
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

A Property for Full CLEFIA128 Detected by a Middletext Distinguisher under the KnownKey Setting
Kazumaro AOKI
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E97A
No.1
pp.292297 Publication Date: 2014/01/01
Online ISSN: 17451337
DOI: 10.1587/transfun.E97.A.292
Print ISSN: 09168508 Type of Manuscript: Special Section LETTER (Special Section on Cryptography and Information Security) Category: Keyword: CLEFIA, higherorder integral, integral attack, middletext distinguisher, knownkey attack, zerosum,
Full Text: PDF(125.9KB) >>Buy this Article
Summary:
CLEFIA is a 128bit block cipher proposed by Shirai et al. at FSE 2007, and it was selected as several standards. CLEFIA adopts a generalized Feistel structure with the switching diffusion mechanism, which realizes a compact hardware implementation for CLEFIA, and it seems one of the promising candidates to be used for restricted environments, which require that a cryptographic primitive is versatile. It means that we need to evaluate the security of CLEFIA even for unusual scenario such as knownkey scenario. As Knudsen and Rijmen did for 7round AES at Asiacrypt 2007, we construct 17round knownkey distinguisher using two integral characteristics. To combine the 17round knownkey distinguisher with the standard subkey recovery technique for a secretkey scenario, we can construct a knownkey distinguisher for full CLEFIA128 from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009. The knownkey distinguisher requires query of 2^{112} texts, time complexity of 2^{112}, and memory complexity of 2^{3} blocks, with the advantage of e^{1}, where e is the base of the natural logarithm. Note that there is no practical impact on the security of CLEFIA128 for the current usages, since the result can only work under the knownkey setting and data used by the adversary are enormous and needs a special form.

