
Improved Attack On Reduced-Round SPARX-128

Posted on: 2020-12-12  Degree: Master  Type: Thesis
Country: China  Candidate: M Y Zhang  Full Text: PDF
GTID: 2428330572489122  Subject: Information security
Abstract/Summary:
SPARX is a family of ARX-based block ciphers designed according to the long trail design strategy (LTS), proposed at ASIACRYPT'16. The wide-trail design strategy (WTS), which is at the basis of many S-box based ciphers, including the AES, is not suitable for ARX designs due to the lack of S-boxes in the latter. In the specification of SPARX, the authors addressed this limitation by proposing the LTS, a dual of the WTS that is applicable (but not limited) to ARX constructions. In contrast to the WTS, which prescribes the use of small and efficient S-boxes at the expense of heavy linear layers with strong mixing properties, the LTS advocates the use of large (ARX-based) S-boxes together with sparse linear layers. With the help of the so-called long-trail argument, a designer can bound the maximum differential and linear probabilities for any number of rounds of a cipher built according to the LTS. SPARX-128/128 and SPARX-128/256 are two versions of this family with block size 128 and key size 128/256. SPARX has 32-bit ARX-based S-boxes and provable bounds against differential and linear cryptanalysis.

In the specification of SPARX, the designers provided an integral attack on 24-round SPARX-128/256 with a 21-round distinguisher. At SAC'17, Tolba et al. presented key recovery attacks on 22-round SPARX-128/128 and 25-round SPARX-128/256. They proposed a zero-correlation distinguisher that covers 5 steps (20 rounds) for both variants of SPARX-128. Then, using specific linear masks at its output and utilizing some properties of the employed linear layer and S-box, they extended this distinguisher to 5.25 steps (21 rounds). By exploiting some properties of the key schedule, they extended the 20-round distinguisher by 4 rounds to present a 24-round multidimensional zero-correlation attack against SPARX-128/256. The 24-round attack was then extended to a 25-round zero-correlation attack against SPARX-128/256 with the full codebook by using the developed 21-round distinguisher. In addition, they extended the 21-round distinguisher by one round to launch a 22-round multidimensional zero-correlation attack against SPARX-128/128. However, the cryptanalysis of 25-round SPARX-128/256 requires the whole codebook, which is sometimes considered a trivial attack in cryptography. They also attacked 24-round SPARX-128/256 with impossible differential cryptanalysis.

In this thesis, we propose a key recovery attack on 23-round SPARX-128/128 with a variant of the 21-round zero-correlation distinguisher, which can reduce the number of guessed subkey bits. In terms of the number of rounds, our attack on 23-round SPARX-128/128 is the best attack compared with existing results at present. For the purpose of reducing data complexity, we give a key recovery attack on 25-round SPARX-128/256 with a variant of the 20-round zero-correlation distinguisher, which has data complexity less than the whole codebook required for the previous attack. By transforming an extended 20-round zero-correlation distinguisher into an integral distinguisher, we are able to mount an integral attack on 24-round SPARX-128/256. Compared with the existing integral attack, both the time and memory complexities are significantly decreased, though the data complexity is increased a little.
Keywords/Search Tags:SPARX, ARX, Zero-Correlation, Integral