Computational Security Evaluation of Light-Weight Block Cipher Against Integral Attack by GPGPU

Integral distinguisher is the main factor of integral attack. In the conventional search strategy of integral distinguisher (ID), there are two steps. In the first step, first order ID is obtained. In the second step, first order ID is extended by increasing the order. We find it is problematic to apply the conventional strategy for Feistel ciphers whose number of sub blocks N is large such as TWINE and LBlock (N = 16). To solve the problem, we propose new search strategy which has large search scope and feasibility in realistic computational condition. By the reduction of the computational complexity, it is reduced from O((_n^N)×(2^mn)) to O(N×2^mn). And for the acceleration of the experiment, we use GPGPU (general-purpose computing on graphics processing units) platform. By using GPGPU platform, we can test substantially higher order ID than existing CPU platform. We execute computer experiment to discover the precise fifteenth order ID of TWINE and LBlock by proposal strategy. As a result, we find new fifteenth order ID which has 8 balanced sub blocks (32-bit) after 15-round encryption both in TWINE and LBlock. These results are the most precise evaluatiPon of TWINE and LBlock.