Impossible differential cryptanalysis of SPN ciphers

Impossible differential cryptanalysis is a widely used tool for analysing the security of modern block ciphers, and the core of such an attack is the existence of impossible differentials. Currently, most methods for finding impossible differentials are based on the miss-in-the-middle technique and are largely ad hoc. In this study, the authors concentrate on substitution-permutation network (SPN) ciphers whose diffusion layer is defined by a linear transformation P. Based on linear algebra, the authors propose several criteria on P and its inverse P^-1 that characterise the existence of 3- and 4-round impossible differentials. The authors further discuss how these methods can be extended to analyse 5- and 6-round impossible differentials. Using these criteria, impossible differentials for reduced-round Rijndael are found that are consistent with the ones found before. New 4-round impossible differentials are discovered for the block cipher ARIA. Many 4-round impossible differentials are detected for the first time for a kind of SPN cipher that employs the 32x32 binary matrix proposed at ICISC 2006 as its diffusion layer. It is concluded that the linear transformation should be carefully designed in order to protect the cipher against impossible differential cryptanalysis.
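
As an added illustration that is not part of the paper, the following Python code carries out the miss-in-the-middle computation the abstract refers to for a word-oriented SPN whose diffusion layer is a binary matrix P over GF(2): single-word input differences are propagated forward through P, single-word output differences are propagated backward through P^-1, and a word that is surely zero on one side and surely nonzero on the other is a contradiction. The 4-word matrix TOY_P is constructed for the example and is not the diffusion layer of any cipher named above; the round model (bijective word-wise S-boxes followed by P, key addition ignored because it does not change XOR differences) is an assumption of the example, and the closed-form check in four_round_criterion is the example's own integer-matrix formulation of the 2+2-round case, not a statement of the paper's criteria.

```python
"""Miss-in-the-middle search for impossible differentials of a word-oriented SPN.

Assumed model: one round = word-wise bijective S-boxes followed by a diffusion
layer y = P * x over GF(2), where P[j][i] == 1 means input word i is XORed into
output word j.  Only single-word input and output differences are considered.
"""
from itertools import product

ZERO, NONZERO, UNKNOWN = "0", "1", "?"   # truncated-difference status of a word


def gf2_inverse(mat):
    """Invert a binary matrix over GF(2) by Gauss-Jordan elimination."""
    n = len(mat)
    aug = [list(mat[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular over GF(2)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def through_linear_layer(mat, status):
    """Propagate word statuses through y = mat * x, assuming the active input
    words carry independent unknown values (true right after an S-box layer).
    A word is surely zero if no active input feeds it, surely nonzero if exactly
    one surely-nonzero input feeds it, and unknown otherwise (two or more active
    inputs may cancel)."""
    out = []
    for row in mat:
        feeds = [status[m] for m in range(len(row)) if row[m] and status[m] != ZERO]
        if not feeds:
            out.append(ZERO)
        elif len(feeds) == 1 and feeds[0] == NONZERO:
            out.append(NONZERO)
        else:
            out.append(UNKNOWN)
    return out


def single_word(n, i):
    """Difference that is active in word i only."""
    return [NONZERO if j == i else ZERO for j in range(n)]


def find_impossible_differentials(P, rounds_forward, rounds_backward):
    """Return the set of (i, k) such that a difference active only in word i
    cannot become a difference active only in word k after
    rounds_forward + rounds_backward rounds.  The forward pattern after the
    P-layer of round rounds_forward and the backward pattern before the next
    S-layer describe the same state, so ZERO against NONZERO is a contradiction.
    S-box layers (and their inverses) are bijective, so they keep the pattern."""
    n = len(P)
    Pinv = gf2_inverse(P)
    found = set()
    for i, k in product(range(n), repeat=2):
        fwd = single_word(n, i)
        for _ in range(rounds_forward):
            fwd = through_linear_layer(P, fwd)
        bwd = single_word(n, k)
        for _ in range(rounds_backward):
            bwd = through_linear_layer(Pinv, bwd)
        if any({a, b} == {ZERO, NONZERO} for a, b in zip(fwd, bwd)):
            found.add((i, k))
    return found


def four_round_criterion(P):
    """Closed form for the 2+2 split, stated on P and P^-1 only: over the
    integers (not GF(2)), (P*P)[j][i] counts the active words feeding word j
    two rounds after a single active word i, so 0 means surely zero and 1 means
    surely nonzero; the same holds for P^-1 * P^-1 on the decryption side."""
    n = len(P)
    Pinv = gf2_inverse(P)

    def int_square(M):
        return [[sum(M[j][m] * M[m][i] for m in range(n)) for i in range(n)]
                for j in range(n)]

    PP, QQ = int_square(P), int_square(Pinv)
    return {(i, k) for i in range(n) for k in range(n)
            if any({PP[j][i], QQ[j][k]} == {0, 1} for j in range(n))}


# Constructed 4-word toy diffusion matrix, invertible over GF(2); it is not the
# diffusion layer of any real cipher.
TOY_P = [
    [1, 1, 0, 0],
    [0, 1, 1, 0],
    [0, 0, 1, 1],
    [1, 0, 1, 1],
]

if __name__ == "__main__":
    ids4 = find_impossible_differentials(TOY_P, 2, 2)
    print("4-round impossible differentials (input word -> output word):", sorted(ids4))
    print("closed-form criterion agrees:", ids4 == four_round_criterion(TOY_P))
    print("3-round (2+1 split):", sorted(find_impossible_differentials(TOY_P, 2, 1)))
```

For TOY_P the search reports exactly one 4-round impossible differential, from word 3 to word 2: two rounds forward leave word 0 surely zero, while two rounds backward from an output difference in word 2 leave word 0 surely nonzero. Longer truncated paths (the 5- and 6-round extensions the abstract mentions) can be explored by changing the round split, but the propagation rule only tracks the three statuses above and never uses properties of particular S-boxes or multi-word differences, so it reports a subset of what a finer analysis could find.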