CIPHERUNICORN-Aの差分解読/線形解読に対する安全性について  [in Japanese] Differential and Linear cryptanalysis of CIPHERUNICORN-A  [in Japanese]

本稿では,128ビットブロック暗号であるCIPHERUNICORN-Aの差分解読/線形解読に対する安全性について報告する.CIPHERUNICORN-Aのラウンド関数は複雑な構造をしているため,正確な差分/線形確率の計算が困難である.従来の評価では鍵加算と定数乗算を近似したmF関数を定義し,差分/線形特性確率を求めていた.しかし,この定数乗算の近似ではあり得る差分/線形経路を全て網羅していなかったため評価が十分ではなかった.本稿では,定数乗算を近似しないmF'関数を新たに定義し,バイトオリエンテッドな差分/線形経路を再度全数探索した.また,定数乗算における確率を導入し,差分/線形特性確率を従来よりも厳密に求めた結果を報告する.

In this paper, we describe an experimental result of safety against differential and linear cryptanalysis of CIPHERUNICORN-A. Because of the complex structure, it is difficult to calculate the probability of differential and linear characteristics of CIPHERUNICORN-A. We used an mF function in our previous evaluation in order to be able to do the approximate calculation in short term. But, by using the mF function, the approximation of the constant multiplication did not have enough coverage with its possible influential bits relations in differential and linear cryptanalysis. The mF function has two changes from original F function. One is key additions and the other is constant multiplications modified to exclusive OR operations. In this paper, we used a newly defined the mF' function which omitted the change of constant multiplications, searched exhaustively byte-oriented differential and linear influential paths and investigated more strict differential and linear characteristic probabilities.