On the Success Probability of χ2-attack on RC6

  • Atsuko Miyaji
  • Yuuki Takano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3574)


Knudsen and Meier applied the χ 2-attack to RC6. The χ 2-attack can be used for both distinguishing attacks and key recovery attacks. Up to the present, the success probability of key recovery attack in any χ 2-attack has not been evaluated theoretically without any assumption of experimental results. In this paper, we discuss the success probability of key recovery attack in χ 2-attack and give the theorem that evaluates the success probability of a key recovery attack without any assumption of experimental approximation, for the first time. We make sure the accuracy of our theorem by demonstrating it on both 4-round RC6 without post-whitening and 4-round RC6-8. We also evaluate the security of RC6 theoretically and show that a variant of the χ 2-attack is faster than an exhaustive key search for the 192-bit-key and 256-bit-key RC6 with up to 16 rounds. As a result, we succeed in answering such an open question that a variant of the χ 2-attack can be used to attack RC6 with 16 or more rounds.


block cipher RC6 χ2 attack statistical analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Contini, S., Rivest, R., Robshaw, M., Yin, Y.: The Security of the RC6 Block Cipher. v 1.0, August 20 (1998), Available at
  2. 2.
    Freund, R.J., Wilson, W.J.: Statistical Method. Academic Press, San Diego (1993)Google Scholar
  3. 3.
    Gilbert, H., Handschuh, H., Joux, A., Vaudenay, S.: A Statistical Attack on RC6. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 64–74. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Handschuh, H., Gilbert, H.: χ2 Cryptanalysis of the SEAL Encryption Algorithm. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 1–12. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  5. 5.
    Isogai, N., Matsunaka, T., Miyaji, A.: Optimized χ2-attack against RC6. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 16–32. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Junod, P.: On the Complexity of Matsui’s Attack. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 199–211. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Kelsey, J., Schneier, B., Wagner, D.: Mod n Cryptanalysis, with applications against RC5P and M6. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 139–155. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  8. 8.
    Knudsen, L., Meier, W.: Correlations in RC6 with a reduced number of rounds. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 94–108. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Knuth, D.: The art of computer programming, 2nd edn. Seminumerical Algorithms, vol. 2. Addison-Wesley, Reading (1981)zbMATHGoogle Scholar
  10. 10.
    Matsunaka, T., Miyaji, A., Takano, Y.: Success probability in χ2-attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 310–325. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Miyaji, A., Nonaka, M.: Cryptanalysis of the Reduced-Round RC6. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 480–494. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Rivest, R., Robshaw, M., Sidney, R., Yin, Y.: The RC6 Block Cipher. v1.1, August 20 (1998), Available at
  13. 13.
    Selcuk, A.A., Bicak, A.: On probability of success in differential and linear cryptanalysis. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 174–185. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Vaudenay, S.: An Experiment on DES Statistical Cryptanalysis. In: ACM-CCS 1996, pp. 139–147. ACM Press, New York (1996)Google Scholar
  15. 15.
    Shimoyama, T., Takenaka, M., Koshiba, T.: Multiple linear cryptanalysis of a reduced round RC6. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 76–88. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Takenaka, M., Shimoyama, T., Koshiba, T.: Theoretical Analysis of χ2 Attack on RC6. IEICE Trans. E87-A(1), 28–35 (2004)Google Scholar
  17. 17.
    Ryabko, B.: Adaptive chi-square test and its application to some cryptographic problems. Cryptology ePrint Archive, Report 2002/030 (2003),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Atsuko Miyaji
    • 1
  • Yuuki Takano
    • 1
  1. 1.Japan Advanced Institute of Science and Technology 

Personalised recommendations