CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE 2007, and it was adopted as several standards. CLEFIA adopts a generalized Feistel structure with the switching diffusion mechanism, which realizes a compact hardware implementation for CLEFIA, and it seems one of the promising candidates to be used for restricted environments, which requires that a cryptographic primitive is versatile. It means that we need to evaluate the security of CLEFIA even for unusual scenario such as known-key scenario. As Knudsen and Rijmen did for 7-round AES at Asiacrypt 2007, we construct 17-round known-key distinguisher using two integral characteristics. To combine the 17-round known-key distinguisher with the standard subkey recovery technique for a secret-key scenario, we can construct a distinguisher for full CLEFIA-128 from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009. The distinguisher requires query of 2112 texts, time complexity of 2112, and memory complexity of 23 blocks, with the advantage of e−1, where e is the base of the natural logarithm.
展开▼
