Statistical integral attack on CAST-256 and IDEA
Title: | Statistical integral attack on CAST-256 and IDEA |
---|---|
Authors: | Meiqin Wang, Long Wen, Huaifeng Chen, Tingting Cui |
Source: | Cryptography and Communications. 10:195-209 |
Publication info: | Springer Science and Business Media LLC, 2017. |
Publication year: | 2017 |
Subject terms: | Key-recovery attack, Theoretical computer science, Computer Networks and Communications, Applied Mathematics, 020206 networking & telecommunications, Plaintext, 0102 computer and information sciences, 02 engineering and technology, 01 natural sciences, law.invention, Computational Theory and Mathematics, 010201 computation theory & mathematics, law, 0202 electrical engineering, electronic engineering, information engineering, Interpolation attack, Integral cryptanalysis, Slide attack, Cryptanalysis, Ciphertext-only attack, Mathematics, Block cipher |
Description: | Integral attack, as a powerful technique in the cryptanalysis field, has been widely utilized to evaluate the security of block ciphers. Integral distinguisher is based on balanced property on output with probability one. To obtain a distinguisher covering more rounds, an attacker will usually increase the data complexity by iterating through all values of more bits of plaintexts under the firm limitation that the data complexity should be less than the whole plaintext space. In order to release the limitation and reduce the data complexity, Wang et al. proposed a statistical integral distinguisher at FSE’16. In this paper, we exploit the statistical integral distinguisher to attack the IDEA and CAST-256 block ciphers. As a result, we manage to mount a key recovery attack on 29-round CAST-256 with 2^96.8 chosen plaintexts, 2^219.4 encryptions and 2^73 bytes of memory. By making a trade-off between the time complexity and data complexity, the attack can be achieved by 2^83.9 chosen plaintexts, 2^244.4 encryptions and 2^66 bytes of memory. As far as we know, these are the best attacks on CAST-256 in the single-key model without weak-key assumption so far. What’s more, we find an integral distinguisher of IDEA block cipher, which is the longest integral distinguisher known to now. By taking advantage of this distinguisher, we achieve a key recovery attack on 4.5-round IDEA with 2^58.5 known plaintexts, 2^120.9 encryptions and 2^46.6 bytes of memory respectively. It is the best integral attack with respect to the number of rounds. |
ISSN: | 1936-2455 1936-2447 |
DOI: | 10.1007/s12095-017-0245-6 |
Access URL: | https://explore.openaire.eu/search/publication?articleId=doi_________::2c2b9745e6c235f4ff9888b8ed03d7fd https://doi.org/10.1007/s12095-017-0245-6 |
Rights: | CLOSED |
Accession number: | edsair.doi...........2c2b9745e6c235f4ff9888b8ed03d7fd |
Database: | OpenAIRE |