
Keyword Search Result

[Keyword] RC6(5hit)

1-5hit
  • Round Addition Using Faults for Generalized Feistel Network

    Hideki YOSHIKAWA  Masahiro KAMINAGA  Arimitsu SHIKODA  

     
    LETTER-Dependable Computing

    Vol: E96-D No:1  Page(s): 146-150

    This article presents a differential fault analysis (DFA) technique using round addition for a generalized Feistel network (GFN) including CLEFIA and RC6. Here the term “round addition” means that the round operation executes twice using the same round key. The proposed DFA needs bypassing of an operation to count the number of rounds such as increment or decrement. To verify the feasibility of our proposal, we implement several operations, including increment and decrement, on a microcontroller and experimentally confirm the operation bypassing. The proposed round addition technique works effectively for the generalized Feistel network with a partial whitening operation after the last round. In the case of a 128-bit CLEFIA, we show a procedure to reconstruct the round keys or a secret key using one correct ciphertext and two faulty ciphertexts. Our DFA also works for DES and RC6.

  • Evaluation of the Security of RC6 against the χ²-Attack

    Atsuko MIYAJI  Yuuki TAKANO  

     
    PAPER-Symmetric Cryptography

    Vol: E90-A No:1  Page(s): 22-28

    Knudsen and Meier applied the χ²-attack to RC6. The χ²-attack recovers a key by using high correlations measured by χ²-value. Up to the present, the success probability of any χ²-attack has not been evaluated theoretically without using experimental results. In this paper, we discuss the success probability of χ²-attack and give the theorem that evaluates the success probability without using any experimental result, for the first time. We make sure the accuracy of our theorem by demonstrating it on both 4-round RC6 without post-whitening and 4-round RC6-8. We also evaluate the security of RC6 theoretically and show that a variant of the χ²-attack is faster than an exhaustive key search for the 192-bit-key and 256-bit-key RC6 with up to 16 rounds. As a result, we succeed in answering such an open question that a variant of the χ²-attack can be used to attack RC6 with 16 or more rounds.

  • Theoretical Analysis of χ² Attack on RC6

    Masahiko TAKENAKA  Takeshi SHIMOYAMA  Takeshi KOSHIBA  

     
    PAPER-Symmetric Cipher

    Vol: E87-A No:1  Page(s): 28-36

    In this paper, we give a theoretical analysis of χ² attack proposed by Knudsen and Meier on the RC6 block cipher. To this end, we propose a method of security evaluation against χ² attack precisely including key dependency by introducing a method "Transition Matrix Computing." Previously, no theoretical security evaluation against χ² attack was known; it has been done by computer experiments. We should note that it is the first result concerning the way of security evaluation against χ² attack is shown theoretically.

  • Cryptanalysis of Reduced-Round RC6 without Whitening

    Atsuko MIYAJI  Masao NONAKA  

     
    PAPER-Symmetric Ciphers and Hash Functions

    Vol: E86-A No:1  Page(s): 19-30

    We investigate the cryptanalysis of reduced-round RC6 without whitening. Up to now, key recovery algorithms against the reduced-round RC6 itself, the reduced-round RC6 without whitening, and even the simplified variants have been infeasible on a modern computer. In this paper, we propose an efficient and feasible key recovery algorithm against reduced-round RC6 without whitening. Our algorithm is very useful for analyzing the security of the round-function of RC6. Our attack applies to a rather large number of rounds. RC6 without whitening with r rounds can be broken with a success probability of 90% by using 2^(8.1r - 13.8) plaintexts. Therefore, our attack can break RC6 without whitening with 17 rounds by using 2^123.9 plaintexts with a probability of 90%.

  • Equivalent Keys in RC6-32/20/176

    Hiroshi MIZUNO  Hidenori KUWAKADO  Hatsukazu TANAKA  

     
    PAPER-Information Security

    Vol: E84-A No:10  Page(s): 2474-2481

    RC6 is a common-key block cipher that was proposed as one of the AES candidates. Although any weakness of RC6 in the use of the confidentiality is not known, Saarinen pointed out the existence of almost equivalent keys in RC6 with 176-byte keys. This means that the Davies-Meyer hash function based on RC6 with 176-byte keys is not a good collision-resistance function. However, Saarinen could not find a precise collision of it. In this paper, we propose a practical method for obtaining a collision of the Davies-Meyer hash function based on RC6-32/20/176. In other words, there exist equivalent user supplied keys in RC6-32/20/176, and it is possible to obtain them practically. This means that the essential key space of RC6-32/20/176 is smaller than the space provided by 176-byte keys. Our computer simulation shows that a collision can be found in about 100 minutes. We should notice that the result of this paper does not affect the security of the AES version of RC6 because RC6-32/20/176 discussed in this paper is different from the parameter of the AES version.