© The Institution of Engineering and Technology
The block cipher KASUMI, proposed by ETSI SAGE over 10 years ago, is widely used for security in many synchronous wireless standards nowadays. For instance, the confidentiality and integrity of 3G mobile communications systems depend on the security of KASUMI. Up to now, there is a great deal of cryptanalytic results on KASUMI. However, its security evaluation against the recent zerocorrelation linear attacks is still lacking. In this study, combining with some observations on the FL, FO and FI functions, the authors select some special input/output masks to refine the general 5round zerocorrelation linear approximations and propose the 6round zerocorrelation linear attack on KASUMI. Moreover, under the weak key conditions that the second keys of the FL function in rounds 2 and 8 have the same values at 1st–8th and 11th–16th bitpositions, they expand the attack to 7round KASUMI (2–8). These weak keys take 1/2^{14} of the key space. The new zerocorrelation linear attack on the 6round needs about 2^{118} encryptions with 2^{62.9} known plaintexts and 2^{54} bytes memory. For the attack under weak keys conditions on the last 7 rounds, the data complexity is about 2^{62.1} known plaintexts, and the time complexity is about 2^{110.5} encryptions, and the memory requirement is about 2^{85} bytes.
References


1)

1. Matsui, M.: ‘New block encryption algorithm MISTY’. FSE 1997, 1997 (, 1267), pp. 54–68.

2)

3)

4)

4. Sugio, N., Aono, H., Hongo, S., et al: ‘A study on integralinterpolation attack of MISTY1 and KASUMI’. Computer Security Symp., 2006, pp. 173–178.

5)

5. Sugio, N., Tanaka, H., Kaneko, T.: ‘A study on higher order differential attack of KASUMI’. 2002 Int. Symp. on Information Theory and its Applications, 2002.

6)

6. Sugio, N., Aono, H., Hongo, S., et al: ‘A study on higher order differential attack of KASUMI’, IEICE Trans., 2007, 90A, (1), pp. 14–21 (doi: 10.1093/ietfec/e90a.1.14).

7)

7. Kühn, U.: ‘Cryptanalysis of reducedround MISTY’. EUROCRYPT 2001, 2001 (, 2045), pp. 325–339.

8)

8. Jia, K., Li, L., Rechberger, C., et al: ‘Improved cryptanalysis of the block cipher KASUMI’. SAC 2012, 2012 (, 7707), pp. 222–233.

9)

9. Blunden, M., Escott, A.: ‘Related key attacks on reduced round KASUMI’. FSE 2001, 2001 (, 2355), pp. 277–285.

10)

10. Biham, E., Dunkelman, O., Keller, N.: ‘A relatedkey rectangle attack on the full KASUMI’. ASIACRYPT 2005, 2005 (, 3788), pp. 443–461.

11)

11. Dunkelman, O., Keller, N., Shamir, A.: ‘A practicaltime relatedkey attack on the KASUMI cryptosystem used in GSM and 3G telephony’. CRYPTO 2010, 2010 (, 6223), pp. 393–410.

12)

12. Bogdanov, A., Rijmen, V.: ‘Linear hulls with correlation zero and linear cryptanalysis of block ciphers’, Des. Codes Cryptogr., 2012, 70, pp. 1–15.

13)

13. Bogdanov, A., Wang, M.: ‘Zero correlation linear cryptanalysis with reduced data complexity’. FSE 2012, 2012 (, 7549), pp. 29–48.

14)

14. Bogdanov, A., Leander, G., Nyberg, K., et al: ‘Integral and multidimensional linear distinguishers with correlation zero’. AsiaCrypt 2012, 2012 (, 7658), pp. 24–262.

15)

15. Bogdanov, A., Geng, H., Wang, M., et al: ‘Zerocorrelation linear cryptanalysis with FFT and improved attacks on ISO standards Camellia and CLEFIA’. SAC'13, 2013 (, pp. 306–323.

16)

25. Wen, L., Wang, M., Bogdanov, A., et al: ‘Multidimensional zerocorrelation attacks on lightweight block cipher HIGHT: improved cryptanalysis of an ISO standard’, Inf. Process. Lett., 2014, 114, (6), pp. 322–330 (doi: 10.1016/j.ipl.2014.01.007).

17)

17. Wen, L., Wang, M., Bogdanov, A.: ‘Multidimensional zerocorrelation linear cryptanalysis of E2’. Africacrypt'14, 2014 (, pp. 306–323.
http://iet.metastore.ingenta.com/content/journals/10.1049/ietifs.2014.0543
Related content
content/journals/10.1049/ietifs.2014.0543
pub_keyword,iet_inspecKeyword,pub_concept
6
6