Meet-in-the-Middle Attacks on Reduced-Round Hierocrypt-3

Abstract

Hierocrypt-3 is an SPN-based block cipher designed by Toshiba Corporation. It operates on 128-bit state using either 128, 192 or 256-bit key. In this paper, we present two meet-in-the-middle attacks in the single-key setting on the 4-round reduced Hierocrypt-3 with 256-bit key. The first attack is based on the differential enumeration approach where we propose a truncated differential characteristic in the first 2.5 rounds and match a multiset of state differences at its output. The other attack is based on the original meet-in-the-middle attack strategy proposed by Demirci and Selçuk at FSE 2008 to attack reduced versions of both AES-192 and AES-256. For our attack based on the differential enumeration, the master key is recovered with data complexity of \(2^{113}\) chosen plaintexts, time complexity of \(2^{238}\) 4-round reduced Hierocrypt-3 encryptions and memory complexity of \(2^{218}\) 128-bit blocks. The data, time and memory complexities of our second attack are \(2^{32}\), \(2^{245}\) and \(2^{242}\), respectively. To the best of our knowledge, these are the first attacks on 4-round reduced Hierocrypt-3.

A \(MDS_{H}\) and \(MDS_{H}^{-1}\)

\(MDS_{H}\) is represented by:

$$\begin{aligned} \left( \begin{array}{c}y_{0(8)}\\ y_{1(8)}\\ y_{2(8)}\\ y_{3(8)}\\ y_{4(8)}\\ y_{5(8)}\\ y_{6(8)}\\ y_{7(8)}\\ y_{8(8)}\\ y_{9(8)}\\ y_{10(8)}\\ y_{11(8)}\\ y_{12(8)}\\ y_{13(8)}\\ y_{14(8)}\\ y_{15(8)}\\ \end{array} \right) = \left( \begin{array}{c c c c c c c c c c c c c c c c} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1\\ 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1\\ 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0\\ 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1\\ 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0\\ 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0\\ 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1\\ 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0\\ 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1\\ 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0\\ 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0\\ 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1\\ \end{array} \right) \left( \begin{array}{c}x_{0(8)}\\ x_{1(8)}\\ x_{2(8)}\\ x_{3(8)}\\ x_{4(8)}\\ x_{5(8)}\\ x_{6(8)}\\ x_{7(8)}\\ x_{8(8)}\\ x_{9(8)}\\ x_{10(8)}\\ x_{11(8)}\\ x_{12(8)}\\ x_{13(8)}\\ x_{14(8)}\\ x_{15(8)}\\ \end{array} \right) \end{aligned}$$

The inverse matrix, \(MDS_{H}^{-1}\), is given by:

$$\begin{aligned} \left( \begin{array}{c}x_{0(8)}\\ x_{1(8)}\\ x_{2(8)}\\ x_{3(8)}\\ x_{4(8)}\\ x_{5(8)}\\ x_{6(8)}\\ x_{7(8)}\\ x_{8(8)}\\ x_{9(8)}\\ x_{10(8)}\\ x_{11(8)}\\ x_{12(8)}\\ x_{13(8)}\\ x_{14(8)}\\ x_{15(8)}\\ \end{array} \right) = \left( \begin{array}{c c c c c c c c c c c c c c c c} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0\\ 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1\\ 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1\\ 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0\\ 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1\\ 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1\\ 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1\\ 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0\\ 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1\\ 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1\\ 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0\\ 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1\\ 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1\\ 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 1 &{} 0 &{} 1 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1\\ \end{array} \right) \left( \begin{array}{c}y_{0(8)}\\ y_{1(8)}\\ y_{2(8)}\\ y_{3(8)}\\ y_{4(8)}\\ y_{5(8)}\\ y_{6(8)}\\ y_{7(8)}\\ y_{8(8)}\\ y_{9(8)}\\ y_{10(8)}\\ y_{11(8)}\\ y_{12(8)}\\ y_{13(8)}\\ y_{14(8)}\\ y_{15(8)}\\ \end{array} \right) \end{aligned}$$