Differential Factors: Improved Attacks on SERPENT

  • Cihangir TezcanEmail author
  • Ferruh Özbudak
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8898)


A differential attack tries to capture the round keys corresponding to the S-boxes activated by a differential. In this work, we show that for a fixed output difference of an S-box, it may not be possible to distinguish the guessed keys that have a specific difference. We introduce these differences as differential factors. Existence of differential factors can reduce the time complexity of differential attacks and as an example we show that the \(10\), \(11\), and \(12\)-round differential-linear attacks of Dunkelman et al. on Serpent can actually be performed with time complexities reduced by a factor of 4, 4, and 8, respectively.


S-box Differential factor Serpent Differential-linear attack 

Supplementary material


  1. 1.
    Biham, E., Anderson, R., Knudsen, L.R.: Serpent: a new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, p. 222. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. J. Cryptol. 18(4), 291–311 (2005)CrossRefzbMATHMathSciNetGoogle Scholar
  3. 3.
    Biham, E., Dunkelman, O., Keller, N.: Linear cryptanalysis of reduced round serpent. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, p. 16. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  4. 4.
    Biham, E., Dunkelman, O., Keller, N.: The rectangle attack - rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 340. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  5. 5.
    Biham, E., Dunkelman, O., Keller, N.: Enhancing differential-linear cryptanalysis. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 254–266. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  6. 6.
    Biham, E., Dunkelman, O., Keller, N.: New results on boomerang and rectangle attacks. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, p. 1. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  7. 7.
    Biham, E., Dunkelman, O., Keller, N.: Differential-linear cryptanalysis of serpent. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 9–21. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  8. 8.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)CrossRefzbMATHMathSciNetGoogle Scholar
  9. 9.
    Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3 \(\times \) 3 and 4 \(\times \) 4 S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 76–91. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  10. 10.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: Spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  12. 12.
    Canniere, C.D., Sato, H., Watanabe, D.: Hash function Luffa: Specification. Submission to NIST (Round 2) (2009)Google Scholar
  13. 13.
    Chaum, D., Evertse, J.H.: Crytanalysis of DES with a reduced number of rounds: sequences of linear factors in block ciphers. In: Williams, H.C. (ed.) CRYPTO. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1985)Google Scholar
  14. 14.
    Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  15. 15.
    Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: Nessie proposal: NOEKEON. NESSIE proposal, 27 October 2000Google Scholar
  16. 16.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    Dunkelman, O., Indesteege, S., Keller, N.: A differential-linear attack on 12-round serpent. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 308–321. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  18. 18.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  19. 19.
    Helleseth, T. (ed.): Advances in Cryptology - EUROCRYPT 1993. LNCS, vol. 765. Springer, Heidelberg (1994) zbMATHGoogle Scholar
  20. 20.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  21. 21.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 388. Springer, Heidelberg (1999) Google Scholar
  22. 22.
    Kohno, T., Kelsey, J., Schneier, B.: Preliminary cryptanalysis of reduced-round Serpent. In: AES Candidate Conference, pp. 195–211 (2000)Google Scholar
  23. 23.
    Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 17–25. Springer, Heidelberg (1994) Google Scholar
  24. 24.
    Lim, C.H.: Crypton: A new 128-bit block cipher - specification and analysis (1998)Google Scholar
  25. 25.
    Lim, C.H.: A revised version of CRYPTON - CRYPTON V1.0. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, p. 31. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  26. 26.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994) Google Scholar
  27. 27.
    McLaughlin, J., Clark, J.A.: Filtered nonlinear cryptanalysis of reduced-round serpent, and the wrong-key randomization hypothesis. In: Stam, M. (ed.) IMACC 2013. LNCS, vol. 8308, pp. 120–140. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  28. 28.
    National Bureau of Standards: Data Encryption Standard. FIPS PUB 46. National Bureau of Standards, U.S. Department of Commerce, Washington D.C., (15 January 1977)Google Scholar
  29. 29.
    Nguyen, P.H., Wu, H., Wang, H.: Improving the algorithm 2 in multidimensional linear cryptanalysis. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 61–74. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  30. 30.
    Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  31. 31.
    Preneel, B., Takagi, T. (eds.): CHES 2011. LNCS, vol. 6917. Springer, Heidelberg (2011)zbMATHGoogle Scholar
  32. 32.
    Saarinen, M.J.O.: Cryptographic analysis of all 4 \(\times \) 4 s-boxes. In: Miri, A., Vaudenay, S. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 7118, pp. 118–133. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  33. 33.
    Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: Twofish: A 128-bit block cipher. In: First Advanced Encryption Standard (AES) Conference (1998)Google Scholar
  34. 34.
    Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008)CrossRefzbMATHGoogle Scholar
  35. 35.
    Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  36. 36.
    Tezcan, C.: The improbable differential attack: cryptanalysis of reduced round CLEFIA. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 197–209. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  37. 37.
    Tezcan, C.: Improbable differential attacks on PRESENT using undisturbed bits. J. Comput. Appl. Math. 259, 503–511 (2014)CrossRefGoogle Scholar
  38. 38.
    Tezcan, C., Taşkın, H.K., Demircioğlu, M.: Improbable differential attacks on SERPENT using undisturbed bits. In: Poet, R., Rajarajan, M. (eds.) Proceedings of the 7th International Conference on Security of Information and Networks, Glasgow, Scotland, UK, September 9-11, 2014. p. 145. ACM (2014)Google Scholar
  39. 39.
    V. Dolmatov (ed.): GOST 28147–89: Encryption, decryption, and message authentication code (MAC) algorithms. In: Internet Engineering Task Force RFC 5830 (March 2010)Google Scholar
  40. 40.
    Varici, K., Özen, O., Çelebi Kocair: Sarmal: Sha-3 proposal. Submission to NIST (2008)Google Scholar
  41. 41.
    Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  42. 42.
    Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: Rectangle: A bit-slice ultra-lightweight block cipher suitable for multiple platforms. IACR Cryptology ePrint Archive 2014, 84 (2014)Google Scholar
  43. 43.
    Zheng, Y. (ed.): Advances in Cryptology - ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501. Springer, Heidelberg (2002)zbMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Mathematics and Institute of Applied MathematicsMiddle East Technical UniversityAnkaraTurkey
  2. 2.Institute of Informatics, CyDeS Cyber Defence and Security LabMiddle East Technical UniversityAnkaraTurkey

Personalised recommendations