Differential Factors: Improved Attacks on SERPENT

Abstract

A differential attack tries to capture the round keys corresponding to the S-boxes activated by a differential. In this work, we show that for a fixed output difference of an S-box, it may not be possible to distinguish the guessed keys that have a specific difference. We introduce these differences as differential factors. Existence of differential factors can reduce the time complexity of differential attacks and as an example we show that the \(10\), \(11\), and \(12\)-round differential-linear attacks of Dunkelman et al. on Serpent can actually be performed with time complexities reduced by a factor of 4, 4, and 8, respectively.

C. Tezcan—The work of the first author was supported by The Scientific and Technological Research Council of Turkey (TÜBİTAK) under the grant 112E101 titled “Improbable Differential Cryptanalysis of Block Ciphers”.

Appendices

A Equivalent Definitions with only One Variable

When defining differential factors in Sect. 3, we used two variables \(x\) and \(y\) since they are directly linked to the input pairs in differential cryptanalysis. One can observe that the same definition and theorems of Sect. 3 for bijective S-boxes can be given by using a single variable. We provide them as follows.

Definition 7

\(S\) has a differential factor \(\lambda \) for the output difference \(\mu \) if

$$\begin{aligned} S^{-1}(S(x)\oplus \mu )\oplus \lambda =S^{-1}(S(x\oplus \lambda )\oplus \mu ) \end{aligned}$$

for all \(x\).

Proposition 1

Definition 5 is equivalent to Definition 7.

Proof

Since \(S(x)\oplus S(y)=\mu \), we have \(y=S^{-1}(S(x)\oplus \mu )\). Similarly, \(y\oplus \lambda =S^{-1}(S(x\oplus \lambda )\oplus \mu )\) since \(S(x\oplus \lambda )\oplus S(y\oplus \lambda )=\mu \). XORing both equations gives \(\lambda = S^{-1}(S(x)\oplus \mu )\oplus S^{-1}(S(x\oplus \lambda )\oplus \mu )\) and we are done.    \(\square \)

Definition 8

\(S\) has a differential factor \(\lambda \) for the output difference \(\mu \) if

$$\begin{aligned} S(S^{-1}(x)\oplus \lambda )\oplus \mu =S(S^{-1}(x\oplus \mu )\oplus \lambda ) \end{aligned}$$

for all \(x\).

Proposition 2

Definition 5 is equivalent to Definition 8.

Proof

Let \(y=S(x)\). Then the Definition 7 becomes

$$\begin{aligned} S^{-1}(y\oplus \mu )\oplus \lambda =S^{-1}(S(S^{-1}(y)\oplus \lambda )\oplus \mu ) \end{aligned}$$

for all \(y\). Applying the \(S\) operation on both sides of the equation gives

$$\begin{aligned} S(S^{-1}(y\oplus \mu )\oplus \lambda )=S(S^{-1}(y)\oplus \lambda )\oplus \mu \end{aligned}$$

for all \(y\) and we are done.    \(\square \)

Thus, Propositions 1 and 2 prove the Theorem 1.

Proposition 3

If \(\lambda _1\) and \(\lambda _2\) are differential factors for an output difference \(\mu \), then \(\lambda _1\oplus \lambda _2\) is also differential factor for the output difference \(\mu \). i.e. All differential factors \(\lambda _i\) for \(\mu \) forms a vector space.

Proof

We have

$$\begin{aligned} S^{-1}(S(x)\oplus \mu )\oplus \lambda _1=S^{-1}(S(x\oplus \lambda _1)\oplus \mu ) \end{aligned}$$

for all \(x\), by Definition 7. And we have

$$\begin{aligned} S^{-1}(S(x\oplus \lambda _1)\oplus \mu )\oplus \lambda _2=S^{-1}(S(x\oplus \lambda _1+\lambda _2)\oplus \mu ) \end{aligned}$$

since \(\lambda _2\) is a differential factor. Thus, we get

$$\begin{aligned} S^{-1}(S(x)\oplus \mu )\oplus \lambda _2\oplus \lambda _2= S^{-1}(S(x\oplus \lambda _1\oplus \lambda _2)\oplus \mu ) \end{aligned}$$

for all \(x\) and we are done.    \(\square \)

B 3-Round Differentials with Higher Probability

The rounds of the 3-round differential used in the differential-linear attacks of [7, 17] have probabilities \(2^{-5}\), \(2^{-1}\), and \(1\) but the authors observed experimentally that this differential has probability \(2^{-7}\) instead of \(2^{-6}\). We observed that there are 3-round differentials of Serpent with probability \(2^{-5}\) that can be combined with the same linear approximations. The rounds of these differential have probabilities \(2^{-5}\), \(1\), and \(1\) and for this reason, the theoretical and practical probabilities of these differentials are the same. However, these differentials activate six S-boxes at the first round of the attack instead of five. So replacing the original differential with one of them results in capturing four more subkey bits but time complexity of the attacks also increases by a factor of \(2^{4}\).

Since the data complexity of a differential-linear attack is of \(O(p^{-2}q^{-4})\) and replacing the differential result in \(p=2^{-5}\) instead of \(2^{-7}\), one would expect the modified attacks to have data and time complexities reduced by a factor of \(2^{4}\). However, experiment results show that the gain in the modified attacks is at most a factor of \((2^{-0.32})^2\). This is because the transition between the original differential and the linear approximation is far better than expected. For instance, when the original 3-round differential is combined with a 1-round linear approximation of bias \(2^{-5}\), Dunkelman et al. experimentally verified that the 4-round differential-linear path has bias \(2^{-13.75}\), instead of \(2\cdot 2^{-7}\cdot (2^{-5})^2=2^{-16}\). We performed similar experiments on five different 3-round differentials with probability \(2^{-5}\) using \(2^{34}\) pairs and the results are summarized in Table 4.

Table 4. 4-Round biases for 3-round differentials with probability \(2^{-5}\) and 1-round linear approximation with bias \(2^{-5}\).

We replace the original differential with the second one from Table 4 and obtain new 10, and 11 round differential-linear attacks. This change provides a 4-round bias of \(2^{-13,43}\) instead of \(2^{-13.75}\). Thus the data and time complexity gain in the modified attack is a factor of \((2^{-0.32})^2\). This differential activates six S-boxes instead of five so we capture four more subkey bits and the time complexity is multiplied by \(2^{4}\). We summarize this modified attack in Table 5. Note that there are two differential factors for this differential, too. Since the rest of our modified attacks are almost identical to the attacks of [17], we refer the interested reader to [17].

Table 5. 11-Round differential-linear attack with a 3-round differential of probability \(2^{-5}\). Output differences \(\mu =4_x\) and \(\mu =E_x\) that contain differential factors for \(S_1\) are shown in bold. Undisturbed bits are shown in italic.