Show description

22 operations. Calculation of the Coefficients Related to the Bits X 6 [0 − 6]. In this case, the procedure is simpler: Improved Higher-Order Differential Attacks on MISTY1 45 1. We guess the 57 key bits of K1 , K7 , K8 , K4 [7 − 15] and partially decrypt all the 244 ciphertexts through F L10 and the first two F I layers of round 7. At this stage, the data can be reduced to a list of size 237 , where the 37 bits are 14 bits of CR , 7 bits in B and the input to F I7,3 . 2. We guess the 25 bits of EK7,3,i i = 1, 2, 3.

Differential forgery attack against LAC, July 2014. inria. fr/hal-01017048 ¨ Biclique cryptanalysis of TWINE. In: 20. , Manulis, M. ) CANS 2012. LNCS, vol. 7712, pp. 43–55. Springer, Heidelberg (2012) 21. : Impossible differential attack on reduced-round TWINE. -G. ) ICISC 2013. LNCS, vol. 8565, pp. 123–143. Springer, Heidelberg (2014) 22. : PRESENT: an ultra-lightweight block cipher. , Verbauwhede, I. ) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) 23. : Improved single-key attacks on 8-round AES-192 and AES-256.

As we show below, all the steps of the attack can be performed very efficiently, such that even when they are repeated 36 times, the overall time complexity is still dominated by encrypting the plaintexts. We obtain 12 11’th order differentials, but due to linear dependence, we can use only 7 of them simultaneously. By using the same arguments (with F L3 ◦ F L1 in place of F L3), we can divide the 44’th order differential of 4round MISTY1 used in [13] into 12 43’th order differentials and use 7 of them simultaneously.