
Journal of Communications Vol. 11, No. 7, July 2016

Zero Correlation Linear Cryptanalysis on LEA Family Ciphers

Kai Zhang, Jie Guan, and Bin Hu Information Science and Technology Institute, Zhengzhou 450000, China Email: [email protected]; [email protected]; [email protected]

Abstract—In recent two years, zero correlation linear Zero correlation was firstly cryptanalysis has shown its great potential in cryptanalysis and proposed by Andrey Bogdanov and Vicent Rijmen in it has proven to be effective against massive ciphers. LEA is a 2011 [2], [3]. Generally speaking, this cryptanalytic proposed by Deukjo Hong, who is the designer of method can be concluded as “use linear approximation of an ISO standard block cipher - HIGHT. This paper evaluates the probability 1/2 to eliminate the wrong candidates”. security level on LEA family ciphers against zero correlation linear cryptanalysis. Firstly, we identify some 9-round zero However, in this basic model of zero correlation linear correlation linear hulls for LEA. Accordingly, we propose a cryptanalysis, the data complexity is about half of the full on all variants of 9-round LEA family code book. The high data complexity greatly limits the ciphers. Then we propose the first zero correlation linear application of this new method. In FSE 2012, multiple cryptanalysis on 13-round LEA-192 and 14-round LEA-256. zero correlation linear cryptanalysis [4] was proposed For 13-round LEA-192, we propose a key recovery attack with which use multiple zero correlation linear approximations time complexity of 2131.30 13-round LEA , data to reduce the data complexity. In this version of zero complexity of 2128 - pairs and memory correlation linear cryptanalysis, although the data complexity of 260.58 bytes. For 14-round LEA-256, we propose complexity can be reduced to some extent, however, a key recovery attack with time complexity of 2250.19 14-round multiple zero correlation linear cryptanalysis method is LEA encryptions, data complexity of 2128 plaintext-ciphertext based on a strong hypothesis that all zero correlation pairs and memory complexity of 2142.35 bytes. As far as we linear approximations used are independent from each know, these are the best results on LEA using zero correlation other. 
In ASIACRYPT 2012, integral zero correlation linear cryptanalysis so far. distinguisher and multidimensional zero correlation linear

Index Terms—, cryptanalysis, zero correlation cryptanalysis model [5] were proposed. The data linear cryptanalysis, LEA family ciphers, ARX ciphers complexity for multidimensional zero correlation linear cryptanalysis is the same as multiple zero correlation linear cryptanalysis, however, it doesn’t rely on the I. INTRODUCTION strong assumption. Nowadays, zero correlation linear cryptanalysis has been a new criterion to evaluate the Recently, large numbers of ciphers using only addition, security of newly proposed ciphers [6]-[10]. rotation and XOR have emerged, usually they are called In the specification of LEA [1], the designers evaluated ARX ciphers. Due to the simple operation and high the security level on LEA against massive cryptanalytic efficiency in software and hardware, these ciphers usually methods such as differential cryptanalysis, linear have very good software and hardware performances. cryptanalysis, impossible differential cryptanalysis and One typical application of this kind of ciphers is low zero correlation linear cryptanalysis etc. Among these resource devices such as sensor nodes and RFID tags. attacks, seems to attack the longest Lightweight block cipher LEA [1] was proposed by rounds for LEA-128/192/256, which is 15/16/17 round Electronics and Telecommunications Research Institute respectively. And the rounds attacked with differential of Korea in 2013. It is a typical ARX block cipher and it cryptanalysis, truncated differential cryptanalysis and provides a high-speed software on general- impossible differential cryptanalysis seems to be a little purpose processors. In the specification of LEA [1], shorter, which is 12/13/14 round respectively. 
For designers have a thorough investigation on the security integral and zero correlation linear cryptanalysis, these level of LEA with a wide variety of cryptanalytic two kinds of distinguishers seem to be much shorter than methods such as differential attack, linear attack, zero others, while the rounds attacked with these two methods , impossible differential attack and so on. are much shorter too. This paper reevaluates the security level on LEA family ciphers against zero correlation Manuscript received January 19, 2016; revised July 19, 2016. linear cryptanalysis. This work was supported by the National Natural Science Foundation of China under Grant No.61202491, 61272041, 61272488, Our contributions 61402523 and 61572516. The main purpose of this paper is to evaluate the Corresponding author email: [email protected]. security level of LEA family ciphers against zero doi:10.12720/jcm.11.7.677-685

©2016 Journal of Communications 677 Journal of Communications Vol. 11, No. 7, July 2016

correlation linear cryptanalysis. Firstly, we identify some just identified a 7-round zero correlation approximation 9-round zero correlation linear hulls which can attack all and consider the possibility of 9-round attack for 128-bit versions of 9-round LEA family ciphers. Secondly, we keys, 10-round attack for 192-bit keys, and 11-round propose the first zero correlation linear cryptanalysis on attack for 256-bit keys. 13-round LEA-192 and 14-round LEA-256. Compared The summary of cryptanalysis on LEA family ciphers with our results, the specification of LEA block ciphers is concluded in the Table I below.

TABLE I: SUMMARY OF CRYPTANALYSIS ON LEA FAMILY CIPHERS

| Attack type | Algorithm | Length of the distinguisher | Rounds attacked | Time | Data | Memory | Reference |
|---|---|---|---|---|---|---|---|
| Differential | LEA-128/192/256 | 11 | 12/13/14 | -- | -- | -- | [1] |
| Linear | LEA | 10 | 11 | -- | $2^{92}$ | -- | [1] |
| Linear | LEA | 11 | 11 | -- | $2^{126}$ | -- | [1] |
| Truncated differential | LEA-128/192/256 | 11 | 12/13/14 | -- | -- | -- | [1] |
| Boomerang | LEA-128/192/256 | 14 | 15/16/17 | -- | -- | -- | [1] |
| Impossible differential | LEA-128/192/256 | 10 | 12/13/14 | -- | -- | -- | [1] |
| Integral | LEA-128/192/256 | 6 | 9/10/11 | -- | -- | -- | [1] |
| Differential-linear | LEA-128/192/256 | 14 | -- | -- | -- | -- | [1] |
| Zero correlation | LEA-128 | 7 | 9 | -- | -- | -- | [1] |
| Zero correlation | LEA-128 | 9 | 9* | $O(2^{127})$ | $O(2^{127})$ | -- | Section 4.1 |
| Zero correlation | LEA-192 | 7 | 10 | -- | -- | -- | [1] |
| Zero correlation | LEA-192 | 9 | 13 | $O(2^{131.30})$ | $O(2^{128})$ | $2^{60.58}$ bytes | Section 4.2 |
| Zero correlation | LEA-256 | 7 | 11 | -- | -- | -- | [1] |
| Zero correlation | LEA-256 | 9 | 14 | $O(2^{250.19})$ | $O(2^{128})$ | $2^{142.35}$ bytes | Section 4.3 |

*: This attack is a distinguishing attack, not a key recovery attack.

This paper is organized as follows. The LEA family ciphers are briefly introduced in Section 2. Section 3 proposes some key observations on the LEA block ciphers which will be used in our cryptanalysis. In Section 4, first of all, some 9-round zero correlation linear hulls are proposed for all variants of the LEA family ciphers. Then, based on these newly proposed distinguishers, zero correlation linear cryptanalysis of 13-round LEA-192 and 14-round LEA-256 is proposed. Section 5 concludes the paper.

II. BRIEF DESCRIPTION OF LEA FAMILY CIPHERS

LEA has a block size of 128 bits and a key size of 128, 192 or 256 bits. The word size of LEA is 32 bits. The number of rounds is 24 for 128-bit keys, 28 for 192-bit keys, and 32 for 256-bit keys.

A. Notations

- $P$: a 128-bit plaintext, consisting of four 32-bit words $P = (P_0, P_1, P_2, P_3)$. $P_{i,(m \sim n)}$ represents bits $m$ to $n$ of $P_i$ ($0 \le i \le 3$);
- $C$: a 128-bit ciphertext, consisting of four 32-bit words $C = (C_0, C_1, C_2, C_3)$. $C_{i,(m \sim n)}$ represents bits $m$ to $n$ of $C_i$ ($0 \le i \le 3$);
- $X^i$: a 128-bit intermediate value (the input of the $i$-th round of encryption), consisting of four 32-bit words $X^i = (X^i_0, X^i_1, X^i_2, X^i_3)$. $X^i_{j,(m \sim n)}$ represents bits $m$ to $n$ of $X^i_j$ ($0 \le j \le 3$);
- $RK^i$: a 192-bit round key for the $i$-th round, consisting of six 32-bit words $RK^i = (RK^i_0, RK^i_1, RK^i_2, RK^i_3, RK^i_4, RK^i_5)$. $RK^i_{j,(m \sim n)}$ represents bits $m$ to $n$ of $RK^i_j$ ($0 \le j \le 5$);
- $K$: the master key. For LEA-128, $K = (K_0, K_1, K_2, K_3)$; for LEA-192, $K = (K_0, K_1, K_2, K_3, K_4, K_5)$; for LEA-256, $K = (K_0, K_1, K_2, K_3, K_4, K_5, K_6, K_7)$;
- $r$: the number of rounds. For LEA-128, $r = 24$; for LEA-192, $r = 28$; for LEA-256, $r = 32$;
- $\oplus$: XOR operation;
- $\boxplus$: addition modulo $2^{32}$;
- $\boxminus$: subtraction modulo $2^{32}$;
- $ROL_i(x)$: left rotation of $x$ by $i$ bits;
- $ROR_i(x)$: right rotation of $x$ by $i$ bits;
- $LEA_i$: the $i$-round LEA algorithm.

B. Round Function for Encryption and Decryption

The round function of LEA is computed as follows:

$X^{i+1}_0 = ROL_9((X^i_0 \oplus RK^i_0) \boxplus (X^i_1 \oplus RK^i_1))$
$X^{i+1}_1 = ROR_5((X^i_1 \oplus RK^i_2) \boxplus (X^i_2 \oplus RK^i_3))$
$X^{i+1}_2 = ROR_3((X^i_2 \oplus RK^i_4) \boxplus (X^i_3 \oplus RK^i_5))$
$X^{i+1}_3 = X^i_0$

To describe the round functions for encryption and decryption more clearly, we depict them in Fig. 1 below.


i i i i X i1 X i1 X i1 X i1 X 0 X1 X 2 X 3 0 1 2 3

i i RK5 RK4

>>>9

i i RK2 RK3 >>>3

i i <<<5 RK0 RK1 i i RK0 RK1 >>>5

RK i i 2 RK3 <<<3 <<<9

i RK4 i RK5

X i X i X i X i X i X i X i X i 0 1 2 3 0 1 2 3 Fig. 1. Round functions for encryption (Left) and decryption (Right)

C. Key Schedule

The key schedule uses the following eight constants for generating the round keys:

$\delta[0] = \mathtt{0xc3efe9db}$, $\delta[1] = \mathtt{0x44626b02}$, $\delta[2] = \mathtt{0x79e27c8a}$, $\delta[3] = \mathtt{0x78df30ec}$,
$\delta[4] = \mathtt{0x715ea49e}$, $\delta[5] = \mathtt{0xc785da0a}$, $\delta[6] = \mathtt{0xe04ef22a}$, $\delta[7] = \mathtt{0xe5c40957}$.

Key schedule for LEA-128: As $K = (K_0, K_1, K_2, K_3)$ is a 128-bit key, set $T[i] = K_i$ for $0 \le i < 4$. The round keys $RK^i = (RK^i_0, RK^i_1, RK^i_2, RK^i_3, RK^i_4, RK^i_5)$ for $0 \le i < 24$ are produced through the following relations:

$T[0] = ROL_1(T[0] \boxplus ROL_i(\delta[i \bmod 4]))$
$T[1] = ROL_3(T[1] \boxplus ROL_{i+1}(\delta[i \bmod 4]))$
$T[2] = ROL_6(T[2] \boxplus ROL_{i+2}(\delta[i \bmod 4]))$
$T[3] = ROL_{11}(T[3] \boxplus ROL_{i+3}(\delta[i \bmod 4]))$
$RK^i = (T[0], T[1], T[2], T[1], T[3], T[1])$

Key schedule for LEA-192: As $K = (K_0, K_1, K_2, K_3, K_4, K_5)$ is a 192-bit key, set $T[i] = K_i$ for $0 \le i < 6$. The round keys $RK^i = (RK^i_0, RK^i_1, RK^i_2, RK^i_3, RK^i_4, RK^i_5)$ for $0 \le i < 28$ are produced through the following relations:

$T[0] = ROL_1(T[0] \boxplus ROL_i(\delta[i \bmod 6]))$
$T[1] = ROL_3(T[1] \boxplus ROL_{i+1}(\delta[i \bmod 6]))$
$T[2] = ROL_6(T[2] \boxplus ROL_{i+2}(\delta[i \bmod 6]))$
$T[3] = ROL_{11}(T[3] \boxplus ROL_{i+3}(\delta[i \bmod 6]))$
$T[4] = ROL_{13}(T[4] \boxplus ROL_{i+4}(\delta[i \bmod 6]))$
$T[5] = ROL_{17}(T[5] \boxplus ROL_{i+5}(\delta[i \bmod 6]))$
$RK^i = (T[0], T[1], T[2], T[3], T[4], T[5])$

Key schedule for LEA-256: As $K = (K_0, K_1, K_2, K_3, K_4, K_5, K_6, K_7)$ is a 256-bit key, set $T[i] = K_i$ for $0 \le i < 8$. The round keys $RK^i = (RK^i_0, RK^i_1, RK^i_2, RK^i_3, RK^i_4, RK^i_5)$ for $0 \le i < 32$ are produced through the following relations:

$T[6i \bmod 8]     = ROL_1(T[6i \bmod 8] \boxplus ROL_i(\delta[i \bmod 8]))$
$T[6i+1 \bmod 8] = ROL_3(T[6i+1 \bmod 8] \boxplus ROL_{i+1}(\delta[i \bmod 8]))$
$T[6i+2 \bmod 8] = ROL_6(T[6i+2 \bmod 8] \boxplus ROL_{i+2}(\delta[i \bmod 8]))$
$T[6i+3 \bmod 8] = ROL_{11}(T[6i+3 \bmod 8] \boxplus ROL_{i+3}(\delta[i \bmod 8]))$
$T[6i+4 \bmod 8] = ROL_{13}(T[6i+4 \bmod 8] \boxplus ROL_{i+4}(\delta[i \bmod 8]))$
$T[6i+5 \bmod 8] = ROL_{17}(T[6i+5 \bmod 8] \boxplus ROL_{i+5}(\delta[i \bmod 8]))$
$RK^i = (T[6i \bmod 8], T[6i+1 \bmod 8], T[6i+2 \bmod 8], T[6i+3 \bmod 8], T[6i+4 \bmod 8], T[6i+5 \bmod 8])$

III. SOME OBSERVATIONS ON LEA

In this section, we introduce two observations on LEA. These observations are used in the key recovery attacks of Section 4. The first observation concerns partial arithmetic for modular addition and the second observation concerns the key schedule.

Observation 1 (Partial Arithmetic for Modular Addition): Let $x, y, z$ be $n$-bit values with $z = (x + y) \bmod 2^n$. Let $x_r, y_r, z_r$ be the $r$-bit values ($1 \le r \le n$) consisting of the 0-th to $(r-1)$-th bits of $x$, $y$ and $z$ respectively. If $z' = (x_r + y_r) \bmod 2^r$, then $z' = z_r$. The same holds for $z = (x - y) \bmod 2^n$.

Observation 2: Each round key word $RK^i_j$ corresponds to exactly one master key word $K_a$: there is a bijection $f: \{0,1\}^{32} \to \{0,1\}^{32}$ with $K_a = f(RK^i_j)$.

Proof: Every step of the key schedule is of the form $RK = ROL(T \boxplus \delta)$. As $\boxplus$ is a Latin transformation and $\delta$ is a constant, this form of transformation is a bijection from $T$ to $RK$. As the first $T$ originates from one master key word, which can be denoted as $K_a$, for each round key word $RK^i_j$ we have a chain $K_a = T_0 \xrightarrow{f_1} T_1 \xrightarrow{f_2} \cdots \xrightarrow{f_m} T_m = RK^i_j$ in which each $f_t$ ($1 \le t \le m$) is a bijection. Hence $f = f_m \circ f_{m-1} \circ \cdots \circ f_1$ is a bijection between $K_a$ and $RK^i_j$.


IV. ZERO CORRELATION LINEAR CRYPTANALYSIS ON LEA FAMILY CIPHERS

In this part, we first propose a distinguishing attack on all variants of 9-round LEA block ciphers. Then zero correlation linear cryptanalysis on 13-round LEA-192 and 14-round LEA-256 is proposed.

A. Distinguishing Attack on LEA and Zero Correlation Linear Hulls on LEA

In this section, a distinguishing attack that can be applied to all variants of 9-round LEA block ciphers is proposed, and its complexity is analyzed. The procedure of the distinguishing attack is as follows:

Algorithm 1 Distinguishing attack on LEA block ciphers
1. Collect $2^{n-1}$ plaintext-ciphertext pairs $(x, y)$ with $y = f(x)$, where $f(x)$ is either a random permutation or $LEA_9$ (the 9-round LEA algorithm);
2. Count the pairs $(x, y)$ that satisfy $(0, e_0, 0, 0) \cdot x = 0$ and $(e_9, 0, 0, e_0) \cdot y = 0$;
3. Compute $C_{f,\alpha,\beta}$ according to the equation below:
$C_{f,\alpha,\beta} = \dfrac{|\{(x, y) \mid \alpha \cdot x = 0 \text{ and } \beta \cdot y = 0\}|}{2^{n-2}} - 1$
4. If $C_{f,\alpha,\beta} = 0$, $f(x)$ is $LEA_9$; otherwise it is a random permutation.

To explore longer zero correlation linear hulls for LEA, we use an automatic approach which makes it possible to search all single-bit patterns of the input and output linear masks. For single-bit linear masks, we found hundreds of zero correlation linear hulls for LEA reduced to 8 rounds; however, only a few of them can be extended by one round. Here are some zero correlation linear hulls for 9-round LEA ($\alpha$ is the linear mask of the input and $\beta$ is the linear mask of the output):

TABLE II: ZERO-CORRELATION LINEAR HULLS FOR 9-ROUND LEA

| $\alpha$ | $\to$ | $\beta$ |
|---|---|---|
| $(0, e_0, 0, 0)$ | $\to$ | $(e_9, 0, 0, e_0)$ |
| $(0, (0, \dots, 0, 1, ?), 0, 0)$ | $\to$ | $(e_9, 0, 0, e_0)$ |
| $(0, (0, \dots, 0, 1, ?, ?), 0, 0)$ | $\to$ | $(e_9, 0, 0, e_0)$ |

1) Complexity analysis

The data complexity of the distinguishing attack is $2^{n-1}$ chosen plaintext-ciphertext pairs, and the computational complexity is $2^{n-1}$ evaluations of the inner product. In this attack, if $f(x)$ is LEA it cannot be misjudged as a random permutation; otherwise, the probability that a random permutation is misjudged as LEA is $\frac{1}{\sqrt{2\pi}} \cdot 2^{(4-128)/2} \approx 2^{-63.3}$. This distinguishing attack can be applied to all versions of the LEA block ciphers.

B. Zero Correlation Linear Cryptanalysis on LEA-192

In this section, based on the 9-round zero correlation linear hull $(0, e_0, 0, 0) \to (e_9, 0, 0, e_0)$, we can attack 13-round LEA-192 by adding three rounds before and one round after the zero correlation linear hull. The initial three rounds of encryption and the final one round of decryption are depicted in Fig. 2.

Fig. 2. Initial three rounds encryption (up) and final one round decryption (down) for LEA-192. [Figure not reproduced in text; it shows the plaintext bits $P_{0,(8\sim0)}, P_{1,(15\sim0)}, P_{2,(15\sim0)}, P_{3,(13\sim0)}$, the intermediate bits $X^1_{1,(10\sim0)}, X^1_{2,(10\sim0)}, X^1_{3,(8\sim0)}$, $X^2_{1,(5\sim0)}, X^2_{2,(5\sim0)}$, $X^3_{1,(0)}$ and $X^{12}_{0,(9)}, X^{12}_{3,(0)}$, the round key bits guessed in each round, and the ciphertext bits $C_{0,(9)}, C_{1,(27)}, C_{2,(29)}, C_{3,(0,9)}$.]

The key recovery process uses the partial-sum technique, from step 1 to step 9 below:


Step 1. Collect all the plaintext-ciphertext pairs. Allocate a counter vector $V_1[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, P_{0,(8\sim0)} \,|\, P_{1,(15\sim0)} \,|\, P_{2,(15\sim0)} \,|\, P_{3,(13\sim0)}]$ of size $2^{57}$, where each element is 96 bits long and initialized to zero.

Step 2. Guess all possible values of the 6 round key bits $RK^{13}_{0,(0)}, RK^{13}_{1,(0)}, RK^{13}_{2,(0)}, RK^{13}_{3,(0)}, RK^{13}_{4,(0)}, RK^{13}_{5,(0)}$.

Step 3. Partially decrypt the ciphertext of each $(P, C)$ pair to get $X^{12}_{0,(9)}$ and $X^{12}_{3,(0)}$. Add one to the corresponding $V_1[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, P_{0,(8\sim0)} \,|\, P_{1,(15\sim0)} \,|\, P_{2,(15\sim0)} \,|\, P_{3,(13\sim0)}]$.

Step 4. Allocate a counter vector $V_2[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^1_{1,(10\sim0)} \,|\, X^1_{2,(10\sim0)} \,|\, X^1_{3,(8\sim0)}]$ of size $2^{33}$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^1_{5,(13\sim0)}$, $RK^1_{4,(13\sim0)}$, $RK^1_{3,(15\sim0)}$, $RK^1_{2,(15\sim0)}$; altogether 60 key bits are guessed. Compute $X^1_{2,(10\sim0)}$ and $X^1_{1,(10\sim0)}$ according to the equations in Table III. Add one to the corresponding $V_2[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^1_{1,(10\sim0)} \,|\, X^1_{2,(10\sim0)} \,|\, X^1_{3,(8\sim0)}]$.

Step 5. Allocate a counter vector $V_3[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^2_{1,(5\sim0)} \,|\, X^2_{2,(5\sim0)}]$ of size $2^{14}$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^2_{5,(8\sim0)}$, $RK^2_{4,(8\sim0)}$, $RK^2_{3,(10\sim0)}$, $RK^2_{2,(10\sim0)}$. As the corresponding subkeys $RK^1_{5,(13\sim0)}$, $RK^1_{4,(13\sim0)}$, $RK^1_{3,(15\sim0)}$, $RK^1_{2,(15\sim0)}$ have already been guessed, according to the key schedule only 35 extra key bits ($RK^2_{5,(8\sim0)}$, $RK^2_{4,(8\sim0)}$, $RK^2_{3,(10\sim0)}$, $RK^2_{2,(5\sim0)}$) have to be guessed. Compute $X^2_{2,(5\sim0)}$ and $X^2_{1,(5\sim0)}$ according to the equations in Table III. Add one to the corresponding $V_3[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^2_{1,(5\sim0)} \,|\, X^2_{2,(5\sim0)}]$.

Step 6. Allocate a counter vector $V_4[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^3_{1,(0)}]$ of size $2^3$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^3_{2,(5\sim0)}$ and $RK^3_{3,(5\sim0)}$. As the corresponding subkeys $RK^2_{2,(21\sim0)}$ and $RK^3_{3,(26\sim0)}$ have already been guessed, according to the key schedule only 6 extra key bits ($RK^3_{2,(5\sim0)}$) have to be guessed. Compute $X^3_{1,(0)}$ according to the equations in Table III. Add one to the corresponding $V_4[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^3_{1,(0)}]$.

TABLE III: PARTIAL ENCRYPTION PROCEDURE OF THE ATTACK ON 13-ROUND LEA-192

| Step | Guess | Computing | Counter (size) | Complexity |
|---|---|---|---|---|
| 4 | $RK^1_5[13\text{-}0]$, $RK^1_4[13\text{-}0]$, $RK^1_3[15\text{-}0]$, $RK^1_2[15\text{-}0]$ | $[(P_{3,(13\sim0)} \oplus RK^1_{5,(13\sim0)}) \boxplus (P_{2,(13\sim0)} \oplus RK^1_{4,(13\sim0)})] \ggg 3 \to X^1_{2,(10\sim0)}$; $[(P_{1,(15\sim0)} \oplus RK^1_{2,(15\sim0)}) \boxplus (P_{2,(15\sim0)} \oplus RK^1_{3,(15\sim0)})] \ggg 5 \to X^1_{1,(10\sim0)}$ | $V_2[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^1_{1,(10\sim0)} \,|\, X^1_{2,(10\sim0)} \,|\, X^1_{3,(8\sim0)}]$ (33 bits) | $2^{57} \cdot 2^{6} \cdot 2^{60} = 2^{123}$, each $2/3$ $LEA_1$ |
| 5 | $RK^2_5[8\text{-}0]$, $RK^2_4[8\text{-}0]$, $RK^2_3[10\text{-}0]$, $RK^2_2[10\text{-}0]$ | $[(X^1_{3,(8\sim0)} \oplus RK^2_{5,(8\sim0)}) \boxplus (X^1_{2,(8\sim0)} \oplus RK^2_{4,(8\sim0)})] \ggg 3 \to X^2_{2,(5\sim0)}$; $[(X^1_{1,(10\sim0)} \oplus RK^2_{2,(10\sim0)}) \boxplus (X^1_{2,(10\sim0)} \oplus RK^2_{3,(10\sim0)})] \ggg 5 \to X^2_{1,(5\sim0)}$ | $V_3[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^2_{1,(5\sim0)} \,|\, X^2_{2,(5\sim0)}]$ (14 bits) | $2^{33} \cdot 2^{6} \cdot 2^{60} \cdot 2^{35} = 2^{134}$, each $2/3$ $LEA_1$ |
| 6 | $RK^3_2[5\text{-}0]$, $RK^3_3[5\text{-}0]$ | $[(X^2_{1,(5\sim0)} \oplus RK^3_{2,(5\sim0)}) \boxplus (X^2_{2,(5\sim0)} \oplus RK^3_{3,(5\sim0)})] \ggg 5 \to X^3_{1,(0)}$ | $V_4[X^{12}_{0,(9)} \,|\, X^{12}_{3,(0)} \,|\, X^3_{1,(0)}]$ (3 bits) | $2^{14} \cdot 2^{6} \cdot 2^{60} \cdot 2^{35} \cdot 2^{6} = 2^{121}$, each $1/3$ $LEA_1$ |

Step 7. In the first 6 steps of the attack, altogether 107 key bits have been guessed. For any guessed subkey candidate, if $V_4[0|0|0] + V_4[1|1|0] + V_4[0|1|1] + V_4[1|0|1] = 2^{127}$, the guessed 107-bit subkey candidate is kept; otherwise it is discarded. According to [3], a wrong subkey candidate is kept with probability of about $\frac{1}{\sqrt{2\pi}} \cdot 2^{(4-128)/2} \approx 2^{-63.3}$. That is to say, of the $2^{107}$ guessed round key values, about $2^{107} \cdot 2^{-63.3} = 2^{43.7}$ subkey candidates are left after the above steps.

The remaining steps of our attack are:

Step 8. (Master key sieving phase) As the key words do not mix with each other during the key schedule, which was shown in Observation 2, we can run the exhaustive search word by word separately and so realize the key sieving phase. For each $K[i]$ ($0 \le i \le 5$), use the key schedule to produce the round keys generated by $K[i]$. If the round keys of a guessed $K[i]$ are among the round key candidates left after step 7, $K[i]$ may be a correct guess; otherwise it is eliminated.

Step 9. In the first 7 steps, altogether 107 bits have been guessed; ideally, for one round key candidate, the space of $(K[0], K[1], K[2], K[3], K[4], K[5])$ is about $2^{192-107} \cdot 2^{43.7} = 2^{128.7}$. If a candidate $(K[0], K[1], K[2], K[3], K[4], K[5])$ survives a test against 2 plaintext-ciphertext pairs, it is regarded as the correct key.

1) Complexity estimation

The time complexity of step 3 is no more than $2^{128} \cdot 2^{6}$ $LEA_1$ encryptions; the time complexity of step 4 is $2^{57} \cdot 2^{6} \cdot 2^{60} = 2^{123}$ times $2/3$ $LEA_1$ encryptions; the time complexity of step 5 is $2^{33} \cdot 2^{6} \cdot 2^{60} \cdot 2^{35} = 2^{134}$ times $2/3$ $LEA_1$ encryptions; the time complexity of step 6 is $2^{14} \cdot 2^{6} \cdot 2^{60} \cdot 2^{35} \cdot 2^{6} = 2^{121}$ times $1/3$ $LEA_1$ encryptions. For the master key sieving phase of step 8, the time complexity to recover the master keys which match the subkey candidates is about $6 \cdot 2^{32}$, which is negligible compared with the other time complexities. The time complexity to test the remaining master key candidates is about $2^{128.7}$ $LEA_{13}$ encryptions.

To sum up, the time complexity of the attack is $2^{131.3}$ $LEA_{13}$ encryptions, the data complexity of this attack is $2^{128}$ plaintext-ciphertext pairs, and the memory requirements are about $2^{60.58}$ bytes for the counters and $2^{43.7} \cdot (107/8) \approx 2^{47.44}$ bytes for the subkey candidates remaining after step 7. This is the first zero correlation linear cryptanalysis on 13-round LEA-192.
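As an added check (my own code, not the paper's), the following Python verifies Observation 1 and the step-4 equations of Table III: the bits $X^1_{2,(10\sim0)}$, $X^1_{1,(10\sim0)}$ and $X^1_{3,(8\sim0)}$ computed from truncated plaintext and round key words agree with the same bits of the full 32-bit round function, which is why only the 60 key bits listed for step 4 have to be guessed. Round key words are random constructed values, not derived from the key schedule; the function names are assumptions of this example.

```python
# Added example: Observation 1 (partial modular arithmetic) and the
# step-4 partial-encryption equations of Table III, checked against the
# full round function of Section II.B. Not code from the paper.
import random
from typing import Tuple

MASK = 0xFFFFFFFF


def rol(x: int, i: int) -> int:
    i %= 32
    return ((x << i) | (x >> (32 - i))) & MASK


def ror(x: int, i: int) -> int:
    return rol(x, (32 - i) % 32)


def bits(x: int, hi: int, lo: int) -> int:
    """X_{(hi~lo)} in the paper's notation: bits hi down to lo of x."""
    return (x >> lo) & ((1 << (hi - lo + 1)) - 1)


def partial_add_ok(x: int, y: int, n: int, r: int) -> bool:
    """Observation 1: the low r bits of (x +/- y) mod 2^n depend only on
    the low r bits of x and y, for 1 <= r <= n."""
    z_add, z_sub = (x + y) % (1 << n), (x - y) % (1 << n)
    xr, yr = bits(x, r - 1, 0), bits(y, r - 1, 0)
    return (bits(z_add, r - 1, 0) == (xr + yr) % (1 << r)
            and bits(z_sub, r - 1, 0) == (xr - yr) % (1 << r))


def round_enc(x: Tuple[int, ...], rk: Tuple[int, ...]) -> Tuple[int, ...]:
    """Full LEA encryption round (Section II.B)."""
    x0, x1, x2, x3 = x
    return (rol(((x0 ^ rk[0]) + (x1 ^ rk[1])) & MASK, 9),
            ror(((x1 ^ rk[2]) + (x2 ^ rk[3])) & MASK, 5),
            ror(((x2 ^ rk[4]) + (x3 ^ rk[5])) & MASK, 3),
            x0)


def partial_round1(p: Tuple[int, ...], rk: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Table III, step 4: X^1_{2,(10~0)}, X^1_{1,(10~0)}, X^1_{3,(8~0)} from
    the plaintext and only RK^1_5[13-0], RK^1_4[13-0], RK^1_3[15-0],
    RK^1_2[15-0] (60 key bits). RK^1_0 and RK^1_1 are never touched."""
    p0, p1, p2, p3 = p
    # [(P_{3,(13~0)} ^ RK_{5,(13~0)}) + (P_{2,(13~0)} ^ RK_{4,(13~0)})] mod 2^14, then >>>3
    s = ((bits(p3, 13, 0) ^ bits(rk[5], 13, 0))
         + (bits(p2, 13, 0) ^ bits(rk[4], 13, 0))) & 0x3FFF
    x1_2 = bits(s, 13, 3)      # sum bits 13..3 land in bits 10..0 after ROR_3
    # [(P_{1,(15~0)} ^ RK_{2,(15~0)}) + (P_{2,(15~0)} ^ RK_{3,(15~0)})] mod 2^16, then >>>5
    s = ((bits(p1, 15, 0) ^ bits(rk[2], 15, 0))
         + (bits(p2, 15, 0) ^ bits(rk[3], 15, 0))) & 0xFFFF
    x1_1 = bits(s, 15, 5)      # sum bits 15..5 land in bits 10..0 after ROR_5
    x1_3 = bits(p0, 8, 0)      # X^{i+1}_3 = X^i_0: no key involved
    return x1_2, x1_1, x1_3


def full_round1_slices(p: Tuple[int, ...], rk: Tuple[int, ...]) -> Tuple[int, int, int]:
    """The same three bit slices taken from the full 32-bit round output."""
    x = round_enc(p, rk)
    return bits(x[2], 10, 0), bits(x[1], 10, 0), bits(x[3], 8, 0)


def check_random(trials: int = 1000, seed: int = 1) -> bool:
    """Random plaintexts and round keys: partial and full computations agree,
    and Observation 1 holds for random r."""
    rng = random.Random(seed)
    for _ in range(trials):
        p = tuple(rng.getrandbits(32) for _ in range(4))
        rk = tuple(rng.getrandbits(32) for _ in range(6))
        if partial_round1(p, rk) != full_round1_slices(p, rk):
            return False
        if not partial_add_ok(rng.getrandbits(32), rng.getrandbits(32),
                              32, rng.randint(1, 32)):
            return False
    return True


if __name__ == "__main__":
    print("Table III step-4 equations verified:", check_random())
```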


C. Zero Correlation Linear Cryptanalysis on LEA-256

If we add four rounds before and one round after the 9-round zero correlation linear hull, we can attack 14-round LEA-256. Similarly, the initial four rounds and the final one round are illustrated in Fig. 3. As the key schedule plays an important role in deciding the number of round key bits involved, to make this relation clearer we list the correspondence between the round key words and the master key words in Table IV below.

TABLE IV: MASTER KEY WORDS INVOLVED FOR EACH ROUND KEY WORD OF LEA-256 (ROUND 1 TO 15)

| Round | $RK_0$ | $RK_1$ | $RK_2$ | $RK_3$ | $RK_4$ | $RK_5$ |
|---|---|---|---|---|---|---|
| 1 | K[0] | K[1] | K[2] | K[3] | K[4] | K[5] |
| 2 | K[6] | K[7] | K[0] | K[1] | K[2] | K[3] |
| 3 | K[4] | K[5] | K[6] | K[7] | K[0] | K[1] |
| 4 | K[2] | K[3] | K[4] | K[5] | K[6] | K[7] |
| 5 | K[0] | K[1] | K[2] | K[3] | K[4] | K[5] |
| 6 | K[6] | K[7] | K[0] | K[1] | K[2] | K[3] |
| 7 | K[4] | K[5] | K[6] | K[7] | K[0] | K[1] |
| 8 | K[2] | K[3] | K[4] | K[5] | K[6] | K[7] |
| 9 | K[0] | K[1] | K[2] | K[3] | K[4] | K[5] |
| 10 | K[6] | K[7] | K[0] | K[1] | K[2] | K[3] |
| 11 | K[4] | K[5] | K[6] | K[7] | K[0] | K[1] |
| 12 | K[2] | K[3] | K[4] | K[5] | K[6] | K[7] |
| 13 | K[0] | K[1] | K[2] | K[3] | K[4] | K[5] |
| 14 | K[6] | K[7] | K[0] | K[1] | K[2] | K[3] |
| 15 | K[4] | K[5] | K[6] | K[7] | K[0] | K[1] |

Fig. 3. Initial four rounds encryption (up) and final one round decryption (down) for LEA-256. [Figure not reproduced in text; it shows the plaintext words $P_0, P_1, P_{2,(20\sim0)}, P_{3,(18\sim0)}$, the intermediate bits $X^1_{0,(8\sim0)}, X^1_{1,(15\sim0)}, X^1_{2,(15\sim0)}, X^1_{3,(13\sim0)}$, $X^2_{1,(10\sim0)}, X^2_{2,(10\sim0)}, X^2_{3,(8\sim0)}$, $X^3_{1,(5\sim0)}, X^3_{2,(5\sim0)}$, $X^4_{1,(0)}$ and $X^{13}_{0,(9)}, X^{13}_{3,(0)}$, the round key bits guessed in each round, and the ciphertext bits $C_{0,(9)}, C_{1,(27)}, C_{2,(29)}, C_{3,(0,9)}$.]

The process of the attack is as follows:

Step 1. Allocate a counter vector $V_1[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, P_0 \,|\, P_1 \,|\, P_{2,(20\sim0)} \,|\, P_{3,(18\sim0)}]$ of size $2^{106}$, where each element is 32 bits long and initialized to zero.

Step 2. Guess all possible values of the 6 round key bits $RK^{14}_{0,(0)}, RK^{14}_{1,(0)}, RK^{14}_{2,(0)}, RK^{14}_{3,(0)}, RK^{14}_{4,(0)}, RK^{14}_{5,(0)}$.

Step 3. Partially decrypt the ciphertext of each $(P, C)$ pair to get $X^{13}_{0,(9)}$ and $X^{13}_{3,(0)}$. Add one to the corresponding $V_1[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, P_0 \,|\, P_1 \,|\, P_{2,(20\sim0)} \,|\, P_{3,(18\sim0)}]$.

Step 4. Allocate a counter vector $V_2[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^1_{0,(8\sim0)} \,|\, X^1_{1,(15\sim0)} \,|\, X^1_{2,(15\sim0)} \,|\, X^1_{3,(13\sim0)}]$ of size $2^{73}$, where each element is 64 bits long and initialized to zero. Guess the subkeys $RK^1_{5,(18\sim0)}$, $RK^1_{4,(18\sim0)}$, $RK^1_{3,(20\sim0)}$, $RK^1_{2,(20\sim0)}$, $RK^1_1$, $RK^1_0$. As $RK^{14}_{0,(0)}$ and $RK^{14}_{1,(0)}$ have already been guessed, only 31 bits of each of $RK^1_1$ and $RK^1_0$ have to be guessed. Altogether 142 key bits are guessed. Compute $X^1_{0,(8\sim0)}$, $X^1_{1,(15\sim0)}$, $X^1_{2,(15\sim0)}$ and $X^1_{3,(13\sim0)}$ according to the equations in Table V. Add one to the corresponding $V_2[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^1_{0,(8\sim0)} \,|\, X^1_{1,(15\sim0)} \,|\, X^1_{2,(15\sim0)} \,|\, X^1_{3,(13\sim0)}]$.

Step 5. Allocate a counter vector $V_3[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^2_{1,(10\sim0)} \,|\, X^2_{2,(10\sim0)} \,|\, X^2_{3,(8\sim0)}]$ of size $2^{33}$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^2_{5,(13\sim0)}$, $RK^2_{4,(13\sim0)}$, $RK^2_{3,(15\sim0)}$, $RK^2_{2,(15\sim0)}$. Altogether 19 extra round key bits ($RK^2_{5,(13\sim6)}$, $RK^2_{4,(12\sim2)}$) have to be guessed. Compute $X^2_{1,(10\sim0)}$, $X^2_{2,(10\sim0)}$ and $X^2_{3,(8\sim0)}$ according to the equations in Table V. Add one to the corresponding $V_3[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^2_{1,(10\sim0)} \,|\, X^2_{2,(10\sim0)} \,|\, X^2_{3,(8\sim0)}]$.

Step 6. Allocate a counter vector $V_4[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^3_{1,(5\sim0)} \,|\, X^3_{2,(5\sim0)}]$ of size $2^{14}$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^3_{2,(10\sim0)}$, $RK^3_{3,(10\sim0)}$, $RK^3_{4,(8\sim0)}$ and $RK^3_{5,(8\sim0)}$. According to the key schedule, altogether 22 key bits ($RK^3_{2,(10\sim0)}$, $RK^3_{3,(10\sim0)}$) have to be guessed. Compute $X^3_{1,(5\sim0)}$ and $X^3_{2,(5\sim0)}$ according to the equations in Table V. Add one to the corresponding $V_4[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^3_{1,(5\sim0)} \,|\, X^3_{2,(5\sim0)}]$.

Step 7. Allocate a counter vector $V_5[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^4_{1,(0)}]$ of size $2^3$, where each element is 128 bits long and initialized to zero. Guess the subkeys $RK^4_{2,(5\sim0)}$ and $RK^4_{3,(5\sim0)}$. According to the key schedule, all these 12 round key bits have to be guessed. Compute $X^4_{1,(0)}$ according to the equations in Table V. Add one to the corresponding $V_5[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^4_{1,(0)}]$.

TABLE V: PARTIAL ENCRYPTION PROCEDURE OF THE ATTACK ON 14-ROUND LEA-256

| Step | Guess | Computing | Counter (size) | Complexity |
|---|---|---|---|---|
| 4 | $RK^1_0$, $RK^1_1$; $RK^1_3[20\text{-}0]$, $RK^1_2[20\text{-}0]$; $RK^1_5[18\text{-}0]$, $RK^1_4[18\text{-}0]$ | $[(P_0 \oplus RK^1_0) \boxplus (P_1 \oplus RK^1_1)] \lll 9 \to X^1_{0,(8\sim0)}$; $[(P_{1,(20\sim0)} \oplus RK^1_{2,(20\sim0)}) \boxplus (P_{2,(20\sim0)} \oplus RK^1_{3,(20\sim0)})] \ggg 5 \to X^1_{1,(15\sim0)}$; $[(P_{3,(18\sim0)} \oplus RK^1_{5,(18\sim0)}) \boxplus (P_{2,(18\sim0)} \oplus RK^1_{4,(18\sim0)})] \ggg 3 \to X^1_{2,(15\sim0)}$ | $V_2[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^1_{0,(8\sim0)} \,|\, X^1_{1,(15\sim0)} \,|\, X^1_{2,(15\sim0)} \,|\, X^1_{3,(13\sim0)}]$ (73 bits) | $2^{106} \cdot 2^{6} \cdot 2^{142} = 2^{254}$ $LEA_1$ |
| 5 | $RK^2_5[13\text{-}0]$, $RK^2_4[13\text{-}0]$, $RK^2_3[15\text{-}0]$, $RK^2_2[15\text{-}0]$ | $[(X^1_{3,(13\sim0)} \oplus RK^2_{5,(13\sim0)}) \boxplus (X^1_{2,(13\sim0)} \oplus RK^2_{4,(13\sim0)})] \ggg 3 \to X^2_{2,(10\sim0)}$; $[(X^1_{1,(15\sim0)} \oplus RK^2_{2,(15\sim0)}) \boxplus (X^1_{2,(15\sim0)} \oplus RK^2_{3,(15\sim0)})] \ggg 5 \to X^2_{1,(10\sim0)}$ | $V_3[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^2_{1,(10\sim0)} \,|\, X^2_{2,(10\sim0)} \,|\, X^2_{3,(8\sim0)}]$ (33 bits) | $2^{73} \cdot 2^{6} \cdot 2^{142} \cdot 2^{19} = 2^{240}$, each $2/3$ $LEA_1$ |
| 6 | $RK^3_5[8\text{-}0]$, $RK^3_4[8\text{-}0]$, $RK^3_3[10\text{-}0]$, $RK^3_2[10\text{-}0]$ | $[(X^2_{3,(8\sim0)} \oplus RK^3_{5,(8\sim0)}) \boxplus (X^2_{2,(8\sim0)} \oplus RK^3_{4,(8\sim0)})] \ggg 3 \to X^3_{2,(5\sim0)}$; $[(X^2_{1,(10\sim0)} \oplus RK^3_{2,(10\sim0)}) \boxplus (X^2_{2,(10\sim0)} \oplus RK^3_{3,(10\sim0)})] \ggg 5 \to X^3_{1,(5\sim0)}$ | $V_4[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^3_{1,(5\sim0)} \,|\, X^3_{2,(5\sim0)}]$ (14 bits) | $2^{33} \cdot 2^{6} \cdot 2^{142} \cdot 2^{19} \cdot 2^{22} = 2^{222}$, each $2/3$ $LEA_1$ |
| 7 | $RK^4_2[5\text{-}0]$, $RK^4_3[5\text{-}0]$ | $[(X^3_{1,(5\sim0)} \oplus RK^4_{2,(5\sim0)}) \boxplus (X^3_{2,(5\sim0)} \oplus RK^4_{3,(5\sim0)})] \ggg 5 \to X^4_{1,(0)}$ | $V_5[X^{13}_{0,(9)} \,|\, X^{13}_{3,(0)} \,|\, X^4_{1,(0)}]$ (3 bits) | $2^{14} \cdot 2^{6} \cdot 2^{142} \cdot 2^{19} \cdot 2^{22} \cdot 2^{12} = 2^{215}$, each $1/3$ $LEA_1$ |

Step 8. In the first 7 steps of the attack, altogether 201 key bits have been guessed. For any guessed subkey candidate, if $V_5[0|0|0] + V_5[1|1|0] + V_5[0|1|1] + V_5[1|0|1] = 2^{127}$, the guessed 201-bit subkey candidate is kept; otherwise it is discarded. Similarly, a wrong subkey candidate is kept with probability of about $2^{-63.3}$. That is to say, of the $2^{201}$ guessed round key values, about $2^{201} \cdot 2^{-63.3} = 2^{137.7}$ subkey candidates are left after the above steps.

The remaining steps of our attack are:

Step 9. (Master key sieving phase) As the key words do not mix with each other during the key schedule, which was shown in Observation 2, we can run the exhaustive search word by word separately and so realize the key sieving phase. For each $K[i]$ ($0 \le i \le 7$), use the key schedule to produce the round keys generated by $K[i]$. If the round keys of a guessed $K[i]$ are among the round key candidates left after step 8, $K[i]$ may be a correct guess; otherwise it is eliminated.

Step 10. In the first 8 steps, altogether 201 bits have been guessed; ideally, for one round key candidate, the space of $(K[0], K[1], K[2], K[3], K[4], K[5], K[6], K[7])$ is about $2^{256-201} \cdot 2^{137.7} = 2^{192.7}$. If a candidate $(K[0], K[1], K[2], K[3], K[4], K[5], K[6], K[7])$ survives a test against 2 plaintext-ciphertext pairs, it is regarded as the right key.

1) Complexity estimation

The time complexity of step 3 is no more than $2^{128} \cdot 2^{6}$ $LEA_1$ encryptions; the time complexity of step 4 is $2^{254}$ $LEA_1$ encryptions; the time complexity of step 5 is $2^{240}$ times $2/3$ $LEA_1$ encryptions; the time complexity of step 6 is $2^{222}$ times $2/3$ $LEA_1$ encryptions; and the time complexity of step 7 is $2^{215}$ times $1/3$ $LEA_1$ encryptions. For the master key sieving phase of step 9, the time complexity to recover the master keys which match the subkey candidates is about $8 \cdot 2^{32}$, which is negligible compared with the other time complexities. The time complexity to test the remaining master key candidates is about $2^{192.7}$ $LEA_{14}$ encryptions.

To sum up, the time complexity of the attack is $2^{250.19}$ $LEA_{14}$ encryptions, the data complexity of this attack is $2^{128}$ plaintext-ciphertext pairs, and the memory requirements are about $2^{108}$ bytes for the counters and $2^{137.7} \cdot (201/8) \approx 2^{142.35}$ bytes for the subkey candidates remaining after step 8. This is the first zero correlation linear cryptanalysis on 14-round LEA-256.

V. CONCLUSION

In spite of its high efficiency in software and hardware, the LEA block cipher shows a high security


level against many cryptanalytic methods. In this paper, we improve the results on the LEA family ciphers against zero correlation linear cryptanalysis. Although the improvement is conspicuous, it does not pose any practical threat to the LEA block ciphers. For LEA, how to find more effective cryptanalytic methods remains to be studied.

APPENDIX A ZERO CORRELATION LINEAR HULL FOR 9 ROUND LEA

TABLE VI: ZERO CORRELATION LINEAR HULL FOR 9 ROUND LEA

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their helpful comments. This work was supported by the National Natural Science Foundation of China under Grant No. 61202491, 61272041, 61272488, 61402523 and 61572516.

REFERENCES

[1] D. Hong, J. K. Lee, D. C. Kim, D. Kwon, K. H. Ryu, and D. G. Lee, "LEA: A 128-bit block cipher for fast encryption on common processors," in Proc. 14th International Workshop on Information Security Applications, Jeju Island, Korea, 2013, pp. 3-27.
[2] A. Bogdanov and V. Rijmen, "Linear hulls with correlation zero and linear cryptanalysis of block ciphers," IACR ePrint Archive Report 2011/123, 2011.
[3] A. Bogdanov and V. Rijmen, "Linear hulls with correlation zero and linear cryptanalysis of block ciphers," Designs, Codes and Cryptography, vol. 70, pp. 369-383, 2014.
[4] A. Bogdanov and M. Wang, "Zero correlation linear cryptanalysis with reduced data complexity," in Proc. 19th International Workshop on Fast Software Encryption, Washington, DC, USA, 2012, pp. 29-48.
[5] A. Bogdanov, G. Leander, K. Nyberg, and M. Wang, "Integral and multidimensional linear distinguishers with correlation zero," in Proc. 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, 2012, pp. 244-261.
[6] H. Soleimany and K. Nyberg, "Zero-correlation linear cryptanalysis of reduced-round LBlock," Designs, Codes and Cryptography, vol. 73, pp. 683-698, 2014.
[7] Q. Wang, Z. Liu, K. Varıcı, Y. Sasaki, V. Rijmen, and Y. Todo, "Cryptanalysis of reduced-round SIMON32 and SIMON48," in Proc. 15th International Conference on Cryptology in India, New Delhi, India, 2014, pp. 143-160.
[8] Y. Wang and W. Wu, "Improved multidimensional zero-correlation linear cryptanalysis and applications to LBlock and TWINE," in Proc. 19th Australasian Conference, Wollongong, NSW, Australia, 2014, pp. 1-16.
[9] L. Wen, M. Wang, A. Bogdanov, and H. Chen, "Multidimensional zero-correlation attacks on lightweight block cipher HIGHT: Improved cryptanalysis of an ISO standard," Information Processing Letters, vol. 114, pp. 322-330, 2014.
[10] A. Bogdanov, H. Geng, M. Wang, L. Wen, and B. Collard, "Zero-correlation linear cryptanalysis with FFT and improved attacks on ISO standards and CLEFIA," in Proc. Selected Areas in Cryptography -- SAC 2013, T. Lange, K. Lauter, and P. Lisonek, Eds., 2013, pp. 306-323.
[11] D. Hong, et al., "HIGHT: A new block cipher suitable for low-resource device," in Proc. Cryptographic Hardware and Embedded Systems -- CHES 2006, Yokohama, Japan, 2006, pp. 46-59.
[12] L. Wen, M. Wang, and A. Bogdanov, "Multidimensional zero-correlation linear cryptanalysis of E2," in Proc. AFRICACRYPT 2014, Marrakesh, Morocco, 2014, pp. 147-164.

Kai Zhang received the M.S. degree in cryptology from the Information Science and Technology Institute, Zhengzhou, China, in June 2013. He is pursuing his Ph.D. degree in cryptology at the same institute. His main research interests include the design and analysis of symmetric ciphers. His work has been published in several refereed journals, and he has been serving as a referee for the international journal Security and Communication Networks in the area of information security and cryptology.

Jie Guan is a professor at the Information Science and Technology Institute, Zhengzhou, China. Her main subject interest is cryptography, and her main teaching lies in the areas of information systems, the theory of cryptography and quantum computation.


Bin Hu is a professor at the Information Science and Technology Institute, Zhengzhou, China. His main subject interests and his main teaching are Boolean functions, information security and cryptology.
