Differential Attack on Five Rounds of the SC2000 Block Cipher

Similar documents
Differential and Rectangle Attacks on Reduced-Round SHACAL-1

Differential-Linear Cryptanalysis of Serpent

Related-Key Rectangle Attack on 42-Round SHACAL-2

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

New Results on Boomerang and Rectangle Attacks

Bit-Pattern Based Integral Attack

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Towards Provable Security of Substitution-Permutation Encryption Networks

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Linear Cryptanalysis of Reduced-Round PRESENT

Chapter 2 - Differential cryptanalysis.

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Revisit and Cryptanalysis of a CAST Cipher

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Impossible Differential Attacks on 13-Round CLEFIA-128

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Linear Cryptanalysis of Reduced-Round Speck

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Algebraic Techniques in Differential Cryptanalysis

Linear Cryptanalysis

New Combined Attacks on Block Ciphers

Security Analysis of the Block Cipher SC2000

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Block Cipher Cryptanalysis: An Overview

Impossible Boomerang Attack for Block Cipher Structures

A Five-Round Algebraic Property of the Advanced Encryption Standard

On Multiple Linear Approximations

Structural Cryptanalysis of SASAS

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Chapter 1 - Linear cryptanalysis.

Enhancing the Signal to Noise Ratio

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

jorge 2 LSI-TEC, PKI Certification department

Cryptanalysis of the SIMON Family of Block Ciphers

A Byte-Based Guess and Determine Attack on SOSEMANUK

Complementing Feistel Ciphers

Improving the Time Complexity of Matsui s Linear Cryptanalysis

DK-2800 Lyngby, Denmark, Mercierlaan 94, B{3001 Heverlee, Belgium,

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Linear Cryptanalysis Using Multiple Approximations

On Correlation Between the Order of S-boxes and the Strength of DES

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

A Byte-Based Guess and Determine Attack on SOSEMANUK

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

Linear Approximations for 2-round Trivium

Block Ciphers and Systems of Quadratic Equations

Linear Cryptanalysis of RC5 and RC6

Statistical and Algebraic Properties of DES

S-box (Substitution box) is a basic component of symmetric

Impossible Differential Cryptanalysis of Mini-AES

Structural Cryptanalysis of SASAS

Specification on a Block Cipher : Hierocrypt L1

Affine equivalence in the AES round function

FFT-Based Key Recovery for the Integral Attack

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Lecture 12: Block ciphers

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

KFC - The Krazy Feistel Cipher

Improbable Differential Cryptanalysis and Undisturbed Bits

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

MasterMath Cryptology /2 - Cryptanalysis

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

Essential Algebraic Structure Within the AES

ON DISTINGUISHING ATTACK AGAINST THE REDUCED VERSION OF THE CIPHER NLSV2

Improved Multiple Impossible Differential Cryptanalysis of Midori128

How Biased Are Linear Biases

Extended Criterion for Absence of Fixed Points

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

Royal Holloway University of London

Advanced differential-style cryptanalysis of the NSA's skipjack block cipher

Algebraic Techniques in Differential Cryptanalysis

Analysis of SHA-1 in Encryption Mode

How Fast can be Algebraic Attacks on Block Ciphers?

Key classification attack on block ciphers

Improved Analysis of Some Simplified Variants of RC6

Experimenting Linear Cryptanalysis

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

Cryptanalysis of Hummingbird-2

Hardware Design and Analysis of Block Cipher Components

Improved Slide Attacks

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

A Pseudo-Random Encryption Mode

The Hash Function JH 1

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

New Results in the Linear Cryptanalysis of DES

DD2448 Foundations of Cryptography Lecture 3

Security of the AES with a Secret S-box

Key Difference Invariant Bias in Block Ciphers

Research Article New Linear Cryptanalysis of Chinese Commercial Block Cipher Standard SM4

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Improved Cascaded Stream Ciphers Using Feedback

Subspace Trail Cryptanalysis and its Applications to AES

Module 2 Advanced Symmetric Ciphers

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Transcription:

Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com Abstract. SC2 is a 28-bit block cipher with a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds if a 28-bit user key is used. It is a CRYPTREC recommended e-government cipher. In this paper we describe one 4.75-round differential characteristic with probability 2 26 of SC2 and thirty 4.75-round differential characteristics with probability 2 27. Finally, we exploit these 4.75-round differentials to conduct a differential cryptanalysis attack on a 5-round reduced version of SC2 when used with a 28-bit key. The attack suggests for the first time that the safety margin of SC2 with a 28-bit key decreases below one and a half rounds. Key words: Block cipher, SC2, Differential cryptanalysis Introduction The SC2 block cipher [, 2] has a 28-bit block size and a user key of 28, 92 or 256 bits, which employs a total of 6.5 rounds for a 28-bit user key, and a total of 7.5 rounds for a 92 or 256-bit key. It was designed to have high performance on a wide range of platforms from the low-end processors used in smart cards and mobilephones to the high-end ones that will be available in the near future by suitably implementing it in each platform, and also to have high security [3]. In 22, SC2 became a CRYPTREC recommended e- government cipher [4], after a thorough analysis of its security and performance. In this paper we consider the version of SC2 that uses 28 key bits. The SC2 designers [, 2] first analysed the security of SC2 against differential cryptanalysis [5] as well as certain other cryptanalytic methods, such The work was done when the author was with Royal Holloway, University of London (UK). This paper was published in Postproceedings of INSCRYPT 9 The 5th China International Conference on Information Security and Cryptology, Beijing, CHINA, Feng Bao, Moti Yung, Dongdai Lin and Jiwu Jing (eds), Volume 65 of Lecture Notes in Computer Science, pp. 5 59, Springer-Verlag, 2.

2 Table. Cryptanalytic results on SC2 Attack T ype Rounds Data T ime Source Boomerang attack 3.5 2 67 ACPC 2 67 Memory accesses [8] Rectangle attack 3.5 2 84.6 CP 2 84.6 Memory accesses [8] Linear attack 4.5 2 4.3 KP 2 83.3 Memory accesses [2] 4.5 2 5.2 KP 2 42.3 Memory accesses [2] Differential attack 4.5 2 CP 2 Encryptions [7] 4.5 2 4 CP 2 2 Memory accesses [2] 5 2 27 CP 2 32 Memory accesses This paper as linear cryptanalysis [6]. In 2, Raddum and Knudsen [7] presented a differential attack on 4.5-round SC2, which is based on two 3.5-round differential characteristics with probabilities 2 6 and 2 7, respectively. In 22, by exploiting a few short differentials with large probabilities, Biham et al. [8] presented boomerang [9] and rectangle [] attacks on 3.5-round SC2, following the work described in []. In the same year, Yanami et al. [2] described a 2-round iterative differential characteristic with probability 2 58, and obtained a 3.5-round differential characteristic with probability 2 by concatenating the 2-round differential twice and then removing the first half round; finally they presented a differential attack on 4.5-round SC2 with a time complexity smaller than that of the attack of Raddum and Knudsen. Yanami et al. also presented linear attacks on 4.5-round SC2. These are the best previously published cryptanalytic results on SC2 in terms of the numbers of attacked rounds. In this paper we describe one 4.75-round differential characteristic with probability 2 26 and thirty 4.75-round differential characteristics with probability 2 27, building on the two-round iterative differential characteristic with probability 2 58 of Yanami et al. Finally, using these 4.75-round differential characteristics we present a differential cryptanalysis attack on 5-round SC2, faster than an exhaustive key search. The attack is the first published attack on 5- round SC2. Table sumarises both the previous and our new cryptanalytic results on SC2, where ACPC, CP and KP respectively refer to the required numbers of adaptive chosen plaintexts and ciphertexts, chosen plaintexts, and known plaintexts. The remainder of this paper is organised as follows. In the next section, we give the notation, and describe differential cryptanalysis and the SC2 block cipher. In Section 3, we give the 4.75-round differential characteristics. In Section 4, we present our differential attack on 5-round SC2. Section 5 concludes the paper.

3 2 Preliminaries In this section we give the notation used throughout this paper, and then briefly describe differential cryptanalysis and the SC2 cipher. 2. Notation In all descriptions we assume that the bits of a n-bit value are numbered from to n from left to right, the most significant bit is the -th bit, a number without a prefix expresses a decimal number, and a number with prefix x expresses a hexadecimal number. We use the following notation. bitwise logical exclusive OR (XOR) operation bitwise logical AND operation functional composition. When composing functions X and Y, X Y denotes the function obtained by first applying X and then applying Y exchange of the left and right halves of a bit string X bitwise logical complement of a bit string X 2.2 Differential Cryptanalysis Differential cryptanalysis [5] takes advantage of how a specific difference in a pair of inputs of a cipher can affect a difference in the pair of outputs of the cipher, where the pair of outputs are obtained by encrypting the pair of inputs using the same key. The notion of difference can be defined in several ways; the most widely discussed is with respect to the XOR operation. The difference between the inputs is called the input difference, and the difference between the outputs of a function is called the output difference. The combination of the input difference and the output difference is called a differential. The probability of a differential is defined as follows. Definition. If α and β are n-bit blocks, then the probability of the differential (α, β) for a block cipher E, written α β, is defined to be Pr E ( α β) = Pr P {,} n(e(p ) E(P α) = β). For a random function, the expected probability of a differential for any pair (α, β) is 2 n. Therefore, if Pr E ( α β) is larger than 2 n, we can use the differential to distinguish E from a random function, given a sufficient number of chosen plaintext pairs. 2.3 The SC2 Block Cipher SC2 takes as input a 28-bit plaintext. For simplicity, we describe the plaintext P as four 32-bit words (d, c, b, a). The following three elementary functions I, B and R are used to define the SC2 round function, as shown in Fig..

4 I B I 32 32 S 32 32 6 mask M L 28 28 S 6 S 6 M mask R function S 6 R function Fig.. The round function of SC2 The I function: the bitwise logical XOR () operation of the 28-bit input with a 28-bit round subkey of four 32-bit words. The B function: a non-linear substitution, which applies the same 4 4 S- box S 4 32 times in parallel to the input. For a 28-bit input (d, c, b, a ), the output (d, c, b, a ) is obtained in the following way: (d k, c k, b k, a k ) = S 4 (d k, c k, b k, a k ), where X k is the k-th bit of the word X ( k 3). The R function: a substitution-permutation Feistel structure, which consists of three subfunctions S, M and L. Each of the right two 32-bit words of the input to the R function is divided into 6 groups containing 6, 5, 5, 5, 5 and 6 bits, respectively. These six groups are then passed sequentially through the S function, consisting of two 6 6 S-boxes S 6 and four 5 5 S-boxes, and the linear M function that consists of 32 32-bit words (M[],, M[3]). Given an input a, the output of the M function is defined as a M[] a 3 M[3]. The outputs of the two M functions are then input to the L function. For a 64-bit input (a, b ) the output of the L function is defined as ((a mask)b, (b mask)a ), where mask is a constant (and mask is the complement of mask). Two masks x55555555 and x33333333

5 are used in SC2, in the even and odd rounds, respectively. Finally, the output of the L function is XORed with the left two 32-bit words of the input to the R function, respectively. We denote the L and R functions with mask x55555555 as L 5 and R 5, respectively, and the L and R functions with mask x33333333 as L 3 and R 3, respectively. The round function of SC2 is made up of two I functions, one B function and two R functions. We write Kj i for the subkey used in the jth I function of Round i, and write Kj,l i for the l-th bit of Ki j, where i 6, j =,, l 27. The full 6.5-round encryption procedure of SC2 can be described as: I K B I K R 5 R 5 I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6 B I K 6. Note that we refer to the first round as Round. See [2] for its key schedule. 3 4.75-Round Differential Characteristics of SC2 In this section we describe the 4.75-round differential characteristics. 3. 2-Round Iterative Differential Characteristic of Yanami et al. In 22, Yanami et al. [2] described the results of a search over all the possible two-round iterative differential characteristics with only one active S function in every round for any two consecutive rounds I B I R 5 R 5 I B I R 3 R 3. Their result is that the best two-round iterative differential characteristic (i.e. that with the highest probability) is (α, β, β, ) (α, β, β, ) with probability 2 58 : (α, β, β, ) I B I/2 5 (β,,, ) R 3 R 3 /2 6 γ = x2. (, β,, ) R5 R5/2 6 (β, γ,, β) I B I/2 (α, β, β, ), where α = x2, β = x244 and 3.2 The 4.75-Round Differential Characteristics As a result, we can obtain a 4-round differential characteristic (α, β, β, ) (α, β, β, ) with probability 2 6 by concatenating the above two-round iterative differential twice. It is essential to try to exploit an efficient (i.e. with a relatively high probability) differential operating over more than four rounds in order to break more rounds of SC2. However, this 4-round differential cannot be extended to a differential characteristic operating over more than four rounds with a probability larger than 2 28, as appending even a half round R 3 R 3 at the beginning will cost a probability of 2 6 and appending a B function at the end will cost at least a probability of 2 3. Nevertheless, observe that from the above two-round iterative differential characteristic it follows that two-round iterative differential characteristic (β, γ,, β) (β, γ,, β) for any two consecutive rounds I B I R 3 R 3 I B I R 5 R 5 also holds with a probability of 2 58 : (β, γ,, β) I B I/2

6 (x244,,, x244) L 3 L 3 L 5 L 5 I B I (x244,,, ) (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) 2 2 6 2 5 2 6 2 L 3 L 3 L 5 L 5 (x2, x244, x244, ) I B I (, x244,, ) (x244, x2,, x244) I B I (x244,,, ) L 3 (x244, ) (, ) 2 6 2 5 2 6 2 Fig. 2. A 4.75-round differential characteristic with probability 2 26 (β,,, ) R3 R3/2 6 (α, β, β, ) I B I/2 5 (, β,, ) R5 R5/2 6 (β, γ,, β). It might seem counter-intuitive at first, but there is a major difference between this and the previous iterative 2-round differential characteristic: we can append a.75-round differential characteristic (β, γ,, β) I B I R3 (β,,, ) with a probability of 2 at the end of this differential characteristic! Therefore, we can obtain a 4.75-round differential characteristic (β, γ,, β) (β,,, ) with probability 2 27. By changing the input difference to the difference (β,,, β) we can get a 4.75-round differential characteristic with probability 2 26, and this 4.75-round differential characteristic is depicted in Fig. 2. When we change the input difference for only one of the five active S 4 S-boxes to a value in {x, x2, x6, x7, xd, xf }, we get a total of thirty 4.75-round differential

7 characteristics with probability 2 27. We denote by Ω the set of the 3 input differences for the thirty-one 4.75-round differential characteristics. The differential distribution table of the S 4 S-box is given in [2], and the differential distribution table of the S-box is shown in Table 2 in Appendix A. (The characteristics do not make an active S 6 S-box, so we do not give its differential distribution table.) In a natural way, we might try to find a better differential characteristic on greater than four rounds by first exploiting short differentials with similar structures and then concatenating them, for the above 4.75-round differential obtained from the two-round iterative differential is just a special case among these. Motivated by this idea, we perform a computer search over all the possible differentials for such one round R R I B I with only one R function active and the right two 32-bit input differences and one of the left two 32- bit input differences being zero; moreover, in order to ensure that the resulting differential is capable of being concatenated with itself, we also require that the right two 32-bit output words and one of the left two 32-bit output words have a zero difference. Surprisingly, we find that the differential characteristics (β,,, ) R 3 R 3 I B I (, β,, ) and (, β,, ) R 5 R 5 I B I (β,,, ) in the above two-round iterative differential are the best (i.e. with the highest probabilities) among those with the same forms, respectively. Our search for other similar forms gives no better result. 4 Differential Attack on 5-Round SC2 In this section, we present a differential cryptanalysis attack on 5 rounds of SC2 when used with a 28-bit key. 4. Preliminary Results We first concentrate on the propagation of the output difference of the 4.75- round differential characteristic described above through the following R 3 I K 6 operation. The output difference (β,,, ) will definitely propagate to a difference with the form ( Y x33333333, Y, β, ) after the following R 3 function, where Y GF (2 32 ). Since the function has a uniform differential probability of 2 4, there are totally 2 6 possible values for Y ; we denote the set of all the 2 6 possible differences ( Y x33333333, Y, β, ) by Γ. The difference ( Y x33333333, Y, β, ) will be kept after the following linear I K 6 function. On the other hand, having known the 28-bit difference after the I K 6 function for a ciphertext pair, we only need to guess the 64 subkey bits (K,64, 6, K,27) 6 of K 6 to check whether this pair could produce the difference (β,,, ) just before the adjacent R 3 function. For our case, as a candidate difference just after the I K 6 function should be with the form ( Y x33333333, Y, β, ), we only need to guess the 2 subkey bits K,7, 6, K,89 6 corresponding to the four active S-Boxes in the adjacent R 3 function to determine whether a ciphertext

8 pair with a candidate difference could produce the output difference of the above 4.75-round differential characteristics. 4.2 Attack Procedure By using the 4.75-round differential characteristics, we can mount a differential attack on the following 5 rounds of SC2: I K B I K R 3 R 3 I K 2 B I K 2 R 5 R 5 I K 3 B I K 3 R 3 R 3 I K 4 B I K 4 R 5 R 5 I K 5 B I K 5 R 3 R 3 I K 6. The attack procedure is as follows.. Choose 2 7 structures, where a structure is defined to be a set of 2 2 plaintexts with the 2 bits for the five active S 4 S-boxes taking all the possible values and the other 8 bits fixed. In a chosen-plaintext attack scenario, obtain the corresponding ciphertexts. Keep only the plaintext pairs that have a difference belonging to the set Ω and whose ciphertext pairs have a difference belonging to the set Γ. 2. Guess the 2 subkey bits (K,7, 6, K,89) 6 of K 6 in the I K 6 function, and do as follows. (a) For every remaining ciphertext pair: Partially decrypt the corresponding 2 bits of the two ciphertexts through the I K 6 function and the four active S-boxes in the adjacent R 3 operation, compute the 64-bit difference just after the L 3 operation in the R 3 operation, then XOR it with the left 64-bit difference of the ciphertext pair, and finally check whether the resultant 64-bit difference is zero. (b) Count the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero, and record this number for the guessed (K,7, 6, K,89). 6 Repeat Step 2 with another guess; and go to Step 3 if all the guesses are tested. 3. For each of the top m ranking guesses for (K,7, 6, K,89) 6 according to the numbers recorded in Step 2(b), (specific values of m will be given below), exhaustively search for the remaining 8 key bits with two known plaintext/ciphertext pairs. If a 28-bit key is suggested, output it as the user key of the 5-round SC2. 4.3 Complexity Analysis The attack requires 2 27 chosen plaintexts. Typically, encrypting chosen plaintexts is assumed to be done by some challenger who holds the user key (i.e. the challenger s running time), and is not counted as part of the time complexity of an attack. In Step, it is expected that 2 7 (22 ) 2 2 3 6 2 3.96 plaintext 5 pairs remain after the filtering condition about Ω, and 2 3.96 26 2 = 2 8.96 ciphertext pairs remain after the filtering condition about Γ; and it requires about 28 3 2 27 2 32 memory accesses to filter out the satisfying ciphertext pairs. Strictly speaking, this is a little more than 5 rounds.

9 The time complexity of Step 2 is dominated by the partial decryptions, which is approximately 2 2 2 2 8.96 4 5 236 5-round SC2 encryptions. Step 3 has a time complexity of m 2 8 5-round SC2 encryptions. The signal-to-noise ratio for the attack is 3 3 2 27 + 3 2 26 2 2.4. In Step 2(b), for the correct 28 key guess the number of the ciphertext pairs with the 64-bit difference computed in Step 2(a) being zero is expected to be 2 3.96 ( 3 3 2 27 + 3 2 26 ) = 6. According to Theorem 3 of [3], we have that the success probability for the attack is about 67% when m =, and is about 98.7% when m = 2 5. 5 Conclusions SC2 is a 28-bit block cipher, which is one of the CRYPTREC e-government Recommended Ciphers. In this paper we have described a few 4.75-round differential characteristics with a probability of larger than 2 28. Finally, using the 4.75-round differential characteristics we have presented a differential attack on 5-round SC2 when used with 28 key bits. The presented attack is theoretical, like most cryptanalytic attacks on block ciphers; and from a cryptanalytic view it suggests for the first time that the safety margin of SC2 with a 28-bit key decreases within one and a half rounds. Acknowledgments The author is very grateful to Prof. Chris Mitchell and the anonymous referees for their editorial comments. References. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The SC2 block cipher. In Proceedings of the First Open NESSIE Workshop, 2. 2. Shimoyama, T., Yanami, H., Yokoyama, K., Takenaka, M., Itoh, K., Yajima, J., Torii, N., Tanaka, H.: The block cipher SC2. In: Matsui, M. (ed.) FSE 2. LNCS, vol. 2355, pp. 32 327. Springer, Heidelberg (22) 3. Fujitsu Laboratories, http://jp.fujitsu.com/group/labs/en/techinfo/techno te/crypto/sc2.html 4. Cryptography Research and Evaluatin Committees CRYPTREC Report 22. Available at http://www.ipa.go.jp/security/enc/cryptrec/index-e.html 5. Biham, E., Shamir, A.: Differential cryptanalysis of the Data Encryption Standard. Springer-Verlag (993). 6. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 993. LNCS, vol. 765, pp. 386 397. Springer, Heidelberg (994) 7. Raddum, H., Knudsen, L.R.: A differential attack on reduced-round SC2. In: Vaudenay, S., Youssef, A. (eds.) SAC 2. LNCS, vol. 2259, pp. 9 98. Springer, Heidelberg (2)

8. Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp. 6. Springer, Heidelberg (22) 9. Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 999. LNCS, vol. 636, pp. 56 7. Springer, Heidelberg (999). Biham, E., Dunkelman, O., Keller, N.: The rectangle attack rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2. LNCS, vol. 245, pp. 34 357. Springer, Heidelberg (2). Dunkelman, O., Keller, N.: Boomerang and rectangle attacks on SC2. In Proceedings of the Second Open NESSIE Workshop, 2. 2. Yanami, H., Shimoyama, T., Dunkelman, O.: Differential and linear cryptanalysis of a reduced-round SC2. In: Daemen, J., Rijmen, V. (eds.) FSE 22. LNCS, vol. 2365, pp. 34 48. Springer, Heidelberg (22) 3. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. Journal of Cryptology 2(), 3 47 (28) A The Differential Distribution Table of the S-box

Table 2. The differential distribution table of the S-box input 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 2 2 22 23 24 25 26 27 28 29 3 3 32 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 5 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 6 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 8 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 9 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 5 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 6 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 7 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 8 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 9 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 22 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 23 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 24 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 25 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 26 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 27 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 28 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 29 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback