Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com School of Telecommunications Engineering, idian University, i an. Shaanxi 77, P.R. China Abstract. CLEFIA is a 8-bit block cipher proposed by Sony Corporation in 7. Our paper introduces a new chosen text attack, the impossible differential-linear attack, on iterated cryptosystems. The attack is efficient for 6-round CLEFIA with whitening keys. In the paper, we construct a -round impossible differential-linear distinguisher. Based on the distinguisher, we present an effective attack on 6-round CLEFIA- 8 with data complexity of.7, recovering 96-bit subkeys in total. Our attack can also be applied to CLEFIA-9 and CLEFIA-56. Keywords:CLEFIA, impossible differential-linear cryptanalysis, impossible differential cryptanalysis, linear approximation. Introduction CLEFIA [6] is a 8-bit block cipher supporting key lengths of 8, 9 and 56 bits. It achieves enough immunity against known attacks and is flexible enough for efficient implementation in both hardware and software. As a block cipher proposed by Sony Corporation in 7, CLEFIA has received significant amount of cryptanalytic attention. However, except for the evaluation report [7] from the designer s, there are only a few significant cryptanalytic results about its security against various cryptanalytic techniques. At present, the most powerful attack on CLEFIA is a series of impossible differential attacks on reduced rounds of it. The first one is proposed by its designers in the evaluation report of CLEFIA [7]. In FSE 8, Tsunoo et al. introduced This work is supported by the National Natural Science Foundation of China (No.675, 6775), Beijing Natural Science Foundation (N.466), the th Five-year Cryptography Development Foundation of China (No.MMJJ6), the Fundamental Research Funds for the Central Universities, Scientific Research and Postgraduate Training Cooperation Project- Scientific Research Base-New Theory of Block Cipher and Obfuscation and their Application Research, and Foundation of State Key Laboratory of Information Security(Nos.-, --6). To whom correspondence should be addressed.

new 9-round impossible differentials for CLEFIA, and presented a -round attack on CLEFIA-8 with 8.9 chosen plaintexts and 9 encryptions[8]. Later, by the same impossible differential distinguisher, Zhang et al. presented an attack on 4-round CLEFIA, in which the design team pointed out a flaw and showed that it is not successful[9]. In IndoCrypt, Tezcan proposed improbable differential cryptanalysis and applied it to /4/5-round CLEFIA-8/96/56 by taking advantage of relations among the round keys [4]. Our Contribution. In this paper, we will propose a new method, the impossible differential-linear attack, to analyze the CLEFIA block cipher. By constructing a -round distinguisher, using the new method, and combining it with key relations we found, we propose an attack on 6-round CLEFIA-8 with data complexity of.7 and time complexity of.7. Furthermore, Appendix A presents another distinguisher construction. The attacks to another 6-round is also given in Appendix B, we also show an attack on 5-round CLEFIA-8 in Appendix C. Our attacks are more efficient comparison to the present results. In Appendix D we also provide some key relations. Outline.This paper is organized as follows: Section provides a brief description of CLEFIA, and Section introduces our new method of impossible differentiallinear attack. In section 4 we present details of the -round impossible differentiallinear distinguisher. The 6-round impossible differential-linear attack on CLEFIA- 8 is discussed in detail in section 5. We summarize our results in section 6. Description of CLEFIA. Notation a b : The concatenation of a and b; a (b) : b is the bit length of a; a T : The transposition of a vector a; P = (P, P, P, P ) : A 8-bit plaintext, P i {, } ( i ); C = (C, C, C, C ) : A 8-bit ciphertext, C i {, } ( i ); (i, i, i, i ) : The ith round input data, j i {, } : The OR value of and ;. CLEFIA CLEFIA is a 8-bit block cipher having a generalized Feistel structure with four -bit data lines. For the key lengths of 8, 9, and 56 bits, CLEFIA has 8,, and 6 rounds respectively. The encryption function uses four -bit whitening keys W K, W K, W K, W K {, } and r -bit round keys, where r is the number of rounds. i {, } ( i < r) represents round key, and W K, W K, W K, W K {, } are whitening keys. We denote d- branch r-round generalized Feistel network employed in CLEFIA as GF N d,r.

P P P P F WK F WK k k k k x S y x S y F F x x S S M y y 4 5 F F F k k k k r F r 4 F x x S S y y r r F WK F WK x x F S S M y y C C C C F (a) Encryption function ENC r (b) Functions and F Fig.. CLEFIA The encryption process can be seen in Fig. (a). The details of GF N 4,r are as follows: Step. T T T T P (P W K ) P (P W K ) Step. For i = to r do the following: T T F (T, i ), T T F (T, i+ ) T T T T T T T T Step. C C C C T (T W K ) T (T W K ) Each round contains two parallel F functions, F and F, and their structures are shown in Fig. (b) where S and S are 8 8-bit S-boxes. The details of F are as follows: Step. T T T T x, T i {, } 8, x {, } Step. T S (T ), T S (T ), T S (T ), T S (T ) Step. y = M (T, T, T, T ) T, y {, } F is defined by replacing the terms in F as follows: S is replaced with S, S with S, and M with M.

The two matrices M and M used in the F-functions are defined as follows. x x x4 x6 x x8 x xa M = x x x6 x4 x4 x6 x x, M = x8 x xa x x xa x x8 x6 x4 x x xa x x8 x. Key Scheduling For the 8-bit key, the Double Swap function Σ : {, } 8 {, } 8 is defined as follows: (8) [7 6] [ 7] [ 6] [64 ] where [a b] denotes a bit string cut from the a-th bit to the b-th bit of. Let K = K K K K be the key and L be an intermediate key, the key scheduling consists of the following steps: Step. L GF N 4, (CON,, CON, K,, K ) Step.W K W K W K W K K Step. For i= to 8 do the following: T L (CON 4+4i CON 4+4i+ CON 4+4i+ CON 4+4i+ ) L Σ(L) If i is odd: T T K 4i 4i+ 4i+ 4i+ T We need 6 constant values CON (s) ( s 59) in the 8-bit key scheduling algorithm. Let R = xb7e(= (e ) 6 ) and Q = x4f(= (π ) 6 ), where e is the base of the natural logarithm (.788...) and π is the circle ratio (.459...). CON (s) are generated by the following way, in which IV 8 = x48a(= ( ) 6 ) Step. T IV 8 Step. For j = to 9 do the following: CON j (T R) (T <<< ) CON j+ (T Q) (T <<< 8) T T x (mod z 6 + z 5 + z + z + z 5 + z 4 + ) The key relations we found are illustrated in Appendix D. The Impossible Differential-Linear Attack Inspired by the differential-linear attack, first introduced by Langford and Hellman in [], we propose a new cryptanalytic method called impossible differentiallinear attack, because it combines the impossible differential cryptanalysis and linear cryptanalysis together. The attack is not completely new, since the impossible differential attack and linear attack were typical and widely used in

previous attacks on various cryptosystems. However, no previous work has been done on combining these two together. The block cipher E is represented as E = E E, where E and E are two subciphers. We use an impossible differential Ω P Ω T with probability for E, and a linear approximation λ P λ T with probability / + q for E, where λ P Ω T is a fixed value π( or ). Our impossible differential-linear attack procedures are described as follows:. Encrypting stage: Let M be the set of chosen plaintext pairs whose difference P P is Ω P, we encrypt distinct plaintexts in M. In E, we have E (P ) E (P ) Ω T with probability. In E, we can get equations λ P E (P ) λ T E (E (P )) λ K K = () and λ P E (P ) λ T E (E (P )) λ K K =. Both of their probabilities are / + q. Consequently, using the piling up lemma presented in [5], we can get λ P (E (P ) E (P )) = λ T E (E (P )) λ T E (E (P )) () with probability / + q.. Decrypting stage: In this stage we will guess part of the subkeys. Then decrypt some rounds of the ciphertext pairs with the guessed subkeys. Decrypting process is also separated into two subciphers E and E, i.e., D = E E. In the first decrypting subcipher E, take λ P Ω T = π into Eq.(), it can be rewritten as λ T E (E (P ))λ T E (E (P )) = λ P Ω T = π. In fact, we just partially decrypt all ciphertext pairs (C, C )=(E (E (P )), E (E (P ))) with each guessed subkeys in the first decrypting subcipher E. The subkeys, with the maximal probability not suiting Eq.() λ P E (C) λ P E (C ) = π, () is regard as the correct subkeys. Denote the set of pairs satisfying E (C) E (C ) = Ω T as T, and denote the set of pairs satisfying λ P E (C) λ P E (C ) = π as V. It is certain that T V. Property. For T V, if an impossible map M V, another impossible map M T also holds. Proof. Assume that there is a map F : M T. Randomly choose p M, and compute t = F (p) T. Since T V, we can get t V, which indicates that there is t = F (p) V, i.e., the map F : M V holds. It contradicts to the known condition.

. Sieving stage: Guess part of the first rounds subkeys, and eliminate those wrong values by showing that the impossible property holds if these subkeys are used. That is, we eliminate those wrong values in terms of E (P ) E (P ) E (C) E (C ), where λ P E (C) λ P E (C ) = π. From Property, after sieving stage, the right values must satisfy that E (P ) E (P ) Ω T. Property. In Sieving stage, the success probability of sieving guessed values by E (P ) E (P ) E (C) E (C ), where λ P E (C) λ P E (C ) = π, is much higher than the filtering probability using E (P ) E (P ) Ω T. Proof. In Sieving stage, we eliminate those wrong guessed key values which satisfy Eq.(). When the number of eliminated values is less than the total number, the more eliminated values, the higher successful sieving probability. After the first decrypting subcipher E, The number of the key values satisfying Eq.() is (C) E (C ) = Ω T. more than the number of the wrong key values with E So Property is established. We named all the above as an impossible differential-linear distinguisher. The probability of our distinguisher is dominated by the above steps -, which can be estimated separately as follows. The success rates are /+q and in Encrypting stage and Decrypting stage, respectively. Because our elimination principle is sieving the values using the condition E (P ) E (P ) E (E (E (P ))) E (E (E (P ))), where λ P E (E (E (P ))) λ P E (E (E (P ))) = π, the total probability of our distinguisher is (/ + q ), i.e., / q. The key recovery attack requires about 8 O(q 4 ) chosen plaintext pairs. 4 The -Round Impossible Differential-Linear Distinguisher In this section, we first present a -round impossible differential-linear distinguisher, which consists of a 9-round impossible differential characteristic followed by a 4-round linear approximation. 4. 9-Round Impossible Differential Characteristic Paper [8] presented several 9-round impossible differential characteristics. We choose the following one that is the most efficient and suitable to our attack: (, ϖ,, ) (, β,, ), where ϖ = (,,, x), β = (y,,, ) After the encryption of 9 rounds, the input difference of the th round cannot have the following form: 9 = ( 9, 9, 9, 9 ) = (β,,, ) (4) with probability as illustrated in Fig..

F F 8 8 8 8 6 7 F F 9-round impossible differential characteristic 9 P F 9 9 F 9 8 9 9 Q P F F Q P F, ), P F, ) Q ( ( Q T T Q P Q F F F, ), Q F, ) T ( ( T 4-round linear characteristic Q P T 4 5 Q P T F F F, 4), P F, 4 ) Q ( ( Q 4 P T P ' 9 P P T K K Fig.. -round impossible differential-linear distinguisher 4. 4-Round Linear Characteristic Here we will describe the construction of a 4-round linear characteristic illustrated in Fig., which is from round to round. Details of the 4-round linear characteristic are described as follows. In the th round, we get 9 =. In the th round, based on the definition of the round function F, we can get the following two equations: F (, ) =, =

Using linear approximations for the non-linear S-boxes in F, we can get the following equation. λ P F (, ) = λ Q λ Q As a result, the linear characteristic of the th round can be expressed by the following equation: λ P = λ P λ Q λ Q, p = / + q (5) Similarly, the linear characteristic of the th round can be expressed as λ Q = λ Q λ T λ T, p = / + q (6) In the th round, we can first get the following equation. F (, 4 ) =, = Next, we can choose an appropriate pair of values (λ P, λ Q ) by taking the linear characteristics expressed in Eq.(5) and Eq.(6) into account and get the linear characteristic of the th round as follows: λ P = λ P λ Q λ Q 4, p = / + q (7) Finally, by concentrating the above linear characteristics of rounds - together, we can have the following property: Property. If Eq.(5)-(7) hold, we can get the following 4-round linear characteristic of CLEFIA from round to round : λ P 9 = λ P = λ P λ T λ K K, p = / + q q q (8) Proof. If Eq.(5)-(7) are true, this property is obvious from the CLEFIA structure. Note. Similarly, if we arbitrarily choose a 4-round CLEFIA from round i(i ) to round i +, we can rewrite Eq.(5)-(7) as following Eq.(5 )-(7 ): λ P i+ = λ P i+ λ Q i+ λ Q (i+)+, p = / + q (5 ) λ Q i+ = λ Q i+ λ T i+ λ T (i+), p = / + q (6 ) λ P i+ = λ P i+4 λ Q i+4 λ Q (i+), p = / + q (7 ) and we can obtain the following 4-round linear characteristic λ P i = λ P i+ = λ P i+4 λ T i+ λ K K, p = / + q q q

4-Round Linear Approximations. Furthermore, we can derive the 4-round linear input mask from the above 4-round linear characteristic. Let (v, u) k be an approximation of a -bit invertible function F s ( i j, k), ( s, k 5). Eq.(5) suggests that the linear approximation of function F (, ) is (v, u) = (λ Q, λ P ) (9) Eq.(6) indicates that the linear approximation of function F (, ) is and Eq.(7) indicates (v, u) = (λ T, λ Q ) () (v, u) 4 = (λ Q, λ P ). () Denoting the input mask of the j th -bit input data in the i th round as ( i 6, j ), which is also the output mask of the ((j + IM j i )mod4) th output data in the (i ) th round, we can get IM = IM = λ P from Eq.(9), IM = IM = λ Q and IM = λ T from Eq.(), and IM = IM = λ P from Eq.(). In addition, we can also derive IM =, IM =, and IM =, and so on. As a result, we can derive some 8-bit input masks as follows: Property 4. If Property holds, the 8-bit input masks of 4-round CLEFIA are: In the th round: IM 9 = (IM 9, IM 9, IM 9, IM 9 ) = (λ P,,,). In the th round: IM = (IM, IM, IM, IM ) = (,,, λ P ). In the th round: IM = (IM, IM, IM, IM ) = (, λ Q, λ P, ). In the th round: IM = (IM, IM, IM, IM ) = (λ Q, λ P,, λ T ). In the 4 th round, IM = (IM, IM, IM, IM ) = (λ P,, λ T, ), where denotes an unknow -bit input mask. Note. If a 4-round CLEFIA, from round i(i ) to round i +, satisfies Eq.(5 )-(7 ), their 8-bit input masks are IM i = (λ P,,,), IM i+ = (,,, λ P ), IM i+ = (, λ Q, λ P, ), and IM i+ = (λ Q, λ P,, λ T ), respectively. Additionally, IM i+4 = (λ P,, λ T, ). 4. The -Round Impossible Differential-Linear Distinguisher Here, we first propose a new property, impossible differential-linear property, which is a concatenation of impossible differential characteristic and linear characteristic. To concatenate the above two parts together, the core technology resides in how to link the output differential 9 = (β,,, ) and the input masks IM 9 = (λ P,,,) of the th round together? From section 4., we have β = (y,,, ), y F 8 \{}. If choosing λ P = (, λ, λ, λ ),λ {,,...ff}, by Eq.(4), we can get the following equation with probability : λ P 9 = λ P (9 9 ) =. ()

As a result, we always have IM 9 9 = (,,, ) in the th round, which links the output differential 9 and the input masks IM 9 together. Property 5. For a pair of plaintexts (P, P ) whose difference is (, ϖ,, ) with ϖ = (,,, x), if we choose λ P = (, λ, λ, λ ),λ {,,...ff}, the 4-round linear characteristic can be concatenated to the 9-round impossible differential characteristic based on Eq.(8)and Eq.() to form the following -round impossible differential-linear distinguisher. λ P ( ) λ T ( ) = () Details of another -round impossible differential distinguisher are discussed in Appendix A. 4.4 Selection of λ In this subsection, we show how to select the values for λ P, λ Q and λ T to make the bias of the 4-round linear characteristic as high as possible. At first, we analyze the linear approximation of F in the th round as follows. λ P F (, ) = λ Q λ Q The four bytes output of the S-boxes are denoted as (u, v, z, w). Then the round function can be expressed as: F (, ) = M (S( )) = M (u, v, z, w) According to the definition in section, we can get the following equation: u (8 v) ( z) (a w) M (u, v, z, w) T = (8 u) v (a z) ( w) ( u) (a v) z (8 w) (a u) ( v) (8 z) w Next, based on the discussion in section 4. about how to choose value for λ P, the left part of the linear approximation can be computed as follows: λ P F (, ) = { λ λ λ } M (u, v, z, w) T = λ (v (8 v) z ( z) w (a w)) Note that the primitive polynomial used in the multiplication is z 8 + z 4 + z + z +, which can be denoted as a binary string. Hence, we can compute the parity of λ ( z) as follows: λ ( z) = λ (z << ), z 7 = λ (z << ), z 7 =

where z 7 denotes the left-most bit of z. By choosing an appropriate value of λ such that λ =, the above two cases can both be transformed into the following equation: λ ( z) = λ (z << ) = (λ >> ) z no matter what the left-most bit of z is. Similarly, when λ also satisfies (λ >> ) =, the parity of λ (8 v) and λ (a w) can be computed respectively as follows: λ (8 v) = λ (v << ) = (λ >> ) v λ (a w) = λ (( w) (8 w)) = ((λ >> ) (λ >> )) w Therefore, the left part of the linear approximation can be transformed into the following equation: λ P F (, ) = (λ (λ >> )) v (λ (λ >> )) z (λ (λ >> ) (λ >> )) w = {, λ (λ >> ), λ (λ >> ), λ (λ >> ) (λ >> )} (u, v, z, w) By utilizing the linear distribution table of each S-box, we use the following linear approximation for each S-box (ε denotes the bias of the linear approximation). (λ (λ >> )) v = λ ( ), p 4 = / + ε (λ (λ >> )) z = λ ( ), p 5 = / + ε (λ (λ >> ) (λ >> )) w = λ ( ), p 6 = / + ε where ( ) j stands for the j th byte of ( )( j ), and (u, v, z, w) denotes the corresponding output of each S-box respectively. As a result, we get the following linear approximation for the function F in the th round. λ P F ( ) = {, λ, λ, λ } ( ), p = / + ε ε ε Note that we choose λ Q as the form of λ Q = {, λ, λ, λ }, such that we can make use of the property of the linear transformation as described in section 4.. Similar analysis can be applied to the linear approximation used in the th and th round. By running through all the possible values of λ P, λ Q and λ T that satisfies the above conditions, we can choose the following three linear approximations which achieve the highest biases. {, f6, f6, f6} F ( ) = {, eb, eb, eb} ( ) whose probability is p /.6. {, eb, eb, eb} F ( ) = {, 49, 49, 49} ( )

whose probability is p /.8. {, f6, f6, f6} F ( 4) = {, eb, eb, eb} ( 4) whose probability is p /.9. Plugging the corresponding values of λ P, λ Q and λ T into Eq.(5)-(8), we can get the following -round linear characteristic of CLEFIA. {, f6, f6, f6} = {, f6, f6, f6} {, 49, 49, 49} λ K K (4) whose probability is p /.6. Finally, the decrypting stage of the -round impossible differential-linear distinguisher can be expressed as: {, f6, f6, f6} ( ) {, 49, 49, 49} ( ) = (5) The total probability of the -round impossible differential-linear distinguisher can be computed as described in section, which is about / 6.6. 5 The Impossible Differential-Linear Attack on 6-Round CLEFIA-8 In this section, we explain our impossible differential-linear attack on 6-round CLEFIA-8 with whitening keys. In this attack, we set the above -round impossible differential-linear distinguisher as rounds -5, and extend two rounds backward and one round forward as shown in Fig.. The expression of the decrypting stage of the -round impossible differentiallinear distinguisher should be transformed to the following form: {, f6, f6, f6} (5 5 ) {, 49, 49, 49} ( 4 ) =, (6) and the total probability of the -round impossible differential-linear distinguisher is around / 6.6, theoretically. Based on the analysis in section, we can know that approximately ( 6.6 ) 6. correct pairs are needed to mount the key recovery attack. In the following, we first introduce how to obtain the plaintext pairs, then describe the attack procedure in detail as illustrated in Fig.. In the end, we estimate the data complexity and time complexity of our attack. 5. Chosen Plaintext We choose a structure composed of 7 plaintexts that is defined as follows: S P = (,,, ) j, j 7, If we choose plaintext pairs (P, P ) where P = (,,, ) and P = (,,, ) = ( δ, γ,, ϖ), whose difference takes the form P = (δ, γ,, ϖ) with ϖ = (,,, x), δ = (aw, w, 8w, w), w = M (S(x )) M (S(x x)) (x F 8), and γ = (v, v, v, v ). We can get = (, ϖ,, ). For the computations of δ and γ, please refer to Fig.. Thus, we have 55 possible values of both ϖ and δ, possible values of γ, and one structure can produce about 9 distinct plaintext pairs. 4

F WK F WK 8 (,,, x), x F \ {} * F (, ) F (, ) * F (, ) F (, ) F F 4 5 F F 4 F 4 4 4 8 9 F -round impossible differentiallinear distinguisher 5 6 5 5 5 F 6 WK 6 F 6 WK ( F (, )) ( WK ) (,*,*,*) 6 5 5 Fig.. 6-round impossible differential-linear attack 5. The Impossible Differential-Linear Attack on 6-Round CLEFIA-8 with Whitening Keys In the following, we will discuss our impossible differential-linear attack on 6- round CLEFIA-8 with whitening keys in detail. In Fig., plaintext P =, ciphertext C = 6. Step. Take 5.7 structures defined above, i.e. 7 5.7 =.7 plaintexts, so 9 5.7 = 69.7 plaintext pairs. Encrypt.7 distinct plaintexts for 6 rounds. Insert all ciphertexts into a table T indexed by 5, ( 5 = 6 ). Step. Let -bit subkey and 4-bit subkey ( 9 W K ) be indexed by N,..., N 56 and reset N i ( i 56 ).

Create a table T of F (5, ), indexed by all values of and values of 5. For every guess of (-bit), look up the value of F (5, ) in T for each 5, and obtain the value of 5 W K = 6 F (5, ) for each 6. Select only the pairs whose difference are equal in the first byte of (5 W K ), the expected number of such pairs is 69.7 8 = 6.7. Then for every guess of the last three bytes of subkey 9 W K (4- bit), we can partially compute the value of λ Q 4 = λ Q (F (5 W K, 9 W K )6 ) for each 6, and the value of λ P 5 λ Q 4. If the pair satisfies Eq.(6), increment the corresponding N i by. After running all 56 guesses, we output the minimum value of N i as the 56-bit correct subkeys. Based on the analysis in section and [,5], we know that approximately 8 ( 6.6 ).5 plaintext pairs are needed for the -round impossible linear distinguisher, we expect to have 8. pairs left with this condition. Step. We eliminate those wrong 4-bit values for the first two rounds subkey (, ) (The first three zero bytes of ϖ only lead to the last byte of that affects F, so -bit and 8-bit ) by showing that the impossible property holds if these subkeys are used. To do so, we use a precomputation stage. At this precomputation stage, we consider all pairs whose difference (,,, ) = (, ϖ,, ) after the first two rounds encryption. To achieve this, we need to perform two step, the first step makes sure that =, and the second step enables =. ). If =, there are possible values for. We perform A = F ( W K ) and create a hash table H containing one of the outputs of A and the OR of the two outputs ( ). There are possible values for ( ), and on average one value of corresponds to each value of ( ). Now for each of the 8. remaining pairs we compute ( ), and use the table H to fetch one possibility of that corresponds to the computed ( ). The process identifies roughly one wrong value for the subkey by ORing the plaintext and A. The probability of a wrong -bit value for is ( ). After analyzing all 8. pairs, we expect only ( ) 8. 75 wrong values of remaining. ). In round, if =, there are possible values for. We perform A = F ( ) = F ( ) and create a hash table H containing one of the outputs of A and OR of the two outputs ( ). There are possible values for ( ) and 8 possible values for. Now for each of the 8. remaining pairs we compute ( ), and use the table H to fetch one possibility of that corresponds to the computed ( ). The process identifies roughly one wrong value for the subkey by ORing the plaintext and A. The probability of a wrong 8-bit value for is ( ). After analyzing all 8. pairs, we expect only 8 ( ) 8. 99 wrong values of.

Therefore, wrong values of the 4-bit of (, ) can be established unless the initial guess of the -bit value of or 4-bit value of ( 9 W K ) is correct. It is expected that we can eliminate the whole 4-bit value of and in this step, since the wrong values of (,, ( 9 W K ), ) remains with a small probability of max{ 56 75 = 9, 56 99 = 4 }. Hence if there remains a value of (, ), we can assume that the guessed 56-bit values for ( 9 W K ) and are correct. Our attack can recover 96-bit subkeys. Complexity Analysis. According to the above analysis, a structure has 7 plaintexts, we need about 5.7 structures, so the data complexity of our attack is about 7 5.7 =.7. Step need.7 encrypting operations, Step requires ( ) 97 F operations, which is equal to 96 one round operation. The required time for memory access in step is less than ( ) 8. + ( 8 ) 8.. F operations, i.e.. operations one round. Therefore, the total time complexity of our attack can be estimate as about.7 + ( 96 +. ) / 6.7..7/ = 9.7 bytes of memory are needed to store the table T, 96 / = 9 bytes of memory are needed to store the list of deleted key values (, 9,, ), = bytes of memory are needed to store the hash table (H, H ), and 64 / = 6 bytes of memory are needed to store table T. Our attack can recover 96-bit subkeys (,, 9 W K, ). Note. For another -round impossible differential-linear distinguisher and another 6-round attack to CLEFIA-8, please refer to Appendix A and Appendix B, respectively. For attacks to 5-round CLEFIA-8, please refer to Appendix C. Our attack is also effective to CLEFIA-9 and CLEFIA-56. 6 Conclusion In this paper, we present a new attack, impossible differential-linear attack, and achieve a result of 6-round CLEFIA-8 with.7 CP, and time complexity is also.7. The comparison of cryptanalytic results with CLEFIA is illustrated in Table, which shows that our attack is more efficient than the present results. The attack is also effective to 5-round CLEFIA-8, given in Appendix C. References. E. Biham, O. Dunkelman, N. Keller. Enhancing Differential-Linear Cryptanalysis, Advances in Cryptology, Proceedings of ASIACRYPT, Lecture Notes in Computer Science 5, pp. 54-66, Springer, (). A. Bogdanov, V. Rijmen. Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers. In: http://eprint.iacr.org//.. S. K. Langford, M. E. Hellman. Differential-Linear Cryptanalysis, Advances in Cryptology. In:Proceedings of CRYPTO94. LNCS, vol. 89, pp. 7-5. Springer, Heidelberg (994)

Table. Comparison of Cryptanalysis Results of CLEFIA-8 Reference Rounds Recover Key Data Complexity Time Complexity [6,7] -bit.7 [8] 7-bit 8.9 9 [9] 8-bit 8.9 8 this paper 6 96-bit.7.7 this paper 6 4-bit 4.5 this paper 5 64-bit 4.5 9. this paper 5 64-bit 4.5 99. 4. C. Langford. Improbable Differential Attack-Cryptanalysis of Reduced Round CLEFIA, Advances in Cryptology. In:Proceedings of INDOCRYPT. LNCS, vol. 6498, pp. 97-9. Springer, Heidelberg () 5. M. Matsui. Linear Cryptanalysis Method for DES Cipher, Advances in Cryptology. In:Proceedings of EUROCRYPT9. LNCS, vol. 765, pp. 86-97. Spinger, Heidelberg (994) 6. T. Shirai, K. Shibutani, T. Akishita, S. Moriai, T. Iwata. The 8-bit Blockcipher CLEFIA. In:Proceedings of Fast Software Encryption 7, LNCS, vol. 459, pp. 8-95.(7) 7. Sony Corporation. The 8-bit blockcipher CLEFIA: Security and performance evaluations. Revision., On-Line document, 7.June (7), http://www.sony.co.jp/products/clefia/technical/data/clefia-eval-..pdf 8. Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Saito, T. Suzaki and H. Kubo. Impossible Differential Cryptanalysis of CLEFIA. In:Fast Software Encryption-FSE 8, LNCS, vol. 586, pp. 98-4. Springer, Verlag (8). 9. W. Zhang, J. Han. Impossible Differential Analysis of Reduced Round CLEFIA. In:Beijing, China. Proc of Inscrypt 8. pp. 8-9. (8)

Appendix A. Another -round impossible differential-linear distinguisher Another -round impossible differential-linear distinguisher concatenates an impossible differential (,,, ϖ) (,,, β) [] with a 4-round linear characteristic. For details please refer to Fig.4. ϖ F F 8 8 8 8 6 7 F F β 9-round impossible differential characteristic 9 β F 9 9 F 9 8 9 = 9 λ Q λ P F F ( = λ ( λ = F, ), P F, ) = λq Q 4-round linear characteristic λ P λ T λ Q F F ( = λ ( λ = F, ), Q F, ) = λt T λ T λ Q λ P 4 5 F F ( = λ ( λ = F, 5), P F, 5 ) = λq Q 5 λ Q λ P λ P ' 9 = λp = λp λt λk K Fig. 4. -round impossible differential-linear distinguisher

Appendix B. Another Attack on 6-round CLEFIA-8 Another 6-round attack on CLEFIA-8 is illustrated in Fig.5 with the - round impossible differential-linear distinguisher in section 4, and three rounds extension on plaintext side. Its main ideas is: Choose a structure composed of 4 plaintexts, whose corresponding plaintext pairs are of the form P = (ϖ, ξ, γ, θ). Encrypt all 8 plaintext pairs, select only the pairs whose ciphertexts are equal in the first byte of 6. According to section 5., we can recover 4-bit subkeys. The data complexity is about [ 4 8 ( 6.6) / ( 8 8 8)] 4.5. The time complexity is [( ) / +(( ) 7 + ( ) 7 + ( 8 ) 7 ) / ] / 6

F WK F F F 8 (,,, x), x F \ {} * WK F (, 5 ) F (, 5 ) * F (, ) F (, ) F (, ) F (, ) * F (, ) F (, ) * 5 F 4 F 7 F 6 F 5 5 5 5 F WK F -round impossible differentiallinear distinguisher WK 6 6 6 6 6 (,*,*,*) Fig. 5. 6-round impossible differential-linear attack

Appendix C. Attacks on 5-round CLEFIA-8 The attacks to 5-round CLEFIA-8 below are all with whitening keys. The details of the attack can be divided into two cases. The first extension is one round on plaintext side, and one round on ciphertext side as illustrated in Fig.6. We can choose a structure composed of 4 plaintexts, whose plaintext differences is of the form P = (,, ϖ, δ). Obviously, one structure can produce about 55 different plaintext pairs. Similar to the section 5., we can recover 64-bit subkey composed of (8bit), 7 (4bit), and 8 (bit), with impossible differential-linear attack. The data complexity is The time complexity is 4 [8 ( 6.6 ) / ( 55 8 8 )] 4.5 [( ) / + (( 8 ) 8 ) / ] / 5 9. The second extension is two rounds on plaintext side, illustrated in Fig. 7. We can choose a structure composed of 7 plaintexts, whose plaintext differences is of the form P = (δ, γ,, ϖ). Obviously, one structure can produce about 9 distinct plaintext pairs. Similar to section 5., we can recover 64-bit subkey, that is (bit), (8bit), and 9(4bit), with impossible differential-linear attack. The data complexity is 7 [8 ( 6.6 ) / ( 9 8 8 )] 4.5 The time complexity is [( ) / +(( ) 4 + ( 8 ) 4 ) / ] / 5 99.

F WK ϖ F δ WK 8 ϖ = (,,, x), x F \ {} * δ = F (, ) F ( ϖ, ) ϖ F F 6 7 F F -round impossible differentiallinear distinguisher 4 4 4 4 8 9 F WK F WK 5 5 5 5 ( F (, )) = ( WK ) = (,*,*,*) 5 4 8 4 Fig. 6. 5-round impossible differential-linear attack

F WK F 8 (,,, x), x F \ {} * WK F (, ) F (, ) * F (, ) F (, ) F F 4 5 F F 4 F 4 4 4 8 9 WK F -round impossible differentiallinear distinguisher WK 5 5 5 5 5 (,*,*,*) Fig. 7. 5-round impossible differential-linear attack

Appendix D. Round Key Relation According to the description in section, we can get the relationship between generated round keys and related data as follows: L CON 4 CON 5 CON 6 CON 7 4 5 6 7 Σ(L) K CON 8 CON 9 CON CON 8 9 Σ (L) CON CON CON 4 CON 5 4 5 Σ (L)K CON 6 CON 7 CON 8 CON 9 6 7 8 9 Σ 4 (L) CON 4 CON 4 CON 4 CON 4 Σ 5 (L)K CON 44 CON 45 CON 46 CON 47 4 5 Σ 8 (L) CON 56 CON 57 CON 58 CON 59 Based on the properties proved in [5], we get the following key relations: C = [56 6] [ ] [7 7] C = [7 95] [96 99] [ 6] 4 C = [ 4] [8 ] [ 55] 5 C 4 = [ ] [5 7] [64 7] where C = CON 56 (CON 5 [56 6] CON 7 [ ] CON 7 [7 7] ) C = CON 57 (CON 6 [7 95] CON 7 [96 99] CON 7 [ 6] ) C = CON 58 (CON 4 [ 4] CON 4 [8 ] CON 5 [ 55] ) C 4 = CON 59 (CON 4 [ ] CON 4 [5 7] CON 6 [64 7] ) Thus we get the following properties from the above derivations: Property 6.. If bits are known, we can get 4 bits [7 95], and 8 bits [96 99] [ 6]. Property 7.. If bits 4 are known, then we can get 8 bits [ 4] [8 ], and 4 bits [ 55].