexts are required to achieve equivalent $\chi^2$ values in $r+2$ rounds compared to $r$ rounds, the number of required plaintexts to cryptanalyze RC6TP with $r$ rounds and probability of success 95% is given by:

$$2^{-8.5} \times 2^{27.2} \times (2^{17})^{\frac{r-3}{2}} = 2^{8.5r-6.8}.$$

We notice there is a factor of $2^{-8.5}$ due to the fact that the cryptanalysis algorithm runs only one deciphering round, which decreases the number of plaintexts. Thus, with $\log_2(\#\text{texts}) = 8.5r - 6.8$ the cryptanalysis recovers the right key with success probability 95%.

We also analyze the time complexity, i.e., the running cost. For this purpose, one unit of cost is one increment of the vector count[$s$][$x_a$][$x_c$][$z$]. As we have $2^4$ pairs $(s_a, s_c)$ for each plaintext and each pair corresponds to an increment, the running cost is:

$$(\#\text{ plaintexts}) \times 2^4 = 2^{8.5r-6.8} \times 2^4 = 2^{8.5r-2.8}.$$
Replacing the number $2^{118}$ of available plaintexts in this expression, which determines the number of required plaintexts to cryptanalyze RC6TP, we conclude that the cryptanalysis is successful for 14 rounds of RC6TP using $2^{112.2}$ plaintexts and $2^{116.2}$ units of cost.

From the results obtained in this section, the overall conclusion is that RC6TP is stronger against this type of cryptanalysis than RC6P, since the introduction of the swapping function $T()$ implied that 14 rounds is weak (i.e., at least 15 rounds are necessary to counter-attack), instead of 16 rounds of RC6P (i.e., at least 17 rounds are necessary to counter-attack).

7 Conclusions

Based on computational experiments we estimated that a distinction cryptanalysis is successful for RC6 with up to 15 rounds. For 15 rounds, $2^{112}$ plaintexts are required to cryptanalyze RC6. However, the experiments showed that RC6T with up to 13 rounds can be distinguished from a random permutation. For 13 rounds, $2^{106.6}$ plaintexts are required to cryptanalyze RC6T.

We also implemented the key-recovery cryptanalysis, a chosen-plaintext cryptanalysis, against RC6 without post-whitening (RC6P), proposed in (3). The analysis of our experimental data for this cryptanalysis showed that 16 rounds of RC6P can be cryptanalyzed using $2^{117.8}$ plaintexts with probability 95% of successfully recovering the right secret key. We applied the same cryptanalysis against RC6T without post-whitening (i.e., RC6TP) and verified that fewer rounds can be cryptanalyzed, i.e., fewer rounds are required to counter-attack RC6TP than RC6P. For RC6TP, the experiments showed that 14 rounds can be cryptanalyzed using $2^{112.2}$ plaintexts with success probability 95%.

The overall conclusion is that the introduction of the simple data-dependent swapping function $T()$ in the RC6 algorithm strengthens it significantly against $\chi^2$ cryptanalysis.
With RC6T, a greater number of plaintexts is required to achieve $\chi^2$ values similar to the ones obtained for the original RC6. We reached the same conclusion with respect to the distinction cryptanalysis (to distinguish the output of RC6T from a random permutation) and the key-recovery cryptanalysis (to recover the right key) with high probability.

References

[1] Baudron, O., H. Gilbert, L. Granboulan, H. Handschuh, A. Joux, P. Nguyen, F. Noilhan, D. Pointcheval, T. Pornin, G. Poupard, J. Stern, S. Vaudenay (1999), Report on the AES candidates, http://csrc.nist.gov/archive/aes/round1/conf2/papers/baudron1.pdf
[2] Gilbert, H., H. Handschuh, A. Joux, S. Vaudenay (2000), A Statistical Attack on RC6, 7th Fast Software Encryption Workshop, B. Schneier, ed., Springer-Verlag, LNCS 1978, pp. 64-74.

[3] Isogai, N., T. Matsunaka, A. Miyaji (2003), Optimized $\chi^2$-cryptanalysis against RC6, Applied Cryptography and Network Security, pages 16-32.

[4] Kelsey, J., B. Schneier, D. Wagner (1999), Mod n Cryptanalysis, with Applications Against RC5P and M6, Lecture Notes in Computer Science, volume 1636, pages 139-155, Springer-Verlag, London, UK, http://citeseer.ist.psu.edu/

[5] Knudsen, L. R., W. Meier (2000), Correlations in RC6 with a Reduced Number of Rounds, Proceedings of the 7th International Workshop on Fast Software Encryption, ISBN 3-540-41728-1, Springer-Verlag, London, UK.

[6] Knuth, D. E. (1981), The Art of Computer Programming, Volume 2, edition 2, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.

[7] Miyaji, A., M. Nonaka (2003), Cryptanalysis of Reduced-Round RC6 without Whitening, IEICE Transactions on Fundamentals, Inst. of Electronics, Communications and Computer Sciences, volume E86-A, number 1, pages 19-30.

[8] Miyaji, A., M. Nonaka (2002), Cryptanalysis of the Reduced-Round RC6, International Conference on Information and Communications Security, pages 480-494.

[9] Miyaji, A., T. Takano (2005), On the Success Probability of $\chi^2$-cryptanalysis on RC6, Australasian Conference on Information Security and Privacy, pages 61-74.

[10] Miyaji, A., T. Takano (2007), Evaluation of the security of RC6 against the $\chi^2$-attack, IEICE Transactions on Fundamentals, Inst. of Electronics, Communications and Computer Sciences, vol. E90-A, No. 1 (2007), 22-28.

[11] Rivest, R. L., M. J. B. Robshaw, R. Sidney and Y. L. Yin (1998), The RC6 Block Cipher. Version 1.1, http://www.rsasecurity.com/rsalabs/

[12] Ryabko, B. (2003), Adaptive Chi-Square Test and Its Application to Some Cryptographic Problems, Cryptology ePrint Archive, http://eprint.eacr.org/

[13] Takenaka, M., T. Shimoyama, T. Koshiba (2004), Theoretical Analysis of $\chi^2$ Attack on RC6, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, volume E87-A, number 1, pages 28-35.

[14] Terada, R., I. Corrêa Jr. (2003), A stronger version of RC6 against Differential Cryptanalysis. In: Symposium on Cryptography and Information Security, 2003, Hamamatsu. Proceedings of the Symposium on Cryptography and Information Security 2003. Tokyo, Japan: Inst. of Electronics, Information and Communication Engineers, 2003. v. 2003, pages 11D04-11D09.

[15] Vaudenay, S. (1996), An Experiment on DES Statistical Cryptanalysis, ACM Conference on Computer and Communications Security, pages 139-147, http://citeseer.ist.psu.edu/