Impossible differential cryptanalysis of reduced-round <inline-formula><alternatives><math xmlns:mml="http://www.w3.org/1998/Math/MathML" id="M2"><msup><mrow><mi mathvariant="bold-italic">μ</mi></mrow><mrow><mn mathvariant="normal">2</mn></mrow></msup></math><graphic specific-use="big" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="alternativeImage/22C9D519-EA4F-4e54-A8CF-1ACB826F2179-M002.jpg"><?fx-imagestate width="5.50333309" height="5.58799982"?></graphic><graphic specific-use="small" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="alternativeImage/22C9D519-EA4F-4e54-A8CF-1ACB826F2179-M002c.jpg"><?fx-imagestate width="5.50333309" height="5.58799982"?></graphic></alternatives></inline-formula> algorithm based on matrix method

Abstract

Read online

To evaluate the security of μ2 algorithm in impossible differential cryptanalysis, a 9-round impossible differential distinguisher of μ2 algorithm was constructed based on matrix method and meet-in-the middle technique firstly. Then, with the utilization of key-bridge technique, a 13-round key recovery attack was presented to μ2 algorithm by expanding the 9-round distinguisher forward and backward 2 rounds, respectively. The results show that the master key can be recovered 45 bit in the attack, the data complexity of plaintexts is 242.5, and the time complexity of 13 rounds of algorithm encryptions is 265.3. Compared with the previous research, the study achieves the longest attack rounds, and the data complexity is effectively reduced.

Keywords

• lightweight block cipher
• μ2 algorithm%22%2C%22default_operator%22%3A%22AND%22%7D%7D%7D"> <math xmlns:mml="http://www.w3.org/1998/Math/MathML" id="M14"><msup><mrow><mi>μ</mi></mrow><mrow><mn mathvariant="normal">2</mn></mrow></msup></math> algorithm
• impossible differential cryptanalysis
• matrix method