Improved Integral Attack on HIGHT

Abstract

HIGHT is a lightweight block cipher with 64-bit block length and 128-bit security, and it is based on the ARX-based generalized Feistel network. HIGHT became a standard encryption algorithm in South Korea and also is internationally standardized by ISO/ICE 18033-3. Therefore, many third-party cryptanalysis against HIGHT have been proposed. Especially, impossible differential and integral attacks are applied to reduced-round HIGHT, and the current best attack under the single-key setting is 27 rounds using the impossible differential attack. In this paper, we propose an improved integral attack against HIGHT. We first propose new 19-round integral characteristics by using the propagation of the division property, and they are improved by two rounds compared with previous integral characteristics. Finally, we can attack 28-round HIGHT by appending 9-round key recovery. Moreover, we can attack 29-round HIGHT if the full code book is used, and it improves by two rounds compared with previous best attack.

Appendices

A Detailed MILP Model for HIGHT

In this appendix, the detailed algorithm to search for integral characteristics on HIGHT is described.

As a result of running the Algorithm 2 with our machine (CPU: i5-6500 @ 3.20 GHz, 3.20 GHz/RAM: 8.00 GB/64-bit operating system, x64 base processor), it took about 50 min.

B Involved Key Size in Key Recovery

In this appendix, the detailed analyses of the involved key size in the calculation of \( Z^{r}_{i} \) is described.

Table 5. The number of involved key bytes in calculation of \( Z^{r}_{i} \)

C Detailed Addition of Whitening Layer

In this appendix, we described detailed procedure how to add the whitening layer to three 19-round integral characteristics. The first 2-round procedure on HIGHT is shown in Fig. 6. Please refer to Table 3 in order to know the relationship between the round keys and the master keys.

Fig. 6.

1-st and 2-nd round procedure of HIGHT

We consider the extension from IC1’ and the lsb of \(X^{2}_{0}\) is represented as

$$\begin{aligned} X^{2}_{0}[0]&= X^{1}_{7}[0] \oplus SK_{7}[0] \oplus F_0(X^{1}_{6})[0] \\&= X^{0}_{6}[0] \oplus WK_{3}[0] \oplus SK_{7}[0] \oplus F_0(F_1(X^{0}_{4} \boxplus WK_{2}) \oplus SK_{2} \boxplus X^{0}_{5})[0]. \end{aligned}$$

We can ignore the value of \(WK_{3}[0]\) and \(SK_{7}[0]\) because \(X^{2}_{0}[0]\) is added linearly by them using XOR. But we cannot ignore that this extension requires guessing the value of \( K_{14} \) and \( K_{2} \) as \(WK_{2}\) and \(SK_{2}\), respectively. Next, we consider the extension from IC3’. In case of considering the lsb, we can regard the modular addition as the XOR. So the lsb of \(X^{2}_{2}\) is represented as

$$\begin{aligned} X^{2}_{2}[0]&= X^{1}_{1}[0] \oplus SK_{4}[0] \oplus F_1(X^{1}_{0})[0] \\&= X^{0}_{0}[0] \oplus WK_{0}[0] \oplus SK_{4}[0] \oplus F_1(F_0(X^{0}_{6} \oplus WK_{3}) \boxplus SK_{3} \oplus X^{0}_{7})[0]. \end{aligned}$$

This extension requires guessing the value of \(K_{15}\) and \(K_{3}\) as \(WK_{3}\) and \(SK_{3}\), respectively. Finally, we consider the extension from IC4’ and the second lsb is represented as

$$\begin{aligned} X^{2}_{2}[1]&= X^{1}_{1}[1] \oplus F_1(X^{1}_{0})[1] \oplus SK_{4}[1] \oplus (X^{1}_{1}[0] \times (F_1(X^{1}_{0})[0] \oplus SK_{4}[0])), \end{aligned}$$

where each \(X^{1}\) are represented as follows:

$$\begin{aligned} X^{1}_{1}[1]&= X^{0}_{0}[1] \oplus WK_{0}[1] \oplus (X^{0}_{0}[0] \times WK_{0}[0])), \\ X^{1}_{1}[0]&= X^{0}_{0}[0] \oplus WK_{0}[0], \\ X^{1}_{0}&= F_0(X^{0}_{6} \oplus WK_{3}) \boxplus SK_{3} \oplus X^{0}_{7}. \end{aligned}$$

This extension requires guessing the value of \(K_{4}[0], K_{12}[0], K_{15}\) and \(K_{3}\) as \(SK_{4}[0], WK_{0}[0], WK_{3}\) and \(SK_{3}\), respectively.