Note on Impossible Differential Attacks
Abstract
While impossible differential cryptanalysis is a well-known and popular cryptanalytic method, errors in the analysis are often discovered and many papers in the literature present flaws. Wishing to solve that, Boura et al. [1] presented at ASIACRYPT'14 a generic vision of impossible differential attacks with the aim of simplifying and helping the construction and verification of this type of cryptanalysis. In particular, they gave generic complexity analysis formulas for mounting such attacks and developed new ideas for optimizing them.
In this paper we carefully study this generic formula and show impossible differential attacks for which the real time complexity is much higher than the formula estimates. In particular, we show that the impossible differential attack against 25-round TWINE-128, presented at FSE'15 by Biryukov et al. [2], actually has a complexity higher than the natural bound of exhaustive search.
Keywords: Truncated impossible differential, Cryptanalysis, Block cipher, TWINE, Complexity
1 Introduction
Impossible differential cryptanalysis, which was independently introduced by Knudsen [3] and Biham et al. [4], is a well-known and popular cryptanalytic method. Unlike differential attacks [5], which exploit differential characteristics of high probability, impossible differential cryptanalysis uses differentials that occur with probability zero in order to eliminate the key candidates leading to such impossible transitions. The first step in mounting an impossible differential attack is to find an impossible differential covering a large number of rounds. This procedure has been extensively studied and several approaches have been proposed to derive such impossible transitions efficiently [6, 7, 8]. Once an impossible differential has been chosen and placed, one uses it to restrict the possible values of some key bits involved in the outer rounds. Indeed, if a candidate key partially encrypts/decrypts a given pair to the impossible differential, then this key is wrong. In this way, we discard as many wrong keys as possible and exhaustively search the rest of the keys. The attack is usually organized with the early abort technique [9], introduced by Lu et al. at CT-RSA 2008, originally to improve impossible differential attacks against Camellia and MISTY1. With this technique, one does not guess all the involved key material at once but step by step, discarding unwanted pairs as soon as possible to reduce the time complexity of the whole procedure.
While the attack principle is rather clear, errors in the analysis are often discovered and many papers in the literature present flaws [9, 10, 11, 12]. These flaws include errors in the computation of the time or the data complexity, in the analysis of the memory requirements or of the complexity of some intermediate steps of the attacks. Wishing to solve that, Boura et al. [1] presented at ASIACRYPT'14 a generic vision of impossible differential attacks with the aim of simplifying and helping the construction and verification of this type of cryptanalysis. In particular, they gave generic complexity analysis formulas for mounting such attacks and developed new ideas for optimizing them. These advances led to the improvement of previous attacks against well-known ciphers such as CLEFIA-128 and Camellia, as well as to new attacks against 23-round LBlock and all members of the Simon family.
Our Contribution. In this paper we carefully study the early abort technique of Lu et al. and the generic formula of Boura et al. In particular, we build impossible differential attacks against a toy cipher for which the real time complexity is much higher than the formula estimates. Then we describe an algorithm that searches for the optimal complexity of impossible differential attacks under the early abort technique. We finally apply it to the attack of Biryukov et al. [2] presented at FSE'15 against round-reduced TWINE-128 [13] and show that its complexity is higher than the natural bound of exhaustive search.
Organization of the Paper. In Sect. 2 we introduce the notations and give the formula of Boura et al. In Sect. 3 we highlight the computational problem behind the early abort technique and provide simple examples for which the real complexity is far from the one given by the formula. Finally, in Sect. 4 we describe the algorithm we used to show that the complexity of the impossible differential attack against 25-round TWINE-128 by Biryukov et al. was underestimated and is actually higher than \(2^{128}\).
2 Preliminaries
2.1 Impossible Differential Attacks
We first briefly recall how an impossible differential attack is constructed and introduce our notations (for the sake of simplicity we use exactly the same ones as in [1]).
Mounting an impossible differential attack starts by splitting the cipher E into three parts \(E = E_3 \circ E_2 \circ E_1\) and by finding an impossible differential transition \((\varDelta _X \nrightarrow \varDelta _Y)\) through \(E_2\). Then \(\varDelta _X\) (resp. \(\varDelta _Y\)) is propagated through \(E_1^{-1}\) (resp. \(E_3\)) with probability 1 to obtain \(\varDelta _{in}\) (resp. \(\varDelta _{out}\)). We denote by \(c_{in}\) and \(c_{out}\) the \(-\log _2\) of the probability of the transitions \(\varDelta _{in} \rightarrow \varDelta _X\) and \(\varDelta _{out} \rightarrow \varDelta _Y\) respectively, i.e. the number of bit conditions that a pair must satisfy. Finally we denote by \(k_{in}\) and \(k_{out}\) the key materials involved in those transitions. All in all, the attack consists in discarding the keys k for which at least one pair follows the characteristic through \(E_1\) and \(E_3\), and in exhaustively searching the remaining ones.
2.2 A Generic Formula
Boura et al. [1] give the following estimates of the complexities of an impossible differential attack, where \(\alpha\) is a parameter of the attack, \(N_\alpha\) the number of pairs used, \(C_{N_\alpha}\) the cost of obtaining them and \(C_{E'}\) the ratio between the cost of the partial encryptions/decryptions and that of a full encryption:

data: \(C_{N_\alpha }\)

memory: \( N_\alpha \)

time: \( C_{N_\alpha } + \left( 1 + 2^{\left| k_{in} \cup k_{out} \right| - c_{in} - c_{out}} \right) N_{\alpha } C_{E^{\prime }} + 2^{\vert k \vert - \alpha } \)

This formula was given without proof, but the authors claimed that “it approximates really well the actual time complexity, as it can be seen in the applications, and in particular, in the tight correspondence shown between the LBlock estimation and the exact calculation from [14]”.
3 Counter-Examples
3.1 The Problem
With the early abort technique, the involved key material \(k_{in} \cup k_{out}\) is split into \(b\) chunks \(k_1, \ldots, k_b\) which are guessed one after the other, in an order given by a permutation \(\sigma\), and the pairs are filtered after each guess:
 0. Discard pairs which cannot follow the impossible differential.
 1. Guess \(k_{\sigma (1)}\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 2. Guess \(k_{\sigma (2)}\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 \(\vdots\)
 b. Guess \(k_{\sigma (b)}\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 (c) if all pairs have been discarded then perform an exhaustive search over the remaining key bits.
3.2 A Simple Counter-Example
Recall that in the AES [15] the 128-bit internal state is seen as a \(4\times 4\) matrix of bytes, each byte being an element of the finite field \(GF(2^8)\). A round is composed of the following operations:

AddRoundKey (AK) adds a 128-bit subkey to the state,

SubBytes (SB) applies the same 8-bit to 8-bit invertible S-box S 16 times in parallel, once on each byte of the state,

ShiftRows (SR) shifts the i-th row left by i positions,

MixColumns (MC) replaces each of the four columns C of the state by \(M\times C\), where M is a constant \(4\times 4\) maximum distance separable matrix over \(GF(2^8)\).

Consider first the case where the four subkey bytes \(k_0\), \(k_5\), \(k_{10}\) and \(k_{15}\) involved in the attack are independent and are guessed one after the other with the early abort technique:
 1. Guess \(k_0\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 2. Guess \(k_5\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 3. Guess \(k_{10}\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
 4. Guess \(k_{15}\)
 (a) partially encrypt/decrypt pairs
 (b) discard pairs which cannot follow the impossible differential.
Related Key Bytes. Let us now study the cases where \(k_0\), \(k_5\), \(k_{10}\) and \(k_{15}\) are related by one linear equation, so that they can assume only \(2^{24}\) values instead of \(2^{32}\). In that case the generic formula estimates the complexity to \((1 + 2^{24 - 24}) \cdot N \cdot S_E^{-1} = 2 \cdot N \cdot S_E^{-1}\), independently of the linear relation. Depending on the linear relation and on the order in which the bytes are guessed, the early abort technique actually leads to the following complexities:

\((2^8 + 2^{8 - 3} + 2^{8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{8.9} \cdot N \cdot S_E^{-1}\)

\((2^8 + 2^{8 + 8 - 3} + 2^{8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{13.1} \cdot N \cdot S_E^{-1}\)

\((2^8 + 2^{8 + 8 - 3} + 2^{8 + 8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{14.6} \cdot N \cdot S_E^{-1}\)

\((2^8 + 2^{8 + 8 - 3} + 2^{8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{13.1} \cdot N \cdot S_E^{-1}\)

\((2^8 + 2^{8 + 8 - 3} + 2^{8 + 8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{14.6} \cdot N \cdot S_E^{-1}\)

\((2^8 + 2^{8 + 8 - 3} + 2^{8 + 8 + 8 - 3 - 7} + 2^{8 + 8 + 8 - 3 - 7 - 7}) \cdot N \cdot S_E^{-1} \approx 2^{14.6} \cdot N \cdot S_E^{-1}\)

The first order is clearly the best one, as it leads to a much smaller complexity. Thus the real complexity of the attack is \(2^{8.9} \cdot N \cdot S_E^{-1}\), higher than the estimated one by a factor \(2^{7.9}\). We note that the deviation from the expected complexity is bigger than in the independent subkey bytes case.
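As an added worked example (not part of the original note), the following Python models the early abort procedure of Sect. 3.1 for the toy attack of this section and enumerates all 24 guess orders. It assumes the cost model in which step i costs \(2^{G_i - F_{i-1}} \cdot N \cdot S_E^{-1}\), where \(G_i\) is the number of key bits enumerated up to step i and \(F_{i-1}\) the number of bits of filtering applied before it; it takes the per-step filters 3, 7, 7, 7 from the complexity terms above, and it instantiates the "one linear equation" as a relation tying \(k_5\) to \(k_0\) (an assumption made to reproduce the numbers above; the page does not say which bytes the equation links). The formula's order-independent factor \(1 + 2^{|k_{in} \cup k_{out}| - c_{in} - c_{out}}\) is computed alongside for comparison.

```python
from itertools import permutations
from math import log2

# Toy attack of Sect. 3.2: four 8-bit subkey bytes k_0, k_5, k_10, k_15.
CHUNKS = {"k0": 8, "k5": 8, "k10": 8, "k15": 8}

# Bits of filtering obtained after each successive guess (3 after the first
# guessed byte, then 7 after each of the next three; c_in + c_out = 24), as
# read off the page's complexity terms.
STEP_FILTERS = (3, 7, 7, 7)

# Assumed instance of the page's "one linear equation": k_5 is fixed by k_0
# (and vice versa), so whichever of the two is guessed second costs no new bits.
RELATED = {"k0": {"k5"}, "k5": {"k0"}}


def early_abort_log2_cost(order, chunks, step_filters, determined_by=None):
    """log2 of the early-abort cost of one guess order, in units of N * S_E^{-1}.

    Step i costs 2^{G_i - F_{i-1}}: 2^{G_i} key candidates enumerated so far,
    each partially encrypting the N * 2^{-F_{i-1}} pairs that survived the
    filters applied before this step.
    """
    determined_by = determined_by or {}
    guessed_bits, filtered_bits, known = 0, 0, set()
    log2_terms = []
    for step, name in enumerate(order):
        fixed = name in determined_by and determined_by[name] <= known
        if not fixed:
            guessed_bits += chunks[name]      # new key bits to enumerate
        known.add(name)
        log2_terms.append(guessed_bits - filtered_bits)
        filtered_bits += step_filters[step]   # pairs discarded after this guess
    return log2(sum(2.0 ** t for t in log2_terms))


def boura_log2_estimate(key_bits, cond_bits):
    """log2 of the order-independent factor (1 + 2^{|k_in U k_out| - c_in - c_out})
    of the generic formula, in the same units."""
    return log2(1 + 2.0 ** (key_bits - cond_bits))


def all_orders(chunks, step_filters, determined_by=None):
    """(log2 cost, order) for every permutation of the key chunks, cheapest first."""
    return sorted(
        (early_abort_log2_cost(order, chunks, step_filters, determined_by), order)
        for order in permutations(chunks)
    )


def best_order(chunks, step_filters, determined_by=None):
    return all_orders(chunks, step_filters, determined_by)[0]


if __name__ == "__main__":
    estimate = boura_log2_estimate(24, 24)          # 2^24 key values, 24-bit filter
    costs = all_orders(CHUNKS, STEP_FILTERS, RELATED)
    print(f"generic formula: 2^{estimate:.1f} N S_E^-1")
    print(f"best order {costs[0][1]}: 2^{costs[0][0]:.1f}, "
          f"deviation 2^{costs[0][0] - estimate:.1f}")
    print(f"worst order {costs[-1][1]}: 2^{costs[-1][0]:.1f}")
```

Under these assumptions the 24 orders collapse to the three costs \(2^{8.9}\), \(2^{13.1}\) and \(2^{14.6}\) listed above, according to whether the second byte of the related pair is guessed second, third or fourth, while the generic formula returns 2 for all of them. The same functions run unchanged on any number of chunks, any filter profile and any set of relations, which is what makes the order-dependence of Sect. 3.3 visible.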
3.3 Remarks
These results highlight some issues with the generic formula of Boura et al. Firstly, there exist impossible differential attacks for which the estimated time complexity is too optimistic, and thus attacks with an estimated time complexity close to the natural bound may actually not be faster than exhaustive search. Secondly, the formula only takes into account the number of equations between the involved key bits, while we showed that different equations may lead to different time complexities. In particular, the correct sequence of guesses has to perform the fastest filtering first. Boura et al. seem to assume that the order of the key guesses/filtering does not matter, as if all key bits filtered equally. This is far from being correct, especially in the context of ARX constructions.
4 Application to TWINE
At FSE'15, Biryukov et al. [2] used the formula of Boura et al. to compute the complexity of their impossible differential attack against 25-round TWINE-128 [13]. The attack involves 52 key nibbles which can assume only \(2^{124}\) values instead of \(2^{208}\) thanks to the key schedule, and the resulting time complexity is \(2^{124.5}\) encryptions, very close to the natural bound of exhaustive search. Following the remarks of the previous section, it therefore seems likely that the actual time complexity of this attack is higher than \(2^{128}\), which would make it an invalid attack.
4.1 Description of TWINE
4.2 Biryukov et al.'s Impossible Differential Attack
The difference in the plaintexts has to be zero in 11 nibbles, and \(c_{in} + c_{out} = 16 + 60 = 76\). The key material \(k_{in} \cup k_{out}\) is composed of \(7 + 45 = 52\) round-key nibbles which can assume only \(2^{124}\) values thanks to the key schedule of TWINE-128, as they can all be computed from the whole subkey \(WK_{24}\) except nibble 1.
As a consequence, and according to the formula of Boura et al., the complexities of their attack are \(D = \alpha \cdot 2^{75.5 - 39} \cdot 2^{20} = \alpha \cdot 2^{56.5}\), \(M = \alpha \cdot 2^{75.5}\) and \(T \approx \alpha \cdot 2^{123.5} \cdot C_{E^{\prime }} + 2^{128 - \alpha }\), parametrized by \(\alpha \). As they estimate the ratio \(C_{E^{\prime }}\) to \(52/200 \approx 2^{-1.9}\), the value of \(\alpha \) minimizing the overall complexity is 5.87.
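As an added worked example (not from the original note), the Python below evaluates the generic formula of Sect. 2.2 on the numbers given above for the TWINE-128 attack: \(|k_{in} \cup k_{out}| = 124\) bits, \(c_{in} + c_{out} = 76\), \(|k| = 128\), \(N_\alpha = \alpha \cdot 2^{75.5}\), \(C_{N_\alpha} = \alpha \cdot 2^{56.5}\) and \(C_{E'} = 2^{-1.9}\). It then finds the \(\alpha\) minimizing the time complexity both by a brute-force scan and from the closed-form stationary point of \(T(\alpha) = \alpha A + 2^{|k| - \alpha}\) (the derivation \(\alpha^* = |k| - \log_2 A + \log_2 \ln 2\) is this example's, not the page's). All arithmetic is done on base-2 logarithms, since the quantities exceed \(2^{120}\).

```python
from math import log, log2

# Parameters of the 25-round TWINE-128 attack as given on the page.
KEY_BITS = 124            # |k_in U k_out|: 52 nibbles, but only 2^124 values
COND_BITS = 76            # c_in + c_out = 16 + 60
MASTER_BITS = 128         # |k|
LOG2_N_ALPHA_AT_1 = 75.5  # N_alpha = alpha * 2^75.5
LOG2_DATA_AT_1 = 56.5     # C_{N_alpha} = alpha * 2^56.5
LOG2_CE = -1.9            # C_E' ~ 52/200 ~ 2^-1.9 (ratio estimated by Biryukov et al.)


def log2_add(a, b):
    """log2(2^a + 2^b) computed in the exponent domain."""
    hi, lo = max(a, b), min(a, b)
    return hi + log2(1 + 2.0 ** (lo - hi))


def log2_linear_coeff():
    """log2 of A, where the alpha-linear part of the time complexity is alpha * A:
    A = 2^56.5 + (1 + 2^{124 - 76}) * 2^75.5 * C_E'  (about 2^121.6)."""
    sieve = log2(1 + 2.0 ** (KEY_BITS - COND_BITS)) + LOG2_N_ALPHA_AT_1 + LOG2_CE
    return log2_add(LOG2_DATA_AT_1, sieve)


def log2_data(alpha):
    return log2(alpha) + LOG2_DATA_AT_1


def log2_memory(alpha):
    return log2(alpha) + LOG2_N_ALPHA_AT_1


def log2_time(alpha):
    """log2 of T = C_{N_alpha} + (1 + 2^{k - c}) N_alpha C_E' + 2^{|k| - alpha}."""
    return log2_add(log2(alpha) + log2_linear_coeff(), MASTER_BITS - alpha)


def optimal_alpha_scan(step=0.001, alpha_max=20.0):
    """Brute-force the alpha minimising the time; returns (alpha, log2 T)."""
    best = min((log2_time(i * step), i * step) for i in range(1, int(alpha_max / step)))
    return best[1], best[0]


def optimal_alpha_closed_form():
    """T(alpha) = alpha * A + 2^{|k| - alpha} is convex; dT/dalpha = 0 gives
    alpha* = |k| - log2(A) + log2(ln 2)."""
    alpha = MASTER_BITS - log2_linear_coeff() + log2(log(2))
    return alpha, log2_time(alpha)


if __name__ == "__main__":
    alpha, t = optimal_alpha_closed_form()
    print(f"alpha* = {alpha:.2f}: D = 2^{log2_data(alpha):.1f}, "
          f"M = 2^{log2_memory(alpha):.1f}, T = 2^{t:.1f} encryptions")
```

Both methods return \(\alpha^* \approx 5.87\) and \(T \approx 2^{124.5}\), i.e. the figures quoted above; the curve is very flat around the optimum, so the scan and the closed form agree only to about three decimals. Changing the constants at the top is enough to re-run the same check on another attack evaluated with this formula.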
4.3 Real Complexity of the Attack
Computing the real complexity of Biryukov et al.'s attack seems infeasible at first sight because of the huge number of involved key nibbles. Indeed, there are 52 key nibbles, leading to \(52! \approx 2^{225}\) possible orders for the early abort technique. Thus a naive approach would fail and a cleverer one has to be used.
5 Conclusion
In this paper we have shown that the generic complexity analysis formula presented by Boura et al. at ASIACRYPT'14 does not always give a correct estimate of the time complexity of impossible differential attacks. As evidence we constructed simple counter-examples for which the real complexity is much higher than expected, one reaching a deviation of \(2^{13.6}\) from the formula. As a consequence the formula should be used with caution, in particular when the time complexity is close to the natural bound of exhaustive search.
Although we searched for one, we were unable to find an impossible differential attack for which the real time complexity would be lower than the estimated one. Finding such an attack, or proving that the formula provides a lower bound on the complexity, would be an interesting future work.
Finally we also showed that, when using only the early abort technique, the time complexity of the impossible differential attack against 25-round TWINE-128, presented at FSE'15 by Biryukov et al., is higher than expected, and in particular higher than \(2^{128}\).
References
 1.Boura, C., NayaPlasencia, M., Suder, V.: Scrutinizing and improving impossible differential attacks: applications to clefia, camellia, lblock and simon. In: Proceedings, Part I, Advances in Cryptology  ASIACRYPT 2014–20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., 7–11 December 2014, pp. 179–199 (2014)Google Scholar
 2.Biryukov, A., Derbez, P., Perrin, L.: Differential analysis and meetinthemiddle attack against roundreduced TWINE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 3–27. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 3.Knudsen, L.R.: Deal  a 128bit block cipher. Technical report, Department of Informatics (1998)Google Scholar
 4.Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 5.Biham, E., Shamir, A.: Differential cryptanalysis of deslike cryptosystems. In: CRYPTO 1991 (1991)Google Scholar
 6.Kim, J.S., Hong, S.H., Sung, J., Lee, S.J., Lim, J.I., Sung, S.H.: Impossible differential cryptanalysis for block cipher structures. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 82–96. Springer, Heidelberg (2003)CrossRefGoogle Scholar
 7.Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014)CrossRefzbMATHGoogle Scholar
 8.Wu, S., Wang, M.: Automatic search of truncated impossible differentials for wordoriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 9.Lu, J., Kim, J.S., Keller, N., Dunkelman, O.: Improving the efficiency of impossible differential cryptanalysis of reduced camellia and MISTY1. In: Malkin, T. (ed.) CTRSA 2008. LNCS, vol. 4964, pp. 370–386. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 10.Minier, M., NayaPlasencia, M.: A related key impossible differential attack against 22 rounds of the lightweight block cipher lblock. Inf. Process. Lett. 112(16), 624–629 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 11.Wu, W., Zhang, L., Zhang, W.: Improved impossible differential cryptanalysis of reducedround camellia. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 442–456. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 12.Zhang, W., Han, J.: Impossible differential analysis of reduced round CLEFIA. In: Yung, M., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 181–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 13.Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: 19th International Conference Selected Areas in Cryptography, SAC 2012, Windsor, ON, Canada, 15–16 August 2012, Revised Selected Papers, pp. 339–354 (2012)Google Scholar
 14.Boura, C., Minier, M., NayaPlasencia, M., Suder, V.: Improved impossible differential attacks against roundreduced lblock. IACR Cryptol. ePrint Arch. 2014, 279 (2014)zbMATHGoogle Scholar
 15.NIST: Advanced Encryption Standard (AES), FIPS 197. Technical report, NIST, November 2001Google Scholar
 16.Suzaki, T., Minematsu, K.: Improving the generalized feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 17.Derbez, P., Fouque, P.: Exhausting demirciselçuk meetinthemiddle attacks against reducedround AES. In: Fast Software Encryption  20th International Workshop, FSE 2013, Singapore, 11–13 March 2013, Revised Selected Papers, pp. 541–560 (2013)Google Scholar