Fast Fourier Transform Key Recovery for Integral Attacks

Yosuke TODO  Kazumaro AOKI  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E98-A   No.9   pp.1944-1952
Publication Date: 2015/09/01
Online ISSN: 1745-1337
Type of Manuscript: PAPER
Category: Cryptography and Information Security
block ciphers,  integral attack,  Even-Mansour,  key-alternating cipher,  Feistel structure,  FFT,  FWHT,  

Full Text: PDF(867.4KB)
>>Buy this Article

An integral attack is one of the most powerful attacks against block ciphers. We propose a new technique for the integral attack called the Fast Fourier Transform (FFT) key recovery. When N chosen plaintexts are required for the integral characteristic and the guessed key is k bits, a straightforward key recovery requires the time complexity of O(N2k). However, the FFT key recovery only requires the time complexity of O(N+k2k). As a previous result using FFT, at ICISC 2007, Collard etal proposed that FFT can reduce the time complexity of a linear attack. We show that FFT can also reduce the complexity of the integral attack. Moreover, the estimation of the complexity is very simple. We first show the complexity of the FFT key recovery against three structures, the Even-Mansour scheme, a key-alternating cipher, and the Feistel structure. As examples of these structures, we show integral attacks against Prøst, AES, PRESENT, and CLEFIA. As a result, an 8-round Prøst P128,K can be attacked with about an approximate time complexity of 279.6. For the key-alternating cipher, a 6-round AES and a 10-round PRESENT can be attacked with approximate time complexities of 251.7 and 297.4, respectively. For the Feistel structure, a 12-round CLEFIA can be attacked with approximate time complexities of 287.5.