Hight PDF
Hight PDF
Hight PDF
Low-Resource Device
Deukjo Hong
1
, Jaechul Sung
2
, Seokhie Hong
1
, Jongin Lim
1
, Sangjin Lee
1
,
Bon-Seok Koo
1
, Changhoon Lee
1
, Donghoon Chang
1
, Jesang Lee
1
, Kitae
Jeong
1
, Hyun Kim
4
, Jongsung Kim
1
, and Seongtaek Chee
3
1
Center for Information Security Technologies (CIST),
Korea University, Seoul, Korea
{hongdj,hsh,jilim,sangjin,bskoo,crypto77,
pointchang,jslee,kite,joshep}@cist.korea.ac.kr
2
Department of Mathematics, University of Seoul, Seoul, Korea
jcsung@uos.ac.kr
3
National Security Research Institute (NSRI),
161 Gajeong-dong, Yuseong-gu, Daejeon 305-350, Korea
chee@etri.re.kr
4
Korea Information Security Agency (KISA),
78 Karak-dong, Songpa-gu, Seoul 138-160, Korea
hkim@kisa.or.kr
Abstract. In this paper, we propose a new block cipher HIGHT with
64-bit block length and 128-bit key length. It provides low-resource hard-
ware implementation, which is proper to ubiquitous computing device
such as a sensor in USN or a RFID tag. HIGHT does not only consist
of simple operations to be ultra-light but also has enough security as
a good encryption algorithm. Our hardware implementation of HIGHT
requires 3048 gates on 0.25 m technology.
Keywords: Block Cipher, Ubiquitous, Low-Resource Implementation
1 Introduction
Cryptographic applications providing various security services such as conden-
tiality, integrity, protection of privacy, and so on, are admitted as core tech-
nologies for advances in digital information society based on internet. Recently,
ubiquitous computing system is in a matter of concern and interest, and design-
ing cryptographic algorithms and applications suitable for such environment is
an interesting research issue. For example, radio frequency identication (RFID)
systems are useful for the automated electronic toll collection system, identify-
ing and tracing pets, the administration of physical distribution, and so on,
while the radio frequency communication between a reader and a tag causes
SK127,SK126,SK125,SK124
????????????????
????????????????
?
?
Key Schedule
Master Key
Master Key
WK3,WK2,WK1,WK0
WK7,WK6,WK5,WK4
Fig. 1. Encryption process of HIGHT
2 Specication
2.1 Notations
We use the following notations for the description of HIGHT. The 64-bit plain-
text and ciphertext are considered as concatenations of 8 bytes and denoted by
P = P
7
|| P
1
||P
0
and C = C
7
|| C
1
||C
0
, respectively. The 64-bit intermediate
values are analogously represented, X
i
= X
i,7
|| X
i,1
||X
i,0
for i = 0, , 32.
The 128-bit master key is considered as a concatenation of 16 bytes and denoted
by MK = MK
15
|| ||MK
0
. The followings are notations for mathematical op-
erations:
: addition mod 2
8
: subtraction mod 2
8
: XOR (eXclusive OR)
A
s
: s-bit left rotation of a 8-bit value A
We focus on the encryption process in the description of the specication
of HIGHT because the decryption process is explained in the similar to the
encryption process. The encryption process of HIGHT HightEncryption consists
of key schedule, initial transformation, round function, and nal transformation.
Its description is as follows.
HightEncryption(P, MK) {
KeySchedule(MK,WK,SK);
HightEncryption(P, WK, SK) {
InitialTransfomation(P, X
0
, WK
3
, WK
2
, WK
1
, WK
0
);
For i = 0 to 31 {
RoundFunction(X
i
, X
i+1
, SK
4i+3
, SK
4i+2
, SK
4i+1
, SK
4i
);
}
FinalTransfomation(X
32
, C, WK
7
, WK
6
, , WK
5
, WK
4
);
}
}
WK and SK mean whitening keys and subkeys, respectively.
2.2 Key Schedule
The key schedule KeySchedule for HightEncryption consists of two algorithms,
WhiteningKeyGeneration which generates 8 whitening key bytes WK
0
, , WK
7
,
and SubkeyGeneration which generates 128 subkey bytes SK
0
, , SK
127
.
KeySchedule(MK, WK, SK) {
WhiteningKeyGeneration(MK, WK);
SubkeyGeneration(MK, SK);
}
Whitening Key Generation HIGHT uses 8 whitening key bytes WK
0
, , WK
7
for the initial and nal transformations. The algorithm WhiteningKeyGeneration
generates them as follows.
WhiteningKeyGeneration {
For i = 0 to 7 {
If 0 i 3, then WK
i
MK
i+12
;
Else, WK
i
MK
i4
;
}
}
Subkey Generation 128 subkeys are used for 1 computation of HightEncryption,
4 subkeys per round. The algorithm SubkeyGeneration uses the subalgorithm
ConstantGeneration to generate 128 7-bit constants
0
, ,
127
, and then gener-
ates the subkeys SK
0
, SK
127
with the constants.
0
is xed as 1011010
2
. This is also the initial state (s
6
, , s
0
) of 7-bit
LFSR h. The connection polynomial of h is x
7
+ x
3
+ 1 Z
2
[x]. The algorithm
ConstantGeneration uses the LFSR h to produce
1
, ,
127
from
0
as follows.
ConstantGeneration {
s
0
0; s
1
1; s
2
0; s
3
1;
s
4
1; s
5
0; s
6
1;
0
s
6
||s
5
||s
4
||s
3
||s
2
||s
1
||s
0
;
For i = 1 to 127 {
s
i+6
s
i+2
s
i1
;
i
s
6
||s
5
||s
4
||s
3
||s
2
||s
1
||s
0
;
}
}
Since x
7
+x
3
+1 is a primitive polynomial in Z
2
[x], the period of h is 2
7
1 = 127
and so
0
=
127
.
The algorithm SubkeyGeneration generates the subkeys as follows.
SubkeyGeneration(MK, SK) {
Run ConstantGeneration
For i = 0 to 7 {
For j = 0 to 7 {
SK
16i+j
MK
ji mod 8
16i+j
;
}
For j = 0 to 7 {
SK
16i+j+8
MK
(ji mod 8)+8
16i+j+8
;
}
}
}
2.3 Initial Transformation
InitialTransformation transforms a plaintext P into the input of the rst RoundFunction,
X
0
= X
0,7
||X
0,6
|| ||X
0,0
by using the four whitening-key bytes, WK
0
, WK
1
,
WK
2
, and WK
3
.
InitialTransfomation(P, X
0
, WK
3
, WK
2
, WK
1
, WK
0
) {
X
0,0
P
0
WK
0
; X
0,1
P
1
; X
0,2
P
2
WK
1
; X
0,3
P
3
;
X
0,4
P
4
WK
2
; X
0,5
P
5
; X
0,6
P
6
WK
3
; X
0,7
P
7
;
}
2.4 Round Function
RoundFunction uses two auxiliary functions F
0
and F
1
:
F
0
(x) = x
1
x
2
x
7
,
F
1
(x) = x
3
x
4
x
6
.
For i = 0, , 31, RoundFunction transforms X
i
= X
i,7
|| ||X
i,0
into X
i+1
=
X
i+1,7
|| ||X
i+1,0
as follows.
RoundFunction(X
i
, X
i+1
, SK
4i+3
, SK
4i+2
, SK
4i+1
, SK
4i
) {
X
i+1,1
X
i,0
; X
i+1,3
X
i,2
; X
i+1,5
X
i,4
; X
i+1,7
X
i,6
;
X
i+1,0
= X
i,7
(F
0
(X
i,6
) SK
4i+3
);
X
i+1,2
= X
i,1
(F
1
(X
i,0
) SK
4i+2
);
X
i+1,4
= X
i,3
(F
0
(X
i,2
) SK
4i+1
);
X
i+1,6
= X
i,5
(F
1
(X
i,4
) SK
4i
);
}
2.5 Final Transformation
FinalTransformation untwists the swap of the last round function and trans-
forms X
32
= X
32,7
|| X
32,6
|| ||X
32,0
into the ciphertext C by using the four
whitening-key bytes WK
4
, WK
5
, WK
6
, and WK
7
.
FinalTransfomation(X
32
, C, WK
7
, WK
6
, WK
5
, WK
4
) {
C
0
X
32,1
WK
4
; C
1
X
32,2
; C
2
X
32,3
WK
5
; C
3
X
32,4
;
C
4
X
32,5
WK
6
; C
5
X
32,6
; C
6
X
32,7
WK
7
; C
7
X
32,0
;
}
2.6 Decryption Process
The decryption process HightDecryption is done in the canonical way to invert
HightEncryption. Key schedule generates the subkeys in the reverse order. The
round function in the decryption process has instead of and byte-swap with
the opposite direction to that in the encryption process.
3 Design Principles
In this section we list brief description of design principles of HIGHT.
The structure of HIGHT is generalized Feistel-like. This kind of structure
reduces restriction of designing inner auxiliary functions. Compared to SP-
like structure, the round function is light. Since encryption process is simply
converted into decryption process, implementation of the circuit supporting
both encryption and decryption processes does not require much more cost
than the encryption-only circuit.
Every operation in HIGHT is 8-bit-processor-oriented. CPUs embedded into
the sensors in USN (Ubiquitous Sensor Network) are based on 8-bit proces-
sor. So, HIGHT has ecient performance in such environment. We checked
that in 8-bit-oriented software implementation HIGHT is faster than AES-
128.
We intend to combine XOR and addition mod 2
8
alternatively. The combi-
nation of these quite dierent operations spread out the whole round of the
algorithm. It plays an important role for resistance against existing attacks.
The inner functions F
0
and F
1
of the round function provide bitwise diu-
sion. These functions can be viewed as linear transformations from GF(2)
8
to GF(2)
8
. We selected two among linear transformations which have best
diusion.
The 128-bit register used in the key schedule algorithm contains the master
key value both before and after running the algorithm. So, only one 128-bit
register is required for both encryption and decryption processes.
The whitening keys are used in the rst and the last rounds of HIGHT. If
the whitening keys are not used, then the inputs to F
0
and F
1
in the rst
and the last rounds are directly revealed from plaintexts and ciphertexts.
The sequence
0
, ,
127
generated by the linear feedback shift register h
enhances randomness of subkey bytes. It also provides the resistance against
slide attack.
4 Security Analysis
We analyze the security of HIGHT against various attacks. As a result, we claim
that HIGHT is secure enough for cryptographic applications. In this subsection,
we present not only brief description of our analysis but also the result of the
statistical tests on HIGHT.
4.1 Dierential Cryptanalysis
The resistance of a block cipher against dierential cryptanalysis [6] depends on
the maximum probability of dierential characteristics, which are paths from the
plaintext dierence to the ciphertext dierence. First of all, we have implemented
a simulation for nding the maximum dierential characteristics of a small ver-
sion of HIGHT, Mini-HIGHT, which consists of four 8-bit input registers when
2
32
of all possible input values are given. As a result, we found two 8-round max-
imum dierential characteristics with a probability of 2
28
in which there
always exist a dierence pattern such that hamming weight is one at a particular
round, where (, ) {(d0 00 ed 86
x
, 00 84 82 01
x
), (04 dc 20 e2
x
, 00 84 82 01
x
)}.
Since it is impossible for us to nd all of the corresponding dierential charac-
teristics of HIGHT for given 2
64
possible input values, we considered the above
dierence pattern of Mini-HIGHT with a noticeable feature and then found
several 11-round dierential characteristics with probability 2
58
where
(, ) {(11 89 25 e2 c8 01 00 00
x
, 45 02 01 00 00 91 29 95
x
), (c8 01 00 00 11 89 25
e2
x
, 00 91 29 95 45 02 01 00
x
)}. Each of them are constructed by setting a
dierence of a particular intermediate variable to the starting point, and by
prepending and appending good one-round dierential characteristics to it. We
expect that they have the best probability over all the 11-round dierential
characteristics and that for r > 11, no r-round dierential characteristic is use-
ful for dierential cryptanalysis of HIGHT because we checked that there is no
any ecient iterative dierential characteristic. Dierential attack on 13-round
HIGHT without the nal transformation recovers the subkeys of the 12th and
13th rounds with 2
62
plaintexts.
4.2 Linear Cryptanalysis
Linear cryptanalysis [17, 18] uses linear relations of the plaintext, ciphertext,
and key which hold with a probability. We call them, linear approximations. Let
p = 1/2+ be the probability of a linear approximation. is called, bias. If
2
is
relatively high, the linear approximation is very useful for linear cryptanalysis.
We found several 10-round linear approximations with
2
= 2
54
. Similarly to
dierential cryptanalysis of HIGHT, they were constructed by putting a 1-bit
position of an intermediate variable to the starting point, and by prepending
and appending good one-round linear approximations to it. We expect that they
have the best bias over all the 10-round approximations and that for r > 10,
no r-round linear approximation has good bias because we checked that there
is no any iterative linear approximation in HIGHT. Linear attack on 13-round
HIGHT without the nal transformation recovers 36 bits of the subkeys of the
1st, 12th, and 13th rounds. It requires 2
57
plaintexts with the success rate 96.7%.
4.3 Truncated Dierential Cryptanalysis
Truncated dierential characteristic [15] is a path from a partial dierence of
the input to a partial dierence of the output. In order to nd good truncated
dierential characteristics, we computed the probabilities of all dierential char-
acteristics with the following form:
00
1
00
2
00
3
00
4
00
1
00
2
00
3
00
4
(1)
where all
i
,
j
are 1-byte values. The truncated dierential characteristics with
such form can be iterated, but their probabilities are terribly low. Even the sum
of them is too low to be applied to the attack.
As the second approach, we considered several 10-round truncated dieren-
tial characteristics with probability 1. For example, one among them has the
following form: the input dierence is 80 e9 00 00 00 00 00 00
x
and the output
dierence is
1
2
3
4
5
6
7
where is a nonzero 1-byte value and
i
s
are arbitrary 1-byte values. This truncated dierential characteristic provides us
with only one information about the output dierence that the left-most byte
of the output dierence is nonzero. Since the probability of the characteristic
is 1, we have information enough for the attack on HIGHT. We can use the
truncated dierential characteristic to recover 96 bits of the subkeys used from
the 11th round to the 16th round in 16-round HIGHT. The attack requires 2
14.1
plaintexts and 2
108.69
encryptions of 16-round HIGHT.
4.4 Impossible Dierential Cryptanalysis
We can construct a dierential characteristic, which never occurs, by composing
two short truncated dierential characteristics with the probability 1 which do
not meet in the middle. We call it an impossible dierential characteristic [2].
Such dierential characteristic can be used for attacks on block ciphers. Roughly
speaking, since a key candidate satises an impossible dierential characteristic
is a wrong key, we can reduce the number of the key candidates by repeating
such tests. We investigated all of the possible characteristics for all of the possible
input dierences and then found a 14-round impossible dierential characteristic
= where = (80 e9 00 00 00 00 00 00)
x
, = (, ?, ?, ..., ?)
x
( : a
nonzero), = (00, 00, ?, ?, ?, ?, ?, ?)
x
, and = (00 ? ? ? 00 00 00 00)
x
. We
can use this 14-round impossible dierential characteristic to attack 18-round
HIGHT. This attack requires 2
46.8
chosen-plaintexts and 2
109.2
encryptions of
18-round HIGHT.
4.5 Saturation Attack
The saturation attack [10, 16] uses a saturated multiset of plaintexts. The at-
tacker needs the property that XOR sum of particular parts of the corresponding
ciphertexts is zero. We call it a saturation characteristic. Saturation characteris-
tics useful for the attack are often found in block ciphers in which small portions
of the bits are interleaved by a strong nonlinear function while the main interleav-
ing stage is linear. There exist 12-round saturation characteristics with the prob-
ability 1 in HIGHT, e.g., = (S, C, C, C, C, C, C, C) = (?, ?, ?, ?, B
0
, ?, ?, ?)
where S: a saturation set, C: a xed constant, and B
0
: a balanced set for the
least signicant bit. We can apply them to the attack on 16-round HIGHT. It
requires 2
42
plaintexts and 2
51
encryptions of 16-round HIGHT.
4.6 Boomerang Attack
The main idea behind the boomerang attack [20] is to use two short dierential
characteristics with relatively high probabilities instead of one long dierential
with low probability. The boomerang attack has been improved to the amplied
boomerang [14] and the rectangle [4, 5] attacks. This kind of attacks treat the
block cipher E as E = E
1
E
0
a cascade of E
0
and E
1
. We assume that for E
0
there exists a dierential characteristic with probability p and that for
E
1
there exists a dierential characteristic with probability q. Then the
boomerang characteristic which is constructed from two dierential characteris-
tics and has probability p
2
q
2
. We applied the amplied boomerang
attack to 13-round HIGHT without nal transformation. We build a 11-round
boomerang characteristic of HIGHT with probability 2
58
from two dierential
characteristics one with probability 2
12
decipted in Table 2 and the other
one with probability 2
17
decipted in Table 3. We use the 11-round boomerang
characteristic to recover the subkeys of the 13th round with 2
62
plaintexts.
4.7 Interpolation and Higher Order Dierential Attack
Interpolation [13] and higher order dierential [15] attacks are aimed against
block ciphers which have low algebraic degree. Since the degree of a round func-
tion of HIGHT is 8, the full-round HIGHT has a high degree as a vector Boolean
Table 2. The 5 rounds dierential characteristics (the 1st round the 5th round)
with probability 2
12
.
82 01 00 00 00 00 00 00x 00 90 95 ca 01 00 00 00x
00 00 00 00 82 01 00 00x 01 00 00 00 00 90 95 cax
Table 3. The 6 rounds dierential characteristics (the 6th round the 11th round)
with probability 2
17
42 82 01 00 00 00 00 00x 00 90 95 ca 01 00 00 00x
00 00 00 00 42 82 01 00x 01 00 00 00 00 90 95 cax
function. Furthermore, we believe that the result of higher order dierential at-
tack on HIGHT is less than the result of saturation attack on HIGHT because
saturation attack can be viewed as a special and more eective case of higher
order dierential attack.
4.8 Algebraic Attack
In order to apply the algebraic attack [9] to block ciphers, we should derive an
over-dened system of algebraic equations. Since a round function of HIGHT is
the degree 8 as a vector Boolean function, it may be impossible to convert any
equation system in HIGHT into an over-dened system.
4.9 Slide and Related-Key Attacks
Slide [7, 8] and related-key [3] attacks use some weakness of key schedule. The
subkey generation algorithm of HIGHT has a simplicity and a linearity but
resistance enough to frustrate those attacks due to the use of the round function
with strong non-linearity and avalanche eect. It is known that the iterated
ciphers with identical round functions, that is, equal structures and equal subkeys
in the round functions, are vulnerable to slide attacks. However, since HIGHT
uses the dierent constant for each round, it is secure against slide attack.
We are also convinced that the key schedule and round function of HIGHT
makes related-key attacks dicult although the relation between two master keys
is known and the corresponding relations between the subkeys can be predeter-
mined due to linearity of the key schedule. To nd long related-key dierential
characteristics with high probability and mount a successful distinguishing at-
tack, we must keep the number of additions small. This can be done by trying
to cancel out dierences in XORs and additions but this work is not easy. So,
by trial and error, we constructed 18-round related-key boomerang distinguisher
which is composed of two short related-key dierential characteristics with rel-
atively high probability; one is the rst 8 rounds, (2c 00 80 00 00 00 00 00)
x
(00 00 00 00 43 80 00 00)
x
under the related-key dierence (00 00 80 2c 00, ..., 00)
with probability 2
6
and the other one is 10 rounds, (08 9e 6f 80 2c 00 80 00)
x
(2c 00 80 00 00 00 00 00)
x
under the related-key dierence (80 2c 00 00, ..., 00)
with probability 2
23
. This is useful to attack on 19 rounds HIGHT but can be
used to attack on full-round HIGHT.
4.10 Weak Keys
Originally, a weak key is dened as a key under which the encryption function
is involution [19]. We checked that there does not exists any equivalent or weak
key in HIGHT. In a broad sense, a weak key can be dened as a key under which
the resistance of the block cipher against any attacks falls o. We suppose that
it is very dicult to nd such kind of weak keys in HIGHT.
Table 4. Results of HIGHT
Statistical Test Proportion
High Density Low Density
Frequency 0.994(Pass) 0.986(Pass)
Block Frequency (m = 100) 0.993(Pass) 0.991(Pass)
Runs 0.990(Pass) 0.982(Pass)
Long Runs of Ones 0.990(Pass) 0.994(Pass)
Rank 0.988(Pass) 0.992(Pass)
Spectral DFT 1.00(Pass) 0.990(Pass)
Non-overlapping Templates (m = 9) 0.990(Pass) 0.990(Pass)
Overlapping Templates (m = 9) 0.978(Pass) 0.984(Pass)
Universal 0.992(Pass) 0.980(Pass)
Lempel-Ziv Complexity 0.986(Pass) 0.980(Pass)
Linear Complexity (M = 500) 0.984(Pass) 0.994(Pass)
Serial (m = 5) 0.992(Pass) 0.985(Pass)
Approximate Entropy (m = 5) 0.986(Pass) 0.990(Pass)
Cusum 0.992(Pass) 0.988(Pass)
Random Excursions 0.986(Pass) 0.990(Pass)
Random Excursions Variant 0.989(Pass) 0.987(Pass)
4.11 Random Test
We show the results of the NIST statistical test on HIGHT. We use 500 samples
of about 10
6
bit sequences for each test. Consequently, 500 (sample) 10
6
(sequence) bits are used for each test. The Table 4 shows results of HIGHT. Here
input parameters used in these tests has been included in parenthesis beside the
name of the statistical test. From the Table 4, it is clear that the statistical test
results for HIGHT dont indicate a deviation from random behaviour.
5 Hardware Implementation
We designed a simple circuit of HIGHT in order to check the hardware com-
plexity on 0.25m CMOS technology. The circuit consists of three parts: Round-
Function, KeySchedule, and Control Logic. RoundFunction processes whitening-
key addition or round function with 64-bit input data and 4-byte round key, and
KeySchdule generates 4-byte round key (four byte whiteningkeys or subkeys).
Control Logic controls RoundFunction and KeySchedule to process HIGHT algo-
rithm. The total size corresponds to 3048 NAND gates as you see in Table 5.
Our circuit processes one round encryption per one clock cycle, thus its data
throughput is about 150.6 Mbps at a 80 MHz clock rate. Note that our circuit is
not area-optimized, and in order to reduce the gate count, we can simply modify
it to process 1/2 or 1/4 of one round operation per a clock cycle. In the case
of 1/4 round design, we estimate the minimized circuit would require much less
than 3000 gates on 0.25m technology and its data throughput would be about
37.6 Mbps at a 80 MHz clock rate. Meanwhile the last hardware implementa-
tion result of AES-128 [12] requires about 3400 gates and its data throughput is
about 9.9 Mbps under the same clock rate.
Table 5. Gate count for hardware implementation of HIGHT
Component Gate Count
RoundFunction 838
KeySchedule 1648
Control Logic 562
Total 3048
6 Conclusion
We proposed a block cipher HIGHT with 64-bit block length and 128-bit key
length. HIGHT was designed to be proper to the implementation in the low-
resource environment such as RFID tag or tiny ubiquitous devices. From security
analysis, we are sure that HIGHT has enough security. Our implementation
circuit processes one HIGHT encryption with 34 clock and requires 3048 gates.
The data throughput of the circuit is about 150.6 Mbps under the operating
frequency 80 MHz.
References
1. National Institute of Standards and Technology (NIST), FIPS-197: Advanced En-
cryption Standard, November 2001. http://www.itl.nist.gov/pspubs/
2. E. Biham, A. Biryukov and A. Shamir, Cryptanalysis of Skipjack reduced to 31
rounds using impossible dierentials, Advances in Cryptology - EUROCRYPT99,
J. Stern, Ed., LNCS 1592, Springer-Verlag, pp. 12-23, 1999.
3. E. Biham, New Types of Cryptanalytic Attack Using Related Keys, Journal of
Cryptology, Volume 7, Number 4, pp. 156171, 1994.
4. E. Biham, O. Dunkelman, N. Keller, The Rectangle Attack Rectangling the
Serpent, Advances in Cryptology EUROCRYPT 2001, LNCS 2045, Springer-
Verlag, pp. 340357, 2001.
5. E. Biham, O. Dunkelman, N. Keller, New Results on Boomerang and Rectangle
Attacks, FSE 2002, LNCS 2365, Springer-Verlag, pp. 116, 2002.
6. E. Biham, A. Shamir, Dierential Cryptanalysis of the Data Encryption Stan-
dard, Springer-Verlag, 1993.
7. A. Biryukov, D. Wagner, Slide Attacks, Advances in Cryptology FSE99, LNCS
1687, Springer-Verlag, pp. 244-257, 1999.
8. A. Biryukov, D. Wagner, Advanced Slide Attacks, Advances in Cryptology
EUROCRYPT 2000, LNCS 1807, Springer-Verlag, pp. 589606, 2000.
9. N. Courtois, J. Pieprzyk, Cryptanalysis of Block Ciphers with Overdened Sys-
tems of Equations, Advances in Cryptology ASIACRYPT 2002, LNCS 2501,
Springer-Verlag, pp. 267287, 2002.
10. J. Daemen, L. Knudsen and V. Rijmen, The Block Cipher SQUARE, FSE97,
LNCS 1267, Springer-Verlag, pp. 137151, 1997.
11. M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, Strong Authentication for
RFID Systems Using the AES Algorithm, CHES04, LNCS 3156, pp. 357370,
Springer-Verlag, 2004.
12. M. Feldhofer, J. Wolkerstorfer, and V. Rijmen, AES Implementation on a Grain of
Sand, IEE Proceedings on Information Security, Volume 152, Issue 1, pp. 1320,
2005.
13. T. Jakoben and L. R. Knudsen, The Interpolation Attack against Block Ciphers,
FSE97, LNCS 1267, Springer-Verlag, pp. 2840, 1997.
14. J. Kelsey, T. Kohno, B. Schneier, Amplied Boomerang Attacks Against Reduced-
Round MARS and Serpent, FSE 2000, LNCS 1978, Springer-Verlag, pp. 7593,
2001.
15. L. R. Knudsen, Truncated and Higher Order Dierential, FSE 94, LNCS 1008,
Springer-Verlag, pp. 229236, 1995.
16. S. Lucks, The Saturation Attack a Bait for Twosh, FSE 2001, LNCS 1039,
Springer-Verlag, pp. 189-203, 2001.
17. M. Matsui, Linear Cryptanalysis Method for DES Cipher, Advances in Cryptol-
ogy EUROCRYPT93, T. Helleseth, Ed., LNCS 765, Springer-Verlag, pp. 386
397, 1994.
18. M. Matsui, The First Experimental Cryptanalysis of DES, Advances in Cryp-
tology CRYPTO94, LNCS 839, Springer-Verlag, pp. 111, 1994.
19. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography,
CRC Press, 1996.
20. D. Wagner, The Boomerang Attack, FSE99, LNCS 1636, Springer-Verlag, pp.
156170, 1999.
A Figure of Functions in HIGHT
16 11, 16 10, 16 9, 16 8
( )
i i i i
+ + + +
16 15, 16 14, 16 13, 16 12
( )
i i i i
+ + + +
16 7, 16 6, 16 5, 16 4
( )
i i i i
+ + + +
16 3, 16 2, 16 1, 16
( )
i i i i
+ + +
16 3, 16 2, 16 1, 16
( )
i i i i
SK SK SK SK
+ + +
16 7, 16 6, 16 5, 16 4
( )
i i i i
SK SK SK SK
+ + + +
16 11, 16 10, 16 9, 16 8
( )
i i i i
SK SK SK SK
+ + + +
16 15, 16 14, 16 13, 16 12
( )
i i i i
SK SK SK SK
+ + + +
Bytewise Rotation Bytewise Rotation
Bytewise Rotation
16 11, 16 10, 16 9, 16 8
( )
i i i i
+ + + +
16 15, 16 14, 16 13, 16 12
( )
i i i i
+ + + +
16 7, 16 6, 16 5, 16 4
( )
i i i i
+ + + +
16 3, 16 2, 16 1, 16
( )
i i i i
+ + +
16 3, 16 2, 16 1, 16
( )
i i i i
SK SK SK SK
+ + +
16 7, 16 6, 16 5, 16 4
( )
i i i i
SK SK SK SK
+ + + +
16 11, 16 10, 16 9, 16 8
( )
i i i i
SK SK SK SK
+ + + +
16 15, 16 14, 16 13, 16 12
( )
i i i i
SK SK SK SK
+ + + +
Bytewise Rotation Bytewise Rotation
Bytewise Rotation
Fig. 2. Subkey generation of HIGHT key schedule
F0
?
?
F1
?
F0
?
F1
?
? ? ? ? ? ? ?
Xi,0
Xi1,7 Xi1,6 Xi1,5 Xi1,4 Xi1,3 Xi1,2 Xi1,1 Xi1,0
?
SK4i1
? ?
SK4i2 SK4i3
?
SK4i4
Xi,7 Xi,6 Xi,5 Xi,4 Xi,3 Xi,2 Xi,1
Fig. 3. The i-th RoundFunction of HIGHT for i = 1, , 32