Integral Attack Against Bit-Oriented Block Ciphers

Abstract

Integral attack is an extremely important and extensively investigated cryptanalytic tool for symmetric-key primitives. In this paper, we improve the integral attack against bit-oriented ciphers. First, we propose the match-through-the-Sbox technique based on a specific property of the Sbox. Instead of computing the inverse of the Sbox in partial decryption, we independently calculate two Boolean functions which accept less input bits. The time complexity is thus reduced and the number of attacked rounds will be stretched. Second, we devise an easy-to-implement algorithm for construction of the integral distinguisher, which is then proved to be very effective for constructing lower order distinguishers. It shows SIMON 32, 48, 64, 96 and 128 has 13-, 14-, 17-, 21- and 25-round integral distinguisher, respectively, significantly improving the recent results from EUROCRYPT 2015. Finally, our techniques are applied to several ciphers. We attack one more round than the previous best integral attack for PRESENT and first evaluate the securities of SIMON family (except for SIMON 32) and RECTANGLE with integral attack.

A Details of Step 3

Compute \(\mathop \bigoplus \limits _{{\varLambda _s}} (Y^8[32] \oplus Y^8[0])\) for \(0 \le s < N\).

• We guess 12-bit subkey: \({K^{10}}[i] \oplus {K^{10}}[i + 32],{K^{10}}[i + 16],{K^{10}}[i + 48]\) for \(i \in \{0,2,8,10\} \), and compute the value of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[8] \oplus {Y^9}[40]\) for each ciphertext. Count how many times each 14-bit value appears: \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{4,6,12,14\} \). And then pick the values which appear odd times.

• Guess 3 subkey bits, \({K^{10}}[4] \oplus {K^{10}}[36],{K^{10}}[20]\) and \({K^{10}}[52]\). Compress the data into at most \({2^{12}}\) values of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{6,12,14\} \), which appear odd times.

• Guess 3 subkey bits, \({K^{10}}[12] \oplus {K^{10}}[44],{K^{10}}[28]\) and \({K^{10}}[60]\). Compress the data into \({2^{10}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,48]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[i] \oplus {Y^{10}}[i + 32],{Y^{10}}[i + 16],{Y^{10}}[i + 48]\) for \(i \in \{6,14\} \).

• Guess 3 subkey bits, \({K^{10}}[6] \oplus {K^{10}}[38],{K^{10}}[22]\) and \({K^{10}}[54]\). Compress the data into \({2^{8}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,24,48]\), \({Y^9}[8] \oplus {Y^9}[40]\) and \({Y^{10}}[14] \oplus {Y^{10}}[46],{Y^{10}}[30],{Y^{10}}[62]\).

• Guess 3 subkey bits, \({K^{10}}[14] \oplus {K^{10}}[46],{K^{10}}[30]\) and \({K^{10}}[62]\). Compress the data into \({2^{6}}\) texts of \({Y^9}[0] \oplus {Y^9}[32]\), \({Y^9}[16,24,48,56]\), \({Y^9}[8] \oplus {Y^9}[40]\).

• Guess 3 subkey bits, \({K^{9}}[0] \oplus {K^{10}}[32],{K^{10}}[16]\) and \({K^{10}}[48]\). Compress the data into \({2^{4}}\) texts of \({Y^8}[0]\), \({Y^9}[24,56]\), \({Y^9}[8] \oplus {Y^9}[40]\).

• Guess 3 subkey bits, \({K^{9}}[8] \oplus {K^{10}}[40],{K^{10}}[24]\) and \({K^{10}}[56]\). Compress the data into \({2^{2}}\) texts of \({Y^8}[0,32]\).

• Compute \(\mathop \bigoplus \limits _{{\varLambda _s}} ({Y^8}[32] \oplus {Y^8}[0])\) for \(0 \le s < N\) and save the 30-bit guessed subkey \(K_2\) in a hash table \({H'}\) indexed by the corresponding N-bit result.

The time complexity is \({2^{30}} + {2^{29}} + {2^{30}} + {2^{31}} + {2^{32}} + {2^{33}} + {2^{34}} = {2^{35}}\) computations of the Sbox.