On the success probability of χ2-attack on RC6

Abstract

Knudsen and Meier applied the χ2-attack to RC6. The χ2-attack can be used for both distinguishing attacks and key recovery attacks. Up to the present, the success probability of key recovery attack in any χ2-attack has not been evaluated theoretically without any assumption of experimental results. In this paper, we discuss the success probability of key recovery attack in χ2-attack and give the theorem that evaluates the success probability of a key recovery attack without any assumption of experimental approximation, for the first time. We make sure the accuracy of our theorem by demonstrating it on both 4-round RC6 without post-whitening and 4-round RC6-8. We also evaluate the security of RC6 theoretically and show that a variant of the χ2-attack is faster than an exhaustive key search for the 192-bit-key and 256-bit-key RC6 with up to 16 rounds. As a result, we succeed in answering such an open question that a variant of the χ2-attack can be used to attack RC6 with 16 or more rounds. © Springer-Verlag Berlin Heidelberg 2005.