FFT key recovery for integral attack

Abstract

An integral attack is one of the most powerful attacks against block ciphers. We propose a new technique for the integral attack called the Fast Fourier Transform (FFT) key recovery. When the integral dis-tinguisher uses N chosen plaintexts and the guessed key is k bits, a straightforward key recovery requires the time complexity of O(N2). However, the FFT key recovery method requires only the time complexity of O(N + k2). As a previous result using FFT, at ICISC 2007, Collard et al. proposed that FFT can reduce the time complexity of a linear attack. We show that FFT can also reduce the complexity of the integral attack. Moreover, the estimation of the complexity is very simple. We first show the complexity of the FFT key recovery against three structures, the Even-Mansour scheme, a key-alternating cipher, and the Feistel cipher. As examples of these structures, we show integral attacks against PR0ST, CLEFIA, and AES. As a result, 8-round PR0ST ˜ 28,K can be attacked with about an approximate time complexity of 2. Moreover, a 6-round AES and 12-round CLEFIA can be attacked with approximate time complexities of 2 . and 2 ., respectively.