
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

KeyDependency of Linear Probability of RC5
Shiho MORIAI Kazumaro AOKI Kazuo OHTA
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E80A
No.1
pp.918 Publication Date: 1997/01/25 Online ISSN:
DOI: Print ISSN: 09168508 Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security) Category: Keyword: RC5, linear cryptanalysis, linear probability, weak key, keydependency,
Full Text: PDF(660.8KB)>>
Summary:
In estimating the vulnerability of a block cipher to differential cryptanalysis and linear cryptanalysis, we must consider the fact that the differential probability and the linear probability vary with the key. In the case of cryptosystems where the round key is XORed to the input data of each round, the difference in both types of probability with different keys is regarded as negligible. However, this is not the case with RC5. This paper makes a primary analysis of the keydependency of linear probability of RC5. Throughout this paper we study "precise" linear probability. We find some linear approximations that have higher deviation (bias) for some keys than the "best linear approximation" claimed by Kaliski and Yin in CRYPTO'95. Using one linear approximation, we find 10 weak keys of RC5_{4/2/2} with linear probability 2^{1}, 2 weak keys of RC5_{4/5/16} with linear probability 2^{2}, and a weak key of RC5_{16/5/16} with linear probability 2^{15.4}, while KaliskiYin's "best biases" are 2^{3}, 2^{9}, and 2^{17}, respectively.


