Abstract
Developed by Hitachi, MULTI2 is a block cipher used mainly to secure multimedia content. It was registered in ISO/IEC 9979 and was patented in the US and Japan. MULTI2 uses the Feistel structure and operates on 64-bit blocks. The encryption key has 256 bits.
This paper studies linear analysis of MULTI2. We give a detailed bias analysis of the MULTI2 round functions. For the first time, formal proofs of their bias properties are given. This allows us to find a new 4-round bias of $2^{-2}$. Previously, the best proposed 4-round bias was $2^{-5.7}$. Using our results on the MULTI2 round functions, we propose linear attacks on r-round MULTI2 to recover the encryption key. Our linear attack can recover the 256-bit encryption key in time $2^{46}$, $2^{60.4}$, $2^{83.8}$, $2^{91.7}$, $2^{123.4}$, $2^{123.2}$ of r-round encryptions for r = 8, 12, 16, 20, 24, 28 respectively. Further, we can recover the 32-bit sub-key in the last round much faster than the whole encryption key, i.e., in time $2^{37}$ for r = 8, 12, 16, 20, 24. Note that previously, the best linear key-recovery attack was a 20-round attack with time $2^{93.4}$ (of 20-round encryptions) and data $2^{39.2}$. As the ISO register recommends using at least 32 rounds, our attacks remain theoretical and do not currently threaten security in practical use.
This work is supported by the National Science and Technology Major Project under Grant No. 2010ZX01036-001-002 & 2010ZX01037-001-002, the Knowledge Innovation Key Directional Program of Chinese Academy of Sciences under Grant No. KGCX2-YW-125 & KGCX2-YW-174, and the National Natural Science Foundation of China under Grant No. 61170072.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Lu, Y., Ding, L., Wang, Y. (2012). Improved Linear Analysis on Block Cipher MULTI2. In: Pieprzyk, J., Sadeghi, AR., Manulis, M. (eds) Cryptology and Network Security. CANS 2012. Lecture Notes in Computer Science, vol 7712. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35404-5_7
DOI: https://doi.org/10.1007/978-3-642-35404-5_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35403-8
Online ISBN: 978-3-642-35404-5
eBook Packages: Computer Science, Computer Science (R0)