Cryptography and Communications

, Volume 10, Issue 1, pp 195–209 | Cite as

Statistical integral attack on CAST-256 and IDEA

  • Tingting Cui
  • Huaifeng Chen
  • Long Wen
  • Meiqin WangEmail author
Part of the following topical collections:
  1. Recent Trends in Cryptography


Integral attack, as a powerful technique in the cryptanalysis field, has been widely utilized to evaluate the security of block ciphers. Integral distinguisher is based on balanced property on output with probability one. To obtain a distinguisher covering more rounds, an attacker will usually increase the data complexity by iterating through all values of more bits of plaintexts under the firm limitation that the data complexity should be less than the whole plaintext space. In order to release the limitation and reduce the data complexity, Wang et al. proposed a statistical integral distinguisher at FSE’16. In this paper, we exploit the statistical integral distinguisher to attack the IDEA and CAST-256 block ciphers. As a result, we manage to mount a key recovery attack on 29-round CAST-256 with 296.8 chosen plaintexts, 2219.4 encryptions and 273 bytes of memory. By making a trade-off between the time complexity and data complexity, the attack can be achieved by 283.9 chosen plaintexts, 2244.4 encryptions and 266 bytes of memory. As far as we know, these are the best attacks on CAST-256 in the single-key model without weak-key assumption so far. What’s more, we find an integral distinguisher of IDEA block cipher, which is the longest integral distinguisher known to now. By taking advantage of this distinguisher, we achieve a key recovery attack on 4.5-round IDEA with 258.5 known plaintexts, 2120.9 encryptions and 246.6 bytes of memory respectively. It is the best integral attack with respect to the number of rounds.


Statistical integral attack IDEA CAST-256 

Mathematics Subject Classification (2010)

94-XX 94A60 



This work has been supported by 973 Program (No. 2013CB834205), NSFC Projects (No. 61133013, No. 61572293), Program for New Century Excellent Talents in University of China (NCET-13-0350), Program from Science and Technology on Communication Security Laboratory of China (No. 9140c110207150c11050).


  1. 1.
    Adams, C.M.: Constructing symmetric ciphers using the CAST design procedure. In: Kranakis, E., Oorschot, P. (eds.) SAC 1997, pp 71–104. Springer, US (1997)Google Scholar
  2. 2.
    Adams, C.M.: The CAST-256 encryption algorithm. In: AES Proposal (1998)Google Scholar
  3. 3.
    Aumasson, J. -P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi. Presented at the rump session of cryptographic hardware and embedded systems-CHES 2009 (2009)Google Scholar
  4. 4.
    Blondeau, C., Nyberg, K.: Joint data and key distribution of simple, multiple, and multidimensional linear cryptanalysis test statistic and its impact to data complexity. Cryptology ePrint Archive: Report 2015/935.
  5. 5.
    Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K (eds.) ASIACRYPT 2012, LNCS, vol. 7658, pp 244–261. Springer, Heidelberg (2012)Google Scholar
  6. 6.
    Chen, H., Cui, T., Wang, M.: Improving algorithm 2 in multidimensional (zero-correlation) linear cryptanalysis using χ 2-method Designs, Codes and Cryptography, pp 1–18. Springer, Heidelberg (2016)Google Scholar
  7. 7.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher square FSE 1997. LNCS, vol. 1267, pp 149–165. Springer, Heidelberg (1997)Google Scholar
  8. 8.
    Demirci, H.: Square-like attacks on reduced rounds of IDEA. In: Nyberg, K., Heys, H (eds.) SAC 2002, LNCS, vol. 2595, pp 147–159. Springer, Heidelberg (2003)Google Scholar
  9. 9.
    Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V (eds.) FSE 2002. LNCS, vol. 2365, pp 112–127. Springer, Heidelberg (2002)Google Scholar
  10. 10.
    Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Damgrd, I.B. (ed.) Eurocrypt 1990, LNCS, vol. 473, pp 389–404. Springer, Heidelberg (1990)Google Scholar
  11. 11.
    Nakahara, J. Jr., Barreto, P.S.L.M., Preneel, B., Vandewalle, J., Kim, H.Y.: Square attacks against reduced-round PES and IDEA block ciphers. IACR Cryptology ePrint Archive Report 2001/068 (2001)Google Scholar
  12. 12.
    Nakahara, J. Jr., Rasmussen, M.: Linear analysis of reduced-round CAST-128 and CAST-256. SBSEG 2007, 45–55 (2007)Google Scholar
  13. 13.
    Seki, H., Kaneko, T.: Differential cryptanalysis of CAST-256 reduced to nine quad-rounds. IEICE transactions on fundamentals of electronics communications and computer sciences, (E84-A)4, pp. 913–918 (2001)Google Scholar
  14. 14.
    Sun, B., Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., Alkhzaimi, H., Li, C.: Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis. In: Gennaro, R., Robshaw, M (eds.) CRYPTO 2015, LNCS, vol. 9215, pp 95–115. Springer, Heidelberg (2015)Google Scholar
  15. 15.
    Wagner, D.: The boomerang attack. In: Knudsen, L (ed.) FSE 1999, LNCS, vol. 1636, pp 156–170. Springer, Heidelberg (1999)Google Scholar
  16. 16.
    Wen, L., Wang, M., Bogdanov, A., Chen, H.: General application of FFT in cryptanalysis and improved attack on CAST-256. In: Meier, W., Mukhopadhyay, D (eds.) INDOCRYPT 2014, LNCS, vol. 8885, pp 161–176. Springer, Heidelberg (2014)Google Scholar
  17. 17.
    Wang, M., Cui, T., Chen, H., Sun, L., Wen, L., Bogdanov, A.: Integrals go statistical: Improved cryptanalysis of skipjack variants. In: Peyrin, T. (ed.) FSE 2016, LNCS, vol. 9783, pp 399–415. Springer, Heidelberg (2016)Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  • Tingting Cui
    • 1
    • 2
  • Huaifeng Chen
    • 1
  • Long Wen
    • 1
  • Meiqin Wang
    • 1
    • 3
    Email author
  1. 1.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  2. 2.Science and Technology on Communication Security LaboratoryChengduChina
  3. 3.State Key Laboratory of CryptologyBeijingChina

Personalised recommendations