Integral Cryptanalysis and Impossible Differential Cryptanalysis of the <i>μ</i><sup>2</sup> Algorithm

HU Bin; ZHANG Guixian

doi:10.11999/JEIT210638

Volume 44 Issue 9

Sep. 2022

Turn off MathJax

Article Contents

Article Navigation > Journal of Electronics & Information Technology > 2022 > 44(9): 3335-3342

HU Bin, ZHANG Guixian. Integral Cryptanalysis and Impossible Differential Cryptanalysis of the μ2 Algorithm[J]. Journal of Electronics & Information Technology, 2022, 44(9): 3335-3342. doi: 10.11999/JEIT210638

Citation:

HU Bin, ZHANG Guixian. Integral Cryptanalysis and Impossible Differential Cryptanalysis of the μ² Algorithm[J]. Journal of Electronics & Information Technology, 2022, 44(9): 3335-3342. doi: 10.11999/JEIT210638

Citation:

PDF( 2135 KB)

Integral Cryptanalysis and Impossible Differential Cryptanalysis of the μ² Algorithm

doi: 10.11999/JEIT210638 cstr: 32379.14.JEIT210638

HU Bin,
ZHANG Guixian^,

The SSF Information Engineering University, Zhengzhou 450001, China

Funds: The National Natural Science Foundation of China (61802438)

Received Date: 2021-06-28
Accepted Date: 2022-03-10
Rev Recd Date: 2022-02-26

Available Online: 2022-03-20

Publish Date: 2022-09-19

Abstract

Abstract

$ {\mu ^{\text{2}}} $ is a lightweight block cipher designed by Yeoh et al (doi: 10.1007/978-981-15-0058-9-27). The cipher has 15 rounds in total and adopts TYPE-II generalized feistel network. The ability of the $ {\mu ^{\text{2}}} $ algorithm to resist differential analysis and linear analysis is evaluated by Yeoh et al. in the design document, but the ability of $ {\mu ^{\text{2}}} $ algorithm to resist integral attack and impossible differential attack is not clear. In this paper, 8/9-round integral distinguishers and 9-round impossible difference are given. Using 8-round integral distinguishers, 9-round $ {\mu ^{\text{2}}} $ is attacked and the time complexity of the attack is ${2^{76}}$ 9-round encryptions, the data complexity is ${2^{48}}$, and the memory complexity is ${2^{48}}$. Using 9-round impossible difference, 11-round $ {\mu ^{\text{2}}} $ is attacked and the time complexity of the attack is ${2^{49}}$ 11-round encryptions, the data complexity is ${2^{64}}$ pairs of plaintexts. The results show that the 9-round $ {\mu ^{\text{2}}} $ algorithm can not resist integral attack, and the 11-round $ {\mu ^{\text{2}}} $ algorithm can not resist impossible differential analysis. In addition, the ability of $ {\mu ^{\text{2}}} $ algorithm to resist differential attack is reevaluated, and the maximum probability of differential characteristic of 4-round $ {\mu ^{\text{2}}} $ algorithm is ${{\text{2}}^{{{ - 39}}}}$, which is more compact than the probability ${2^{ - 3{\text{6}}}}$ of 4-round differential characteristic pointed out in the design report.
- $ {\mu ^{\text{2}}} $ algorithm,
- Mixed Integral Linear Programming (MILP),
- Integral attack,
- Impossible differential analysis,
- Differential analysis

FullText(HTML)

References(19)

References

[1]	KNUDSEN L and WAGNER D. Integral cryptanalysis: Extended abstract[C]. The 9th International Workshop on Fast Software Encryption, Leuven, Belgium, 2002: 112–127.
[2]	TODO Y. Structural evaluation by generalized integral property[C]. The 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 2015: 287–314.
[3]	TODO Y. Integral cryptanalysis on full MISTY1[C]. The 35th Annual Cryptology Conference, Santa Barbara, USA, 2015: 413–432.
[4]	TODO Y and MORII M. Bit-based division property and application to Simon family[C]. The 23rd International Conference on Fast Software Encryption, Bochum, Germany, 2016: 357–377.
[5]	XIANG Zejun, ZHANG Wentao, BAO Zhenzhen, et al. Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers[C]. The 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 2016: 648–678.
[6]	HU Kai and WANG Meiqin. Automatic search for a variant of division property using three subsets[C]. Cryptographers’ Track at the RSA Conference, San Francisco, USA, 2019: 412–432.
[7]	WANG Senpeng, HU Bin, GUAN Jie, et al. MILP-aided method of searching division property using three subsets and applications[C]. The 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 2019: 398–427.
[8]	HU Kai, SUN Siwei, WANG Meiqin, et al. An algebraic formulation of the division property: Revisiting degree evaluations, cube attacks, and key-independent sums[C]. The 26th International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, 2020: 446–476.
[9]	BIHAM E and SHAMIR A. Differential Cryptanalysis of the Data Encryption Standard[M]. New York: Springer, 1993: 11–32.
[10]	MOUHA N, WANG Qingju, GU Dawu, et al. Differential and linear cryptanalysis using mixed-integer linear programming[C]. The 7th International Conference on Information Security and Cryptology, Beijing, China, 2012: 57–76. doi: /10.1007/978-3-642-34704-7_5.
[11]	WU Shengbao and WANG Mingsheng. Security evaluation against differential cryptanalysis for block cipher structures[EB/OL]. https://eprint.iacr.org/2011/551.pdf, 2011.
[12]	SUN Siwei, HU Lei, WANG Peng, et al. Automatic security evaluation and (related-key) differential characteristic search: Application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers[C]. The 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, China, 2014: 158–178.
[13]	SUN Siwei, HU Lei, WANG Meiqin, et al. Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties[EB/OL]. https://eprint.iacr.org/2014/747.pdf, 2014.
[14]	SASAKI Y and TODO Y. New algorithm for modeling s-box in MILP based differential and division trail search[C]. The 10th International Conference for Information Technology and Communications, Bucharest, Romania, 2017: 150–165.
[15]	ZHOU Chunning, ZHANG Wentao, DING Tianyou, et al. Improving the MILP-based security evaluation algorithm against differential/linear cryptanalysis using a divide-and-conquer approach[EB/OL]. https://eprint.iacr.org/2019/019.pdf, 2019.
[16]	BOURA C and COGGIA D. Efficient MILP modelings for sboxes and linear layers of SPN ciphers[J]. IACR Transactions on Symmetric Cryptology, 2020, 2020(3): 327–361. doi: 10.13154/tosc.v2020.i3.327-361
[17]	BIHAM E, BIRYUKOV A, and SHAMIR A. Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials[J]. Journal of Cryptology, 2005, 18(4): 291–311. doi: 10.1007/s00145-005-0129-3
[18]	KNUDSEN L R. DEAL-A 128-bit block cipher[EB/OL]. https://www.researchgate.net/publication/2452654_DEAL_-_A_128-bit_Block_Cipher, 2014.
[19]	YEOH W Z, TEH J S, and SAZALI M I S B M. µ²: A lightweight block cipher[C]. The 6th Computational Science and Technology, Kota Kinabalu, Malaysia, 2019: 281–290.