

    "A Study on Cryptanalysis against Symmetric Ciphers"


    A symmetric cipher is a cryptosystem that uses the same key for both encryption and decryption. Symmetric ciphers are classified into two kinds, stream ciphers and block ciphers. Block ciphers have the advantage of high-speed execution, so they are used in forms of communication that require high throughput, such as mobile phones, VPN services and WWW services. Evaluating the security of block ciphers precisely is therefore an important theme from a social point of view. However, compared with public-key encryption, the security of a block cipher is hard to evaluate theoretically.
    RC6 is a symmetric block cipher proposed by Rivest et al. and one of the five finalists of the AES competition. It supports a 128-bit block and keys of 128, 192 and 256 bits. RC6-w/r/b denotes the variant in which a plaintext of four w-bit words is encrypted in r rounds under a b-byte key; RC6-32/20/{16, 24, 32} is recommended in [RRSY98]. RC6 consists of simple arithmetic operations and data-dependent rotations, and has been praised for its high-speed software implementation. We also use the following simplified variants of RC6: RC6W denotes RC6 without pre- and post-whitening, and RC6P denotes RC6 without post-whitening.
    The χ²-attack [KM00] is known as one of the most efficient attacks against the RC6 block cipher. There are two types of attack, the distinguishing attack and the key recovery attack. A distinguishing attack distinguishes ciphertexts from random numbers; in the χ²-attack this is done with the χ²-test, the goodness-of-fit test of statistics. A key recovery attack derives the actual key, or part of it, using the result of the distinguishing attack.
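    The following is an added example, not code from this page or from RC6's designers: an RC6-w/r/b implementation with pre-/post-whitening switches that give the RC6P and RC6W variants named above, followed by the χ² goodness-of-fit statistic that a distinguishing attack measures on ciphertext bits. The cipher follows the RC6 specification (the RC6-32/20/16 test vector of the RC6 paper is reproduced); the plaintext structure and the output bits binned in the demo (lsb₃(A)||lsb₃(C) of RC6-8, with A = C = 0 and a counter in B and D) are this example's own choice and not the exact parameters of [KM00] or of Algorithm 5.

```python
# Added example: parameterised RC6-w/r/b plus a chi-square statistic (not from the page).
from typing import Iterable, List, Tuple

# Key-schedule constants P_w, Q_w of RC5/RC6 for the supported word sizes.
P = {8: 0xB7, 16: 0xB7E1, 32: 0xB7E15163, 64: 0xB7E151628AED2A6B}
Q = {8: 0x9F, 16: 0x9E37, 32: 0x9E3779B9, 64: 0x9E3779B97F4A7C15}


def _rotl(x: int, n: int, w: int) -> int:
    """Rotate the w-bit word x left by n; only the low log2(w) bits of n matter."""
    n %= w
    mask = (1 << w) - 1
    return ((x << n) | (x >> (w - n))) & mask


def _rotr(x: int, n: int, w: int) -> int:
    return _rotl(x, w - (n % w), w)


class RC6:
    """RC6-w/r/b. pre_whiten=False / post_whiten=False give the RC6W / RC6P variants."""

    def __init__(self, key: bytes, w: int = 32, r: int = 20,
                 pre_whiten: bool = True, post_whiten: bool = True) -> None:
        self.w, self.r, self.mask = w, r, (1 << w) - 1
        self.lgw = w.bit_length() - 1          # log2(w); w is a power of two
        self.pre, self.post = pre_whiten, post_whiten
        self.S = self._expand_key(key)

    def _expand_key(self, key: bytes) -> List[int]:
        w, r, m = self.w, self.r, self.mask
        u = w // 8                                       # bytes per word
        c = max(1, (len(key) + u - 1) // u)
        L = [0] * c
        for i in range(len(key) - 1, -1, -1):            # little-endian key load
            L[i // u] = ((L[i // u] << 8) + key[i]) & m
        n = 2 * r + 4                                    # round keys incl. whitening
        S = [P[w]]
        for i in range(1, n):
            S.append((S[i - 1] + Q[w]) & m)
        A = B = i = j = 0
        for _ in range(3 * max(c, n)):                   # mixing loop of the spec
            A = S[i] = _rotl((S[i] + A + B) & m, 3, w)
            B = L[j] = _rotl((L[j] + A + B) & m, A + B, w)
            i, j = (i + 1) % n, (j + 1) % c
        return S

    def encrypt_block(self, A: int, B: int, C: int, D: int) -> Tuple[int, int, int, int]:
        w, m, S, lgw = self.w, self.mask, self.S, self.lgw
        if self.pre:                                     # pre-whitening
            B, D = (B + S[0]) & m, (D + S[1]) & m
        for i in range(1, self.r + 1):
            t = _rotl((B * (2 * B + 1)) & m, lgw, w)     # f(x) = x(2x+1) <<< lg w
            u = _rotl((D * (2 * D + 1)) & m, lgw, w)
            A = (_rotl(A ^ t, u, w) + S[2 * i]) & m      # data-dependent rotations
            C = (_rotl(C ^ u, t, w) + S[2 * i + 1]) & m
            A, B, C, D = B, C, D, A
        if self.post:                                    # post-whitening
            A, C = (A + S[2 * self.r + 2]) & m, (C + S[2 * self.r + 3]) & m
        return A, B, C, D

    def decrypt_block(self, A: int, B: int, C: int, D: int) -> Tuple[int, int, int, int]:
        w, m, S, lgw = self.w, self.mask, self.S, self.lgw
        if self.post:
            C, A = (C - S[2 * self.r + 3]) & m, (A - S[2 * self.r + 2]) & m
        for i in range(self.r, 0, -1):
            A, B, C, D = D, A, B, C
            u = _rotl((D * (2 * D + 1)) & m, lgw, w)
            t = _rotl((B * (2 * B + 1)) & m, lgw, w)
            C = _rotr((C - S[2 * i + 1]) & m, t, w) ^ u
            A = _rotr((A - S[2 * i]) & m, u, w) ^ t
        if self.pre:
            D, B = (D - S[1]) & m, (B - S[0]) & m
        return A, B, C, D

    def encrypt(self, block: bytes) -> bytes:
        """Byte interface: four little-endian w-bit words, as in the RC6 paper."""
        u = self.w // 8
        words = [int.from_bytes(block[k * u:(k + 1) * u], "little") for k in range(4)]
        return b"".join(x.to_bytes(u, "little") for x in self.encrypt_block(*words))


def chi_square(counts: List[int]) -> float:
    """Goodness-of-fit statistic of observed bin counts against the uniform distribution."""
    expected = sum(counts) / len(counts)
    return sum((o - expected) ** 2 / expected for o in counts)


def lsb_histogram(cipher: RC6, plaintexts: Iterable[Tuple[int, int, int, int]],
                  nbits: int) -> List[int]:
    """Bin ciphertexts by lsb_nbits(A) || lsb_nbits(C): 2^(2*nbits) bins (example's choice)."""
    lo = (1 << nbits) - 1
    counts = [0] * (1 << (2 * nbits))
    for A, B, C, D in plaintexts:
        a, _, c, _ = cipher.encrypt_block(A, B, C, D)
        counts[((a & lo) << nbits) | (c & lo)] += 1
    return counts


if __name__ == "__main__":
    # Constructed demo: RC6-8/4/4 without post-whitening (RC6P), plaintexts with
    # A = C = 0 and a 16-bit counter split over (B, D). This plaintext structure is
    # an assumption of the example, not the exact setup of [KM00].
    rc6p = RC6(b"\x01\x23\x45\x67", w=8, r=4, post_whiten=False)
    pts = [(0, n & 0xFF, 0, n >> 8) for n in range(1 << 16)]
    counts = lsb_histogram(rc6p, pts, nbits=3)
    dof = len(counts) - 1          # mean of chi-square under the uniform hypothesis
    print(f"chi^2 = {chi_square(counts):.1f} over {len(counts)} bins (dof = {dof})")
```

    Under the uniform hypothesis the χ² statistic over k bins has mean k − 1 (the degrees of freedom); a distinguisher declares the ciphertexts non-random when the measured value exceeds that mean by a margin fixed by the desired confidence, and the number of rounds at which this still happens with a feasible number of texts is what bounds the reach of the attack. Dropping whitening (RC6P, RC6W) only removes the additions of S[0], S[1] and S[2r+2], S[2r+3]; the round function is unchanged.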
    To confirm the accuracy of our theory, we apply our Algorithm 5 to RC6-8 and compute the experimental and theoretical success probabilities. The results show that our theory estimates the success probability precisely.
    The best previous attack on 192- and 256-bit-key RC6 [KM00] recovers the correct key for 14- and 16-round RC6, respectively. Our algorithm works on 16-round RC6 with both 192- and 256-bit keys, which improves on the previous result. As a consequence, we can answer the open question of [KM00], namely whether the χ²-attack can be used to attack RC6 with 16 or more rounds.

