Distinguishing Attack on XO-64

Abstract

XO-64 block cipher provides a high performance with small hardware requirement in implementation. It is designed in improvement of high applicability, high flexibility, and high reliability in fast and efficient telecommunication system, based on conception of data-dependent operation (DDO); same as some other ciphers MD-64, KT-64, Eagle-64, Eagle-128...; and substitution permutation network (SPN). Besides achieving high-speed rate in FPGA devices, this cipher also shows high secure against known attacks, such as differential attack, linear attack. In this paper, by constructing related-key differential characteristics with high probability on 6-round reduced XO-64, we explore the possibility to distinguish between a 6-round reduced XO-64 and a 64-bit random permutation. A distinguishing attack on a 6-round reduced XO-64 is proposed, requires complexities of 244 in data, 247 in memory, and 265 in computation time. In future, our attack method is expected to extend to related-key recovery attack on this cipher algorithm, and other ciphers with same type of structure designs so far.