Multidimensional zero-correlation linear cryptanalysis of the block cipher KASUMI

Multidimensional zero-correlation linear cryptanalysis of the block cipher KASUMI

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

The block cipher KASUMI, proposed by ETSI SAGE over 10 years ago, is widely used for security in many synchronous wireless standards nowadays. For instance, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. Up to now, there is a great deal of cryptanalytic results on KASUMI. However, its security evaluation against the recent zero-correlation linear attacks is still lacking. In this study, combining with some observations on the FL, FO and FI functions, the authors select some special input/output masks to refine the general 5-round zero-correlation linear approximations and propose the 6-round zero-correlation linear attack on KASUMI. Moreover, under the weak key conditions that the second keys of the FL function in rounds 2 and 8 have the same values at 1st–8th and 11th–16th bit-positions, they expand the attack to 7-round KASUMI (2–8). These weak keys take 1/214 of the key space. The new zero-correlation linear attack on the 6-round needs about 2118 encryptions with 262.9 known plaintexts and 254 bytes memory. For the attack under weak keys conditions on the last 7 rounds, the data complexity is about 262.1 known plaintexts, and the time complexity is about 2110.5 encryptions, and the memory requirement is about 285 bytes.


    1. 1)
      • 1. Matsui, M.: ‘New block encryption algorithm MISTY’. FSE 1997, 1997 (LNCS, 1267), pp. 5468.
    2. 2)
      • 2. 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G Security, Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 2: KASUMI Specification, V3.1.1 (2001).
    3. 3)
      • 3. 3rd Generation Partnership Project, Technical Specification Group Services and system Aspects, 3G Security, Specification of the A5/3 Encryption Algorithms for GSM and ECSD, and the GEA3 Encryption Algorithm for GPRS; Document 1: A5/3 and GEA3 Specifications, V6.2.0 (2003).
    4. 4)
      • 4. Sugio, N., Aono, H., Hongo, S., et al: ‘A study on integral-interpolation attack of MISTY1 and KASUMI’. Computer Security Symp., 2006, pp. 173178.
    5. 5)
      • 5. Sugio, N., Tanaka, H., Kaneko, T.: ‘A study on higher order differential attack of KASUMI’. 2002 Int. Symp. on Information Theory and its Applications, 2002.
    6. 6)
    7. 7)
      • 7. Kühn, U.: ‘Cryptanalysis of reduced-round MISTY’. EUROCRYPT 2001, 2001 (LNCS, 2045), pp. 325339.
    8. 8)
      • 8. Jia, K., Li, L., Rechberger, C., et al: ‘Improved cryptanalysis of the block cipher KASUMI’. SAC 2012, 2012 (LNCS, 7707), pp. 222233.
    9. 9)
      • 9. Blunden, M., Escott, A.: ‘Related key attacks on reduced round KASUMI’. FSE 2001, 2001 (LNCS, 2355), pp. 277285.
    10. 10)
      • 10. Biham, E., Dunkelman, O., Keller, N.: ‘A related-key rectangle attack on the full KASUMI’. ASIACRYPT 2005, 2005 (LNCS, 3788), pp. 443461.
    11. 11)
      • 11. Dunkelman, O., Keller, N., Shamir, A.: ‘A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony’. CRYPTO 2010, 2010 (LNCS, 6223), pp. 393410.
    12. 12)
      • 12. Bogdanov, A., Rijmen, V.: ‘Linear hulls with correlation zero and linear cryptanalysis of block ciphers’, Des. Codes Cryptogr., 2012, 70, pp. 115.
    13. 13)
      • 13. Bogdanov, A., Wang, M.: ‘Zero correlation linear cryptanalysis with reduced data complexity’. FSE 2012, 2012 (LNCS, 7549), pp. 2948.
    14. 14)
      • 14. Bogdanov, A., Leander, G., Nyberg, K., et al: ‘Integral and multidimensional linear distinguishers with correlation zero’. AsiaCrypt 2012, 2012 (LNCS, 7658), pp. 24262.
    15. 15)
      • 15. Bogdanov, A., Geng, H., Wang, M., et al: ‘Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA’. SAC'13, 2013 (LNCS 8282), pp. 306323.
    16. 16)
    17. 17)
      • 17. Wen, L., Wang, M., Bogdanov, A.: ‘Multidimensional zero-correlation linear cryptanalysis of E2’. Africacrypt'14, 2014 (LNCS 8469), pp. 306323.

Related content

This is a required field
Please enter a valid email address