To evaluate the security of μ2 algorithm in impossible differential cryptanalysis,a 9-round impossible differen-tial distinguisher of μ2 algorithm was constructed based on matrix method and meet-in-the middle technique firstly.Then,with the utilization of key-bridge technique,a 13-round key recovery attack was presented to μ2 algorithm by expanding the 9-round distinguisher forward and backward 2 rounds,respectively.The results show that the master key can be re-covered 45 bit in the attack,the data complexity of plaintexts is 242.5,and the time complexity of 13 rounds of algorithm encryptions is 265.3.Compared with the previous research,the study achieves the longest attack rounds,and the data com-plexity is effectively reduced.
万方数据