On the Success Probability of χ2-attack on RC6
Knudsen and Meier applied the χ 2-attack to RC6. The χ 2-attack can be used for both distinguishing attacks and key recovery attacks. Up to the present, the success probability of key recovery attack in any χ 2-attack has not been evaluated theoretically without any assumption of experimental results. In this paper, we discuss the success probability of key recovery attack in χ 2-attack and give the theorem that evaluates the success probability of a key recovery attack without any assumption of experimental approximation, for the first time. We make sure the accuracy of our theorem by demonstrating it on both 4-round RC6 without post-whitening and 4-round RC6-8. We also evaluate the security of RC6 theoretically and show that a variant of the χ 2-attack is faster than an exhaustive key search for the 192-bit-key and 256-bit-key RC6 with up to 16 rounds. As a result, we succeed in answering such an open question that a variant of the χ 2-attack can be used to attack RC6 with 16 or more rounds.
Keywordsblock cipher RC6 χ2 attack statistical analysis
Unable to display preview. Download preview PDF.
- 1.Contini, S., Rivest, R., Robshaw, M., Yin, Y.: The Security of the RC6 Block Cipher. v 1.0, August 20 (1998), Available at http://www.rsasecurity.com/rsalabs/rc6/
- 2.Freund, R.J., Wilson, W.J.: Statistical Method. Academic Press, San Diego (1993)Google Scholar
- 12.Rivest, R., Robshaw, M., Sidney, R., Yin, Y.: The RC6 Block Cipher. v1.1, August 20 (1998), Available at http://www.rsasecurity.com/rsalabs/rc6/
- 14.Vaudenay, S.: An Experiment on DES Statistical Cryptanalysis. In: ACM-CCS 1996, pp. 139–147. ACM Press, New York (1996)Google Scholar
- 16.Takenaka, M., Shimoyama, T., Koshiba, T.: Theoretical Analysis of χ2 Attack on RC6. IEICE Trans. E87-A(1), 28–35 (2004)Google Scholar
- 17.Ryabko, B.: Adaptive chi-square test and its application to some cryptographic problems. Cryptology ePrint Archive, Report 2002/030 (2003), http://eprint.iacr.org/