**Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128**

*Sareh Emami and San Ling and Ivica Nikolic and Josef Pieprzyk and Huaxiong Wang*

**Abstract: **So far, low probability differentials for the key schedule of block ciphers have been used as a straightforward proof of security against related-key differential attacks. To achieve the resistance, it is believed that for cipher with $k$-bit key it suffices the upper bound on the probability to be $2^{-k}$. Surprisingly, we show that this reasonable assumption is incorrect, and the probability should be (much) lower than $2^{-k}$. Our counter example is a related-key differential analysis of the block cipher CLEFIA-128. We show that although the key schedule of CLEFIA-128 prevents differentials with a probability higher than $2^{-128}$, the linear part of the key schedule that produces the round keys, and the Feistel structure of the cipher, allow to exploit particularly chosen differentials with a probability as low as $2^{-128}$. CLEFIA-128 has $2^{14}$ such differentials, which translate to $2^{14}$ pairs of weak keys. The probability of each differential is too low for attacks, but the weak keys have a special structure which allows with a divide-and-conquer approach to gain advantage of $2^7$ over generic attacks. We exploit the advantage and give a membership test for the weak-key class,
provide analysis in the hashing mode, and show the importance for the secret-key mode. The proposed analysis has been tested with computer experiments on small-scale variants of CLEFIA-128.
Our results do not threaten the practical use of CLEFIA.

**Category / Keywords: **secret-key cryptography / CLEFIA, cryptanalysis, weak keys, CRYPTREC, differentials

**Original Publication**** (with minor differences): **Asiacrypt 2014

**Date: **received 25 Jan 2014, last revised 4 Dec 2014

**Contact author: **inikolic at ntu edu sg

**Available format(s): **PDF | BibTeX Citation

**Version: **20141204:141617 (All versions of this report)

**Short URL: **ia.cr/2014/056

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]