Distinguisher for Shabal's Permutation Function
暂无分享,去创建一个
In this note we consider the Shabal permutation function P as a block cipher with input Ap,Bp and key C,M and describe a distinguisher with a data complexity of 2 random inputs with a given difference. If the attacker can control one chosen bit of Bp, only 2 21 inputs with a given difference are required on average. This distinguisher does not appear to lead directly to an attack on the full Shabal construction.
[1] Jean-Philippe Aumasson. On the pseudorandomness of Shabal ’ s keyed permutation , 2009 .
[2] Van Assche,et al. A rotational distinguisher on Shabal ’ s keyed permutation and its impact on the security proofs , 2010 .
[3] Christophe Clavier,et al. Indifferentiability with Distinguishers: Why Shabal Does Not Require Ideal Ciphers , 2009, IACR Cryptol. ePrint Arch..