Abstract
A differential attack tries to capture the round keys corresponding to the S-boxes activated by a differential. In this work, we show that for a fixed output difference of an S-box, it may not be possible to distinguish the guessed keys that have a specific difference. We introduce these differences as differential factors. Existence of differential factors can reduce the time complexity of differential attacks and as an example we show that the \(10\), \(11\), and \(12\)-round differential-linear attacks of Dunkelman et al. on Serpent can actually be performed with time complexities reduced by a factor of 4, 4, and 8, respectively.
C. Tezcan—The work of the first author was supported by The Scientific and Technological Research Council of Turkey (TÜBİTAK) under the grant 112E101 titled “Improbable Differential Cryptanalysis of Block Ciphers”.
References
Biham, E., Anderson, R., Knudsen, L.R.: Serpent: a new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, p. 222. Springer, Heidelberg (1998)
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. J. Cryptol. 18(4), 291–311 (2005)
Biham, E., Dunkelman, O., Keller, N.: Linear cryptanalysis of reduced round Serpent. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 16. Springer, Heidelberg (2002)
Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the Serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 340. Springer, Heidelberg (2001)
Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002)
Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, p. 1. Springer, Heidelberg (2002)
Biham, E., Dunkelman, O., Keller, N.: Differential-linear cryptanalysis of Serpent. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 9–21. Springer, Heidelberg (2003)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)
Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3 \(\times \) 3 and 4 \(\times \) 4 S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012)
Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: Spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
Canniere, C.D., Sato, H., Watanabe, D.: Hash function Luffa: Specification. Submission to NIST (Round 2) (2009)
Chaum, D., Evertse, J.H.: Cryptanalysis of DES with a reduced number of rounds: sequences of linear factors in block ciphers. In: Williams, H.C. (ed.) CRYPTO. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1985)
Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)
Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: Nessie proposal: NOEKEON. NESSIE proposal, 27 October 2000
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)
Dunkelman, O., Indesteege, S., Keller, N.: A differential-linear attack on 12-round Serpent. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 308–321. Springer, Heidelberg (2008)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
Helleseth, T. (ed.): Advances in Cryptology - EUROCRYPT 1993. LNCS, vol. 765. Springer, Heidelberg (1994)
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1994)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 388. Springer, Heidelberg (1999)
Kohno, T., Kelsey, J., Schneier, B.: Preliminary cryptanalysis of reduced-round Serpent. In: AES Candidate Conference, pp. 195–211 (2000)
Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994)
Lim, C.H.: Crypton: A new 128-bit block cipher - specification and analysis (1998)
Lim, C.H.: A revised version of CRYPTON - CRYPTON V1.0. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, p. 31. Springer, Heidelberg (1999)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
McLaughlin, J., Clark, J.A.: Filtered nonlinear cryptanalysis of reduced-round Serpent, and the wrong-key randomization hypothesis. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 120–140. Springer, Heidelberg (2013)
National Bureau of Standards: Data Encryption Standard. FIPS PUB 46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C. (15 January 1977)
Nguyen, P.H., Wu, H., Wang, H.: Improving the algorithm 2 in multidimensional linear cryptanalysis. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 61–74. Springer, Heidelberg (2011)
Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
Preneel, B., Takagi, T. (eds.): CHES 2011. LNCS, vol. 6917. Springer, Heidelberg (2011)
Saarinen, M.J.O.: Cryptographic analysis of all 4 \(\times \) 4 S-boxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 118–133. Springer, Heidelberg (2011)
Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: Twofish: A 128-bit block cipher. In: First Advanced Encryption Standard (AES) Conference (1998)
Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)
Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011)
Tezcan, C.: The improbable differential attack: cryptanalysis of reduced round CLEFIA. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 197–209. Springer, Heidelberg (2010)
Tezcan, C.: Improbable differential attacks on PRESENT using undisturbed bits. J. Comput. Appl. Math. 259, 503–511 (2014)
Tezcan, C., Taşkın, H.K., Demircioğlu, M.: Improbable differential attacks on SERPENT using undisturbed bits. In: Poet, R., Rajarajan, M. (eds.) Proceedings of the 7th International Conference on Security of Information and Networks, Glasgow, Scotland, UK, September 9-11, 2014. p. 145. ACM (2014)
Dolmatov, V. (ed.): GOST 28147–89: Encryption, decryption, and message authentication code (MAC) algorithms. Internet Engineering Task Force RFC 5830 (March 2010)
Varıcı, K., Özen, O., Kocair, Ç.: Sarmal: SHA-3 proposal. Submission to NIST (2008)
Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: A bit-slice ultra-lightweight block cipher suitable for multiple platforms. IACR Cryptology ePrint Archive 2014, 84 (2014)
Zheng, Y. (ed.): Advances in Cryptology - ASIACRYPT 2002. LNCS, vol. 2501. Springer, Heidelberg (2002)
Appendices
A Equivalent Definitions with only One Variable
When defining differential factors in Sect. 3, we used two variables \(x\) and \(y\) since they are directly linked to the input pairs in differential cryptanalysis. One can observe that the same definition and theorems of Sect. 3 for bijective S-boxes can be given by using a single variable. We provide them as follows.
Definition 7
\(S\) has a differential factor \(\lambda \) for the output difference \(\mu \) if
for all \(x\).
Proposition 1
Definition 5 is equivalent to Definition 7.
Proof
Since \(S(x)\oplus S(y)=\mu \), we have \(y=S^{-1}(S(x)\oplus \mu )\). Similarly, \(y\oplus \lambda =S^{-1}(S(x\oplus \lambda )\oplus \mu )\) since \(S(x\oplus \lambda )\oplus S(y\oplus \lambda )=\mu \). XORing both equations gives \(\lambda = S^{-1}(S(x)\oplus \mu )\oplus S^{-1}(S(x\oplus \lambda )\oplus \mu )\) and we are done. \(\square \)
Definition 8
\(S\) has a differential factor \(\lambda \) for the output difference \(\mu \) if
for all \(x\).
Proposition 2
Definition 5 is equivalent to Definition 8.
Proof
Let \(y=S(x)\). Then Definition 7 becomes
for all \(y\). Applying the \(S\) operation on both sides of the equation gives
for all \(y\) and we are done. \(\square \)
Thus, Propositions 1 and 2 together prove Theorem 1.
Proposition 3
If \(\lambda _1\) and \(\lambda _2\) are differential factors for an output difference \(\mu \), then \(\lambda _1\oplus \lambda _2\) is also a differential factor for the output difference \(\mu \); i.e., the differential factors \(\lambda _i\) for \(\mu \) form a vector space.
Proof
We have
for all \(x\), by Definition 7. And we have
since \(\lambda _2\) is a differential factor. Thus, we get
for all \(x\) and we are done. \(\square \)
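As an added example (editor's code, not from the paper), the script below computes the differential factors of a 4-bit bijective S-box with Definition 7, cross-checks them against the two-variable Definition 5 and the closure of Proposition 3, and shows the key-recovery consequence stated in the abstract: guesses \(k\) and \(k\oplus \lambda \) accept exactly the same plaintext pairs. The S-box table is Serpent's S0 as recalled from the Serpent specification, which is an assumption to verify; the functions themselves work for any bijective S-box.

```python
# Added example (editor's code, not from the paper): differential factors of a 4-bit
# bijective S-box via Definition 7, cross-checked against Definition 5 and Proposition 3,
# plus the key-recovery consequence: guesses key and key^lam filter identical pairs.
from itertools import product

# Serpent S0 as recalled from the Serpent specification (assumption: verify the table).
SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]

def inverse(sbox):
    """Inverse table S^-1 of a bijective S-box."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def is_factor_def7(sbox, lam, mu):
    """Definition 7: lam == S^-1(S(x)^mu) ^ S^-1(S(x^lam)^mu) must hold for every x."""
    inv = inverse(sbox)
    return all(lam == inv[sbox[x] ^ mu] ^ inv[sbox[x ^ lam] ^ mu]
               for x in range(len(sbox)))

def is_factor_def5(sbox, lam, mu):
    """Definition 5: every pair (x, y) with S(x)^S(y) == mu keeps output difference mu
    after lam is XORed into both inputs."""
    n = len(sbox)
    return all(sbox[x ^ lam] ^ sbox[y ^ lam] == mu
               for x, y in product(range(n), repeat=2) if sbox[x] ^ sbox[y] == mu)

def differential_factors(sbox, mu):
    """All differential factors of sbox for output difference mu (0 is always one)."""
    return [lam for lam in range(len(sbox)) if is_factor_def7(sbox, lam, mu)]

def closed_under_xor(factors):
    """Proposition 3: the factors for a fixed mu form a vector space over GF(2)."""
    return all(a ^ b in factors for a, b in product(factors, repeat=2))

def accepted_plaintexts(sbox, delta, mu, key):
    """Plaintexts p whose pair (p, p^delta) yields output difference mu under guess key."""
    return {p for p in range(len(sbox)) if sbox[p ^ key] ^ sbox[p ^ delta ^ key] == mu}

def keys_indistinguishable(sbox, delta, mu, key, lam):
    """True when guessing key and key^lam accepts exactly the same pairs: the attack
    cannot tell them apart, so only key modulo the factor space needs to be guessed."""
    return (accepted_plaintexts(sbox, delta, mu, key)
            == accepted_plaintexts(sbox, delta, mu, key ^ lam))
```

With the table above, `differential_factors(SERPENT_S0, 4)` returns `[0, 4]`, so a one-bit factor halves the key guesses for that S-box, and `differential_factors(SERPENT_S0, 1)` returns only `[0]`.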
B 3-Round Differentials with Higher Probability
The rounds of the 3-round differential used in the differential-linear attacks of [7, 17] have probabilities \(2^{-5}\), \(2^{-1}\), and \(1\), but the authors observed experimentally that this differential has probability \(2^{-7}\) instead of \(2^{-6}\). We observed that there are 3-round differentials of Serpent with probability \(2^{-5}\) that can be combined with the same linear approximations. The rounds of these differentials have probabilities \(2^{-5}\), \(1\), and \(1\), and for this reason the theoretical and practical probabilities of these differentials coincide. However, these differentials activate six S-boxes in the first round of the attack instead of five, so replacing the original differential with one of them captures four more subkey bits but also increases the time complexity of the attacks by a factor of \(2^{4}\).
Since the data complexity of a differential-linear attack is \(O(p^{-2}q^{-4})\) and replacing the differential results in \(p=2^{-5}\) instead of \(2^{-7}\), one would expect the modified attacks to have data and time complexities reduced by a factor of \(2^{4}\). However, experimental results show that the gain in the modified attacks is at most a factor of \((2^{-0.32})^2\). This is because the transition between the original differential and the linear approximation is far better than expected. For instance, when the original 3-round differential is combined with a 1-round linear approximation of bias \(2^{-5}\), Dunkelman et al. experimentally verified that the 4-round differential-linear path has bias \(2^{-13.75}\) instead of \(2\cdot 2^{-7}\cdot (2^{-5})^2=2^{-16}\). We performed similar experiments on five different 3-round differentials with probability \(2^{-5}\) using \(2^{34}\) pairs; the results are summarized in Table 4.
We replace the original differential with the second one from Table 4 and obtain new 10- and 11-round differential-linear attacks. This change provides a 4-round bias of \(2^{-13.43}\) instead of \(2^{-13.75}\), so the data and time complexity gain in the modified attack is a factor of \((2^{-0.32})^2\). This differential activates six S-boxes instead of five, so we capture four more subkey bits and the time complexity is multiplied by \(2^{4}\). We summarize this modified attack in Table 5. Note that there are two differential factors for this differential, too. Since the rest of our modified attacks are almost identical to the attacks of [17], we refer the interested reader to [17].
© 2015 Springer International Publishing Switzerland
Cite this paper
Tezcan, C., Özbudak, F. (2015). Differential Factors: Improved Attacks on SERPENT. In: Eisenbarth, T., Öztürk, E. (eds) Lightweight Cryptography for Security and Privacy. LightSec 2014. Lecture Notes in Computer Science(), vol 8898. Springer, Cham. https://doi.org/10.1007/978-3-319-16363-5_5
DOI: https://doi.org/10.1007/978-3-319-16363-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16362-8
Online ISBN: 978-3-319-16363-5