A Property for Full CLEFIA-128 Detected by a Middletext Distinguisher under the Known-Key Setting

Kazumaro AOKI  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E97-A   No.1   pp.292-297
Publication Date: 2014/01/01
Online ISSN: 1745-1337
Print ISSN: 0916-8508
Type of Manuscript: Special Section LETTER (Special Section on Cryptography and Information Security)
CLEFIA,  higher-order integral,  integral attack,  middletext distinguisher,  known-key attack,  zero-sum,  

Full Text: PDF(125.9KB)
>>Buy this Article

CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE 2007, and it was selected as several standards. CLEFIA adopts a generalized Feistel structure with the switching diffusion mechanism, which realizes a compact hardware implementation for CLEFIA, and it seems one of the promising candidates to be used for restricted environments, which require that a cryptographic primitive is versatile. It means that we need to evaluate the security of CLEFIA even for unusual scenario such as known-key scenario. As Knudsen and Rijmen did for 7-round AES at Asiacrypt 2007, we construct 17-round known-key distinguisher using two integral characteristics. To combine the 17-round known-key distinguisher with the standard subkey recovery technique for a secret-key scenario, we can construct a known-key distinguisher for full CLEFIA-128 from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009. The known-key distinguisher requires query of 2112 texts, time complexity of 2112, and memory complexity of 23 blocks, with the advantage of e-1, where e is the base of the natural logarithm. Note that there is no practical impact on the security of CLEFIA-128 for the current usages, since the result can only work under the known-key setting and data used by the adversary are enormous and needs a special form.