At ASIACRYPT'12, Bogdanov et al. showed that integral distinguishers and zero-correlation linear approximations coincide when the mask consists of two parts: one part may take any non-zero value and the other part is fixed to zero. For zero-correlation linear approximations of some ARX block ciphers, however, one bit of the input mask is usually fixed to one, which does not conform to the zero-correlation linear approximations considered by Bogdanov et al. Can such approximations also be converted into an integral distinguisher? In this paper, we show that zero-correlation linear approximations of this form can be transformed into an integral distinguisher as well. As an application, we give an attack on SHACAL-2, one of the four block ciphers selected by NESSIE. Namely, an attack on 32-round SHACAL-2 is reported. As an integral attack, it reaches far more rounds than the previous integral attack on 28-round SHACAL-2. In the classical single-key setting, our attack breaks as many rounds as the previous best attack, but with significant improvements in data complexity and memory complexity. © 2014 Springer International Publishing Switzerland.
CITATION STYLE
Wen, L., & Wang, M. (2014). Integral zero-correlation distinguisher for ARX block cipher, with application to SHACAL-2. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8544 LNCS, pp. 454–461). Springer Verlag. https://doi.org/10.1007/978-3-319-08344-5_32