Welcome to the resource topic for
**2014/056**

**Title:**

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

**Authors:**
Sareh Emami, San Ling, Ivica Nikolic, Josef Pieprzyk, Huaxiong Wang

**Abstract:**

So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential attacks. To achieve the resistance, it is believed that for cipher with k-bit key it suffices the upper bound on the probability to be 2^{-k}. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than 2^{-k}. Our counter example is a related-key differential analysis of the block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than 2^{-128}, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as 2^{-128}. CLEFIA-128 has 2^{14} such differentials, which translate to 2^{14} pairs of weak keys. The probability of each differential is too low for attacks, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain advantage of 2^7 over generic attacks. We exploit the advantage and give a membership test for the weak-key class, provide analysis in the hashing mode, and show the importance for the secret-key mode. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128. Our results do not threaten the practical use of CLEFIA.

**ePrint:**
https://eprint.iacr.org/2014/056

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

**Example resources include:**
implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .