# Improvements for Finding Impossible Differentials of Block Cipher Structures.

1. IntroductionImpossible differential cryptanalysis, introduced by Biham et al. [1] and Knudsen [2] independently, is a special case of differential cryptanalysis that uses differentials with probability zero to sieve the right keys from the wrong keys. It is one of the most powerful attacks for block ciphers and is considered in many block cipher designs [3-10]. The best cryptanalytic results for some block ciphers are obtained by impossible differential cryptanalysis [1, 11]. For example, the currently best attack on the 31-round Skipjack is still the impossible differential cryptanalysis by Biham et al. [1].

The key step in impossible differential cryptanalysis of a block cipher is to find the longest impossible differential. Given two variables [x.sub.1], [x.sub.2] [member of] [F.sup.n.sub.2] , the difference of [x.sub.1] and [x.sub.2] is usually denoted as [increment of x] = [x.sub.1] [direct sum] [x.sub.2]. An impossible differential for an n-subblock block cipher is in the form ([[DELTA].sub.in-] in [??] [[DELTA].sub.out]), where [[DELTA].sub.in] = ([increment of x]1 ,..., [DELTA][x.sub.n]) and [[[DELTA.sub.]out] = ([DELTA][y.sub.1], ..., [DELTA][y.sub.n]). [DELTA]in [??] [DELTA], ... [[DELTA].sub.out]) means the probability of the output difference is [[DELTA].sub.out] after r rounds of a block cipher for an input difference [[DELTA].sub.in] is zero. At the first glance, impossible differentials are obtained manually by observing the block cipher structure. However, since the emergence of impossible differential cryptanalysis, automated techniques for finding impossible differentials have been introduced.

The first automated technique is called the Shrinking method introduced by Biham et al. [1]. This method is simple but very useful. It only considers truncated differentials whose differences distinguish only between zero and arbitrary nonzero difference. Given a block cipher, the adversary first designs a mini version of this block cipher, which scales down the block cipher but preserves the global structure. Then the adversary exhaustively searches for this mini cipher and obtains some truncated impossible differentials. Usually these truncated impossible differentials of the mini cipher remain impossible differentials in the normal version. This method can deal with most block ciphers in the real world. However, it becomes very slow if the number of subblocks of a block cipher is as large as 16, since exhaustive search on the mini version of this type of cipher is still a heavy load for most computers.

The second automated technique is based on the miss in the middle approach. This method combines two differentials, one from the input and the other from the output, both with probability 1. However, these two differentials cannot meet in the middle since they can never be equal in the middle. The U method [12, 13] and the UID method [14] both belong to this category. In the U method and the UID method, the adversary first represents the block cipher structure as a matrix; then given a differential pair ([DELTA]in, [DELTA]out), he calculates the m-round intermediate difference from [DELTA]in forwardly and the (r - m)-round intermediate difference from [A.sub.out] backwardly by the matrix method. If there is a contradiction for these two intermediate differences, then an impossible differential ([DELTA]i[??] [A.sub.out]) is verified. Representing a block cipher by the matrix has been a popular method in impossible differential and integral and zero correlation linear cryptanalysis [8,10,15-20].

In [21], Wu and Wang extend the U-method and UID method to a more generalized method which does not use the miss in the middle approach. They treat the r-round block cipher structure as a system of equations, which describe the propagation behavior of differences in the inner primitives, especially sbox permutations or branch swapping of the block cipher structure. To judge if a truncated differential ([DELTA]in, [DELTA]out) is impossible, they predict information about unknown variables from the known ones iteratively. Finally a truncated differential is verified by checking the constrained conditions in the system. This method is similar to a linear programming method for solving optimization problems.

In [22], Sun et al. show that Wu and Wang's automatic search method can find all impossible differentials of a cipher that are independent of the choices of the inner primitives. However, Wu and Wang's method can only find all truncated impossible differentials since the choice of truncated difference may result in missing some impossible differentials. Wu and Wang's method only considers differences [DELTA]in = ([x.sub.1], ..., [x.sub.n]) and [A.sub.out] = ([y.sub.1], ..., [y.sub.n]), where [x.sub.1] and [y.sub.1] are zero or nonzero values. They assign an indicator to indicate the choice of xi and y, representing by 0 a subblock without difference and by 1 a subblock with a difference. The relationships between nonzero differences have been omitted. For example, [y.sub.i] may be equal to some x, where 1 [less than or equal to] i, [less than or equal to] [mathematical expression not reproducible]n. If some linear constraints between nonzero variables in [DELTA]in and [DELTA]out are needed, Wu and Wang claimed their method could still work by translating all linear constraints into the system of equations. However, this method increases the run complexity and implementation of the search method. Since it changes the equation system for every value of ([DELTA]in, [DELTA]out) and if the relationship between [DELTA]in and [DELTA]out is complicated, the matrix will be very large.

The idea of the UID method is that it represents the differential with symbols and utilizes the propagation property of the linear accumulated symbols. The idea of the Wu-Wang method is to utilize solving linear equations to determine an impossible differential. We show that the Wu-Wang method can be improved by combining the idea of the UID method and Wu-Wang method. Instead of using 1 to represent the nonzero difference, we use a letter symbol to represent a difference and different symbols represent different nonzero values. This method can represent more relationships between these subblocks. For example, if [DELTA]in = (a, 0, 0, a) and [DELTA]out = (a, 0,0, b) for a 4-subblock structure where a and b are different nonzero values, then we have [x.sub.1] = [x.sub.4] = [y.sub.1] and [y.sub.4] [not equal to] [x.sub.1]. In our method, the matrix of the system does not need to be changed with ([DELTA]in, [DELTA]out). We also improve the Wu-Wang method by simplifying the test of whether there are solutions for linear systems. Since the most time consuming part is the matrix operation, our improved method can find more impossible differentials in less time.

We implement the method in java language and apply it to many block cipher structures, including Gen-CAST256 [15], Gen-Skipjack [23], Four-Cell [24], Gen-MARS [12], GenRC6 [23], SMS4 [14], Misty [25], MIBS [26], Camellia* [27], LBlock [28], E2 [29], and SNAKE [30] ones. For these block ciphers, we rediscover all known impossible differentials. Especially for the 8-round MIBS cipher, we find 4 new impossible differentials, which are not listed in Wu and Wang's work. Our improvement largely reduced the run time for finding impossible differentials. In [31], the results for MIBS, LBlock, and E2 are obtained in a few hours on a 2.66 GHz processor with MAGMA package. However, our results for MIBS, LBlock, and E2 are obtained within 10 seconds on a 2.20 GHz processor.

2. Preliminaries

In this section we introduce some basic concepts and notions used in this paper. We first introduce the block cipher structures. Next we review the solvability of a system of linear equations.

2.1. Block Cipher Structures. There are mainly two block cipher structures, which are the Feistel structure and its generalizations and the substitute permutation network (SPN). The round function of most of those structures consists of three basic operations: the sbox look-up, the exclusive or addition (Xor), and the branch swapping, where the only nonlinear component is the sbox look-up operation. In differential cryptanalysis, the Xor differences of plaintext/ciphertext pairs are considered; we omit the key and constant addition since they have no relevance to our analysis. We assume that a block cipher structure has n subblocks (branches), and the input and output differences are denoted by ([DELTA][x.sub.1], ..., [DELTA][x.sub.n]) and ([DELTA][y.sub.1], ..., [DELTA][y.sub.n]), respectively.

2.2. The Solvability of a Linear System. Now we review the basics in linear algebra of determining the solvability of a system of linear equations. Let m, n be two positive integers, m < n; let Ax = b be a system of m linear equations with n variables, where A is m x n matrix over [F.sub.2]; and x = ([x.sub.1], ..., [x.sub.n]) and b = ([b.sub.1], ..., [b.sub.m]) are two bit vectors; then the augmented m x(n +1) matrix B = [A | b] can determine the solvability of the linear system.

A regular method is to deduce the reduced row echelon form (a.k.a. row canonical form) of matrix B by Gauss-Jordan elimination algorithm. The reduced row echelon form of a matrix is unique and denoted by B'. One starts to check B' from the last row to the first, to see if there exists a row in which the first n entries are zeros and the last entry is nonzero. If there are such rows, then the linear system has no solution. For example, if the augmented matrix B of a linear system in reduced row echelon form is

[mathematical expression not reproducible] (1)

where [b.sub.3] is nonzero, then the linear system has no solution.

3. Mathematical Models for Finding IDs of Block Cipher Structures

Our improvement is based on Wu and Wang's method. If the nonlinear sbox [S.sub.i] in a block cipher structure is a permutation, then there is a constraint on the input difference [x.sub.t] and output difference [y.sub.i] for that is, [x.sub.i] and [y.sub.i] can only both be zero or both be nonzero, denoted by [x.sub.i] - [y.sub.i]. The intermediate value of a block cipher structure is called the state. The state is updated with the round structure. In order to find impossible differential for an r-round block cipher structure, we first set differential variables for the states and then transform the r-round block cipher structure into a system of linear equations and constraints, denoted by S. Then for a given differential ([DELTA]in, [DELTA]out), where [DELTA]in = ([a.sub.1], ..., [a.sub.n]) and [DELTA]out = ([b.sub.1], ..., [b.sub.n]), we can check if it is impossible by solving S with initial values ([a.sub.1], ..., an , [b.sub.1], ..., [b.sub.n]); if S has no solution, then [DELTA]in [DELTA]out.

Here we take the 5-round Feistel structure as an example. We first assign differential variables for 5-round Feistel structure. In Figure 1, [F.sub.i], 1 [less than or equal to] i [less than or equal to]5 are permutations; the output difference of F; for input difference [X.sub.i] is [Y.sub.i]; thus [X.sub.i] ~ [Y.sub.i]. According to the computation graph of 5-round Feistel structure, we obtain the following system S of equations and constraints:

[mathematical expression not reproducible] (2)

In order to checkif (a, 0) [right arrow] (a, 0) is an impossible differential where a is a nonzero value, we solve the above system with [X.sub.0] = a, [X.sub.1] = 0, [X.sub.5] = 0, and [X.sub.6] = a. Since [X.sub.1] - [Y.sub.1] and [X.sub.5] - [Y.sub.5] we have [Y.sub.1] = 0 and [Y.sub.5] = 0. From linear equations of S, we get [Y.sub.3] = 0; thus [X.sub.3] = 0 since X3 - Y3; next from linear equations S we obtain [Y.sub.2] = 0; however [X.sub.2] = a and [X.sub.2] - Y2; thus the system S has no solution and (a, 0) [right arrow] (a, 0) is an impossible differential for 5-round Feistel structure.

Now we want to find all impossible differentials for 5-round Feistel structure; we enumerate all the possible differential pairs ([DELTA]in, [DELTA]out) e {(0, a), (a, 0), (a, a), (0, b), (b, 0), (b, b), (b, a), (a, b)}, where a and b are two different nonzero values. For each value of ([DELTA]in, [DELTA]out), we judge if it is an impossible differential; after all cases are tested, we will find all impossible differentials.

Thus the general algorithm for finding all r-round impossible differentials for a block cipher structure is outlined as follows:

(1) Generate all the possible differential pairs ([DELTA]in, [DELTA]out) in a set D.

(2) Assign differential variables according to the computation figure of the r-round block cipher structure. Generate the system S of linear equations and constraints with the differential variables.

(3) For each ([DELTA]in, [DELTA]out) [member of] D, solve the system S with initial value ([DELTA]in, [DELTA]out) and check if S has no solution. If there is no solution, then ([DELTA]in [right arrow] [DELTA]out) is an impossible differential. After all cases are checked we obtain all impossible differentials.

4. The Detailed Algorithm

In this section we describe the detailed algorithm and implementation details.

4.1. Generate All Possible Differential Pairs. We use symbols [a.sub.i], [b.sub.i], 1 [less than or equal to] i [less than or equal to] n, to denote different 2n as the nonzero values. For a block cipher structure, the input difference is ([DELTA][I.sub.1.sub.1] , ..., A[I.sub.n]), where [DELTA][I.sub.i] [member of] {0, [a.sub.1], ..., [a.sub.n]}, and the output difference is ([DELTA][0.sub.1], ..., [DELTA][0.sub.n]), where [DELTA][O.sub.i] [member of] {0, [a.sub.1], ..., [a.sub.n]], [b.sub.1], ..., [b.sub.n]}. Note that the input difference and output difference will not be zero since this will be trivial in differential cryptanalysis. Thus there are total ([(n + 1).sup.n] - 1) x ([(2n + 1).sup.n] - 1) differential pairs. This value is large for many block cipher structures.

However, an impossible differential ([DELTA][I.sub.1], ..., [DELTA][I.sub.n]) [??] ([DELTA][O.sub.1], ..., [DELTA][O.sub.n]) for a block cipher structure is usually simple; that is, there are very few nonzero values in ([DELTA][I.sub.1], ..., [DELTA][I.sub.n]) and ([DELTA][O.sub.1], ..., [DELTA][O.sub.n]). Since the input or output differential are complicate, it will propagate fast due to the round structure of the cipher. Thus it is reasonable to consider simple differential pairs. Actually all the impossible differentials found for block cipher structures in the literature are simple.

In this paper we only consider the input difference ([DELTA][I.sub.1], ..., [DELTA][I.sub.n]), where [DELTA][A.sub.i] [member of] {0, a}, and the output difference ([DELTA][O.sub.1], ..., [DELTA][O.sub.n]), where [DELTA][O.sub.i] [member of] {0, a, b}. Thus there are total (2n - 1)(3" - 1) differential pairs that need to be checked.

4.2. Generate the System S. Given a block cipher structure, we first need to draw the computational figure and assign differential variables, as introduced in the analysis of 5-round Feistel structure. This step is varying according to different block cipher structures. However, since most block cipher structures iterate the same round structure for several times, these variables are regular and easy to implement in a computer program. As in the analysis of 5-round Feistel structure, the input difference of a nonlinear permutation is denoted by variable [X.sub.i] and the output difference is denoted by variable [Y.sub.i]. Thus if we see a variable [Y.sub.i], it must be some output difference of a nonlinear permutation.

For a block cipher structure with r rounds, there are p variables [X.sub.i], 0 [less than or equal to] i [less than or equal to] p, and q numbers of variables [Y.sub.i], 1 [less than or equal to] i [less than or equal to] q. The numbers p and q are determined by the round structure and the round number r. For the r-round Feistel structure, p = r+ 2 and q = r. We first denote all variables in a variable vector as

[bar.X] = ([X.sub.0], ..., [X.sub.p-1], [Y.sub.1], ..., [Y.sub.q]), (3)

and then linear equations in system S can be written as M[bar.X] = 0, where M is a kr x (p + q) matrix over [F.sub.2] and 0 is a (p + q)dimensional zero vector, where k is the number of linear equations in one round of the block cipher structure. The augmented matrix of these linear equations is B = [M | 0]. For the 5-round Feistel structure, the augmented matrix B is denoted in Table 1.

The set of constraints in S can be maintained as a map N. Let id([X.sub.i]) denote the index of the variable [X.sub.t] in vector X; given a constraint [X.sub.i] ~ [Y.sub.i], we add (id([X.sub.i]), id([Y.sub.j])) into the map N. For the 5-round Feistel structure, N = {(1, 7), {2, 8), {3, 9), (4, 10), (5, 11}}. In the real implementation, it is noted that, for most block cipher structures, the distance between constraints [X.sub.i] and [Y.sub.i] is fixed and determined by the round structure and the round number; that is, id([Y.sub.i]) - id([X.sub.i]) is a constant. For example, the distance of constraints [X.sub.i] and [Y.sub.i] for a r-round Feistel structure is r+1. Thus the map N is not needed to be implemented but only the fixed index distance is needed. This observation facilitates the real implementation of the algorithm.

4.3. Determine the Solvability of S. In the beginning, we assign a symbol "?" to each variable in the variable vector X, which means every variable is undetermined. Given a [bar.X], differential pair ([DELTA]in, [DELTA]out), we need to check if there exist solutions of the system S with the initial value ([DELTA]in, [DELTA]out). We first need to initialize the variable vector [bar.X] according to ([DELTA]in, [DELTA]out). As in the 5-round Feistel structure, for a differential pair [DELTA]in = (a,0), [DELTA]out = (a, 0), the variable vector [bar.X] is initialized as follows:

[X.sub.0] [X.sub.1] [X.sub.2] [X.sub.3] [X.sub.4] [X.sub.5] [X.sub.6] a 0 ? ? ? 0 a [Y.sub.1] [Y.sub.2] [Y.sub.3][ [Y.sub.4] [Y.sub.5] ? ? ? ? ?

For a constraint [X.sub.i] ~ [Y.sub.i], the algorithm updates ([X.sub.i], [Y.sub.i]) and detects contradictions [a.sub.1] follows.

(i) The value [X.sub.i] is updated:

(a) If [X.sub.i] = 0 and [Y.sub.i] = ?, then [Y.sub.i] is set to 0.

(b) If [X.sub.i] is a nonzero symbol and Yt = ?, then [Y.sub.t] is set to the nonzero symbol "*."

(c) If [X.sub.i] = 0 and [Y.sub.i] is an nonzero symbol, then we obtain a contradiction.

(ii) The value [Y.sub.i] is updated:

(a) If [Y.sub.i] = 0 and [X.sub.i] = ?, then Xi is set to 0.

(b) If [Y.sub.i] = 0 and [X.sub.i] is an nonzero symbol, then we obtain a contradiction.

We use [direct sum] to denote the symmetrical difference (Xor) of [X.sub.1] and [X.sub.2]. For example, if [X.sub.1] = {[a.sub.1]} and [X.sub.2] = {}, then [X.sub.1] [direct sum] [X.sub.2] = {[a.sub.1], [b.sub.1]}; if [X.sub.1] = {[a.sub.1]} and [X.sub.2] = {0}, then [X.sub.1] [direct sum] [X.sub.2] = {[a.sub.1]}; if [X.sub.1] = {[a.sub.1]} and [X.sub.2] = {[a.sub.1], [b.sub.1], then [X.sub.1] [direct sum] [X.sub.2] = {[b.sub.1]}.

The function UpdateMatrix (B, [bar.X]) updates the augmented matrix B according to the variable vector X. If the ith variable in [bar.X] is 0, then the corresponding ith column of B is set to a zero vector. As in [21], this method keeps solutions of the augmented matrix B unchanged. If [[bar.X].sub.i] is not in the set {0, ?, *}, we check each row of B; if the value of the ith column at the rth row [B.sub.r,i] is 1, then we set Xor [[bar.X.sub.i] to the last element of the rth row of B and set [B.sub.ri] to 0 (Algorithm 1).

ALGORITHM 1: Function UpdateMatrix(B, X). // Update the augmented matrix B according to the variable vector [bar.x] (1) K [left arrow] the size of X; (2) for i [left arrow] 0 to K - 1 do (3) t [left arrow] [bar.X][i]; (4) if t is 0 then (5) Every element of the ith column of B is set to 0. (6) else if t is not "?" and t is not "*" then (7) L [left arrow] the number of rows of * B; (8) for r [left arrow] 0 to L-1 do (9) if B[r, i] is 1 then (10) B[r, i] [left arrow] 0; (11) B[r, K - 1] [left arrow] B[r, K-1] [direct sum] t; (12) end (13) end (14) end (15) end

The function UpdateVector ([bar.X], N, j, J) updates the jth variable [[bar.X].sub.j] with the value /; at the same time all constraints in N are maintained. As described in the beginning of this subsection, the function updates [[bar.X].sub.j] with the value J by checking each constraint in N and returns true if it succeeds or false if there is a contradiction. There are many subcases, as described in the detailed algorithm. During the updating process, there maybe contradictions. For example, if [[bar.X.sub.j] = {a} and J = {a, b} which means J = a [direct sum] b, there is a contradiction since a [direct sum]b can never be a. If J is {0} but the corresponding variable which is the sbox output of [[bar.X].sub.j] is nonzero or J is {0} but the corresponding variable which is the sbox input of [[bar.X].sub.j] is nonzero, there will be contradictions (Algorithm 2).

The function ReducedRowEchelon(B) transforms the i x [kappa] matrix B into the reduced row echelon form by Gauss-Elimination algorithm. Note that every element in the first [kappa]-1 columns of B is in [F.sub.2], while elements in the last column of B are represented by a set of symbols. Thus the Xor operation in the last column of B is the symmetrical difference operation. The readers can refer to [32] for the detailed algorithm of transforming a matrix into the reduced row echelon form.

The detailed algorithm for checking if a differential is impossible is described in Algorithm 3. In Algorithm 3, the variable vector [bar.X] is first initialized according to the differential pair ([DELTA]in, [DELTA]out) and the constraint array N. Then the algorithm continues checks if there is a contradiction with a loop test until B and [bar.X] are not updated any more. During the loop the algorithm first updates B according to [bar.X] by the UpdateMatrix(B, [bar.X]) function and then transforms B into the reduced row echelon form by the ReducedRowEchelon(B) function to see if B has solutions. If B has no solutions, the algorithm obtains a contradiction and stops. Otherwise if there exists a solution for a variable from the reduced row echelon form, the index and the value of the variable are denoted as (j, J). The algorithm updates the variable vector [bar.X] with (],]) by the UpdateVector([bar.X], N, j, J) function; if the updating process returns false, a contradiction is obtained and the algorithm stops; otherwise, the algorithm continues to run.

4.4. Complexity. For the i x k matrix B and the [kappa] - 1 dimension vector [bar.X], the time complexity of the function UpdateMatrix is i x [kappa], the time complexity of the function ReducedRowEchelon is [i.sup.2] x [kappa], and the time complexity of the function UpdateVector is a constant c, while loop continues running k/2 times since there at most k-1 values in X and in each loop either 2 variables are updated or there is a contradiction. Thus the total complexity of the algorithm is (c/2) x [i.sup.2][[kappa].sup.2], where c is a small constant. The space complexity is dominated by storing the matrix B and is about l x [kappa]. The time complexity of the Wu-Wang method is T x [l.sup.2] [[kappa].sup.2] and this T is much larger than our c. The Wu-Wang method stores 3 matrices; thus its space complexity is at least triple our method.

4.5. Comparison with Previous Method. In [31], Wu and Wang proved that the U-method and the UID method are specific cases of the Wu-Wang method. They found that their method can find longer impossible differential for the MIBS cipher than by U-method and the UID method. However, in the UID method, for an impossible differential pair (([DELTA][I.sub.1], ..., [DELTA][I.sub.n]), ([DELTA][O.sub.1], ..., [DELTA][O.sub.n])), the relationship between input variables and output variables is considered since UID method uses symbols to denote values. For example, the UID method considers the relation between [DELTA][I.sub.i] and [DELTA][O.sub.j] and checks if they are equal; however the U-method and Wu-Wang method only use 0 and 1 to denote zero and nonzero values, which omit the relationship between input and output differentials.

ALGORITHM 2: Function UpdateVector([bar.X], N, j, J). // Update the variable vector [bar.X] according to the variable (j,J) where J is the value of the jth variable in [bar.X]. N is the array of constraints. input: the variable vector [bar.X], the constraint array N, (j, J). output: A boolean flag indicates if the update procedure success. (1) flag [left arrow]true; (2) foreach a [member of] N do (3) [k.sub.0] [left arrow] a[0]; [k.sub.1] [left arrow] a[1]; (4) if j is equal to [k.sub.0] then (5) if J [direct sum] [mathematical expression not reproducible] is not 0 then (6) flag [left arrow]false; // Ex. J = a [direct sum] b but [mathematical expression not reproducible] = a, a contradiction. (7) return flag; (8) else if J is 0 and [mathematical expression not reproducible] is ? then (9) if [bar.X][[k.sub.1]] is not 0 then flag [left arrow]false; (10) return flag; (11) end (12) [mathematical expression not reproducible]; (13) else if J is a nonzero value then (14) [mathematical expression not reproducible] (15) end (16) else if j is equal to [k.sub.1] then (17) if J [direct sum] [mathematical expression not reproducible] is not 0 then flag [left arrow]false (18) return flag; (19) else if [mathematical expression not reproducible] is ? and J is 0 then (20) [mathematical expression not reproducible] (21) end (22) end (23) end (24) return flag;

Our improved method combines the advantages of the UID method and Wu-Wang method. Every impossible differential found by the UID method and Wu-Wang method can be found by our improved method. As Wu and Wang's method, impossible differentials found by our improved method must be correct if the algorithm is implemented correctly. Compared with Wu and Wang's method, our improved method is more complete. The symbol representation of a difference can represent more relationships between different difference values. Thus it can find more impossible differentials and the matrix B does not change with different values of ([DELTA]in, [DELTA]out) in the beginning of the algorithm, while, in the Wu-Wang method, to add linear relationships between nonzero values in ([DELTA]in, [DELTA]out), the matrix B must change with different values of ([DELTA]in, [DELTA]out). This will consume more time during the run of the algorithm.

The most time consuming part in the algorithm is the matrix operation. To check if the augmented matrix has any solutions, the Wu-Wang method needs to compute the rank of the matrices M and B. We show that this step is not required since we can check the solvability of the system from the reduced row echelon form of the matrix B, as introduced in the preliminaries section. Thus our improvement largely reduces the search time of finding impossible differentials of a block cipher structure.

5. Applications and Experiment Results

We implement the algorithm in java language and apply it to many block cipher structures, including Gen-CAST256 [33], Misty [25], Gen-Skipjack [23], Four-Cell [24], GenMARS [33], Gen-RC6 [33], SMS4 [34], MIBS [26], Camellia* [27, 31], LBlock [28], E2 [29], and SNAKE [30]. We present the java code of this algorithm and complete impossible differential results in GitHub [35]. To reduce the space of this paper, we present some of the impossible differential results in Table 2. The file Impossible Differential.txt in [35] lists the complete impossible differential results for these block cipher structures. Most impossible differentials discovered by our algorithm are the same as the Wu-Wang method.

Moreover, for the 8-round MIBS, we find new 4 impossible differentials, which are not found by the Wu-Wang method since these 4 new impossible differentials are not simple truncated impossible differentials. MIBS is a 16-subblock Feistel structure with substitution and permutation (SP) round function. In the SP round function, the 8 subblocks are first substituted by 8 sboxes; then an 8x8 matrix is applied as the permutation. The permutation matrix P is

[mathematical expression not reproducible] (4)

ALGORITHM 3: The algorithm for checking an impossible differential. input: A differential pair ([DELTA]in, [DELTA]out) and the system S output: A boolean flag indicates if ([DELTA]in, [DELTA]out) is an impossible differential (1) B is the l x [kappa] augmented matrix of S; (2) [bar.X] is the k-1 dimension variable vector; (3) N is the map of constraints of S; (4) flag [left arrow]false; (5) index [left arrow]true; (6) Initialize every variable in [bar.X] according to ([DELTA]in, [DELTA]out) and the constraints in N; (7) while index do (8) UpdateMatrix (B, [bar.X]) // Update B according to [bar.X]; /* Transform B into the reduced-row-echelon form by Gauss- Jordan Elimination */ (9) ReducedRowEchelon (B); (10) if B has no solution then (11) flag[left arrow]true; (12) break; (13) else (14) index [left arrow] false; (15) count [left arrow] 0; (16) for i [left arrow] i to 1 do (17) [??] [left arrow] Row i of B; (18) if the sum of the first [kappa] - 1 elements of [??] is 1 then (19) j <-- the index of the element 1 in [??]; (20) j [left arrow] the last element of [??]// the solution of the jth variable in [bar.X] (21) /* update the variable vector [bar.X] with (j,J) and return true if there is no contradiction and return false otherwise. */ (22) b [left arrow]UpdateVector ([bar.X], N, j, J); (23) if b is false then (24) flag [left arrow] true; (25) return flag; (26) else (27) index [left arrow] true; (28) end (29) end (30) end (31) end (32) end (33) return flag;

There are total 10 impossible differentials found for 8-round MIBS by our improved algorithm. The new four 8-round impossible differentials found are listed in Table 3.

Compare with Wu and Wang's algorithm, this improvement is more general since it not only finds more impossible differentials for a block cipher structures, but also has better efficiency. The results for MIBS are obtained on a 2.66 GHz processor with MAGMA package in a few hours by Wu and Wang's algorithm [31]. However, our results for MIBS are obtained on a 2.20 GHz processor in java language in less than 10 seconds. Thus, the algorithm presented in this paper is more efficient than Wu and Wang's algorithm.

6. Conclusion

In this paper we improve Wu and Wang's algorithm for finding impossible differentials of block cipher structures. The improved method is more general than Wu and Wang's method where it can find more impossible differentials with less time. We apply this method to many block cipher structures. The experiment results show that this improvement can largely reduce the search time for the impossible differentials of a block cipher, since there are known relationships between impossible differential and integral and zero correlation linear cryptanalysis [22, 36, 37]. This method can be used as a cryptanalytic tool to evaluate the security of a block cipher against these kinds of cryptanalysis.

https://doi.org/10.1155/2017/5980251

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

Yiyuan Luo was supported by NSFC (61402280) and Academic Discipline Project of Shanghai Dianji University (16YSXK04). Xuejia Lai was supported by NSFC (61272440, 61472251, and U1536101), China Postdoctoral Science Foundation (2013M531174, 2014T70417), National Cryptography Development Fund MMJJ20170105, and Science and Technology on Communication Security Laboratory.

References

[1] E. Biham, A. Biryukov, and A. Shamir, "Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials," Journal of Cryptology. The Journal of the International Association for Cryptologic Research, vol. 18, no. 4, pp. 291-311, 2005.

[2] L. R. Knudsen, "DEAL-A 128-bit block cipher," Tech. Rep. 151, Department of Informatics, University of Bergen, 1998.

[3] R. Zong, X. Dong, and X. Wang, "Impossible Differential Attack on Simpira v2," Science China Information Sciences, 2017

[4] L. Cheng, B. Sun, and C. Li, "Revised cryptanalysis for sms4," Science China Information Sciences, vol. 60, no. 12, article 122101, 2017.

[5] Y. Dai and S. Chen, "Cryptanalysis of full PRIDE block cipher," Science China. Information Sciences, vol. 60, no. 5, 052108, 12 pages, 2017.

[6] W. Zhang, Z. Bao, D. Lin, V. Rijmen, B. Yang, and I. Verbauwhede, "RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms," Science China Information Sciences, pp. 1-15, 2015.

[7] G.-Q. Liu and C.-H. Jin, "Algebraic techniques in slender-set differential cryptanalysis of PRESENT-like cipher," Science China Information Sciences, vol. 59, no. 9, Article ID 99104, 2016.

[8] T. Lin, X. Lai, W. Xue, and G. Huang, "Discussion on the theoretical results of white-box cryptography," Science China Information Sciences, vol. 59, no. 11, Article ID 112101, 2016.

[9] Y. Ding, J. Zhao, L. Li, and H. Yu, "Impossible differential analysis on round-reduced PRINCE," Journal of Information Science and Engineering, vol. 33, no. 4, pp. 1041-1053, 2017

[10] W. Wu, L. Zhang, and X. Yu, "The DBlock family of block ciphers," Science China Information Sciences, vol. 58, no. 3, 2015.

[11] C. Boura, M. a. Naya-Plasencia, and V. Suder, "Scrutinizing and improving impossible differential attacks: applications to CLEFIA, Camellia, LBlock and Simon," in Advances in cryptology--ASIACRYPT 2014. Part I, vol. 8873 of Lecture Notes in Comput. Sci., pp. 179-199, Springer, Berlin, Germany, 2014.

[12] J. Kim, S. Hong, J. Sung, S. Lee, J. Lim, and S. Sung, "Impossible differential cryptanalysis for block cipher structures," in Progress in cryptology--INDOCRYPT 2003, vol. 2904 of Lecture Notes in Comput. Sci., pp. 82-96, Springer, Berlin, Germany, 2003.

[13] J. Kim, S. Hong, and J. Lim, "Impossible differential cryptanalysis using matrix method," Discrete Mathematics, vol. 310, no. 5, pp. 988-1002, 2010.

[14] Y. Luo, X. Lai, Z. Wu, and G. Gong, "A unified method for finding impossible differentials of block cipher structures," Information Sciences, vol. 263, pp. 211-220, 2014.

[15] H. Yap, "Impossible differential characteristics of extended feistel networks with provable security against differential cryptanalysis," Communications in Computer and Information Science, vol. 29, pp. 103-121, 2009.

[16] G. Liu, C. Jin, and Z. Kong, "Key recovery attack for PRESENT using slender-set linear cryptanalysis," Science China Information Sciences, vol. 59, no. 3, Article ID 32110, 2016.

[17] R. Zhao, R. Zhang, Y. Li, and B. Wu, "Construction of MDS block diffusion matrices for block ciphers and hash functions," Science China. Information Sciences, vol. 59, no. 9, Article ID 99101, 099101, 3 pages, 2016.

[18] T. P. Berger, M. Minier, and G. Thomas, "Extended generalized Feistel networks using matrix representation," in Selected areas in cryptography--SAC 2013, vol. 8282 of Lecture Notes in Comput. Sci., pp. 289-305, Springer, Berlin, Germany, 2014.

[19] T. P. Berger and M. Minier, "Some results using the matrix methods on impossible, integral and zero-correlation distinguishers for Feistel-like ciphers," in Progress in cryptology--INDOCRYPT 2015, vol. 9462 of Lecture Notes in Comput. Sci., pp. 180-197, Springer, 2015.

[20] C. Blondeau and M. Minier, "Analysis of impossible, integral and zero-correlation attacks on type-II generalized feistel networks using the matrix method," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9054, pp. 92-113, 2015.

[21] S. Wu and M. Wang, "Automatic search of truncated impossible differentials for word-oriented block ciphers," in Progress in cryptology--INDOCRYPT 2012, vol. 7668 of Lecture Notes in Comput. Sci., pp. 283-302, Springer, Heidelberg, 2012.

[22] B. Sun, Z. Liu, V. Rijmen et al., "Links among impossible differential, integral and zero correlation linear cryptanalysis," in Advances in cryptology--CRYPTO 2015. Part I, vol. 9215 of Lecture Notes in Comput. Sci., pp. 95-115, Springer, Berlin, Germany, 2015.

[23] J. Sung, S. Lee, J. Lim, S. Hong, and S. Park, "Provable security for the Skipjack-like structure against differential cryptanalysis and linear cryptanalysis," in Advances in cryptology--ASIACRYPT 2000 (Kyoto),vol. 1976 of Lecture Notes in Comput. Sci., pp. 274-288, Springer, Berlin, Germany, 2000.

[24] J. Choy, G. Chew, K. Khoo, and H. Yap, "Cryptographic properties and application of a generalized unbalanced feistel network structure," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5594, pp. 73-89, 2009.

[25] M. Matsui, "New block encryption algorithm MISTY," in Fast Software Encryption, vol. 1267 of Lecture Notes in Computer Science, pp. 54-68, Springer-Verlag, 1997

[26] M. Izadi, B. Sadeghiyan, S. S. Sadeghian, and H. A. Khanooki, "MIBS: A new lightweight block cipher," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5888, pp. 334-348, 2009.

[27] K. Aoki, T. Ichikawa, M. Kanda et al., "Camellia: a 128-bit block cipher suitable for multiple platforms--design and analysis," in Selected areas in cryptography (Waterloo, ON, 2000), vol. 2012 of Lecture Notes in Comput. Sci., pp. 39-56, Springer, Berlin, Germany, 2001.

[28] W. Wu and L. Zhang, "LBlock: A lightweight block cipher," Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6715, pp. 327-344, 2011.

[29] M. Kanda, S. Moriai, K. Aoki et al., "E2-A new 128-bit block cipher," IEICE Transactions Fundamentals - Special Section on Cryptography and Information Security, vol. E83-A, no. 1, pp. 48-59, 2000.

[30] C. Lee and Y. Cha, "The block cipher: SNAKE with provable resistance against DC and LC attacks," in JW-ISC1997, pp. 3-17, 1997.

[31] S. Wu and M. Wang, "Automatic search of truncated impossible differentials for word-oriented block ciphers," http://eprint.iacr .org/2012/214.pdf.

[32] RosettacodeOrg. How to compute the reduced row echelon form of a matrix. http://rosettacode.org/wiki/ReduceThrow _echelon_form.

[33] S. Moriai and S. Vaudenay, "On the pseudorandomness of top-level schemes of block ciphers," in Advances in cryptology--ASIACRYPT 2000 (Kyoto), vol. 1976 of Lecture Notes in Comput. Sci., pp. 289-302, Springer, Berlin, Germany, 2000.

[34] SMS4. Specication of SMS4, block cipher for WLAN products SMS4. Avaiable at: http://www.oscca.gov.cn/UpFile/200621016423197990.pdf.

[35] Y. Luo, Source codes and results for finding impossible differentials for block cipher structures. https://github.com/ianroo/impossibledifferential.

[36] A. Bogdanov, L. R. Knudsen, G. Leander, F.-X. Standaert, J. Steinberger, and E. Tischhauser, "Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (extended abstract)," in Advances in cryptology--EUROCRYPT 2012, vol. 7237 of Lecture Notes in Comput. Sci., pp. 45-62, Springer, Berlin, Germany, 2012.

[37] C. Blondeau, A. Bogdanov, and M. Wang, "On the (in)equivalence of impossible differential and zero-correlation distinguishers for Feistel- and Skipjack-type ciphers," in Applied Cryptography and Network Security, vol. 8479 of Lecture Notes in Computer Science, pp. 271-288, Springer-Verlag, 2014.

Yiyuan Luo (1) and Xuejia Lai (2,3)

(1) School of Electronics and Information, Shanghai Dian Ji University, Shanghai, China

(2) Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China

(3) Westone Cryptologic Research Center, Beijing 100070, China

Correspondence should be addressed to Yiyuan Luo; luoyy@sdju.edu.cn

Received 30 March 2017; Accepted 17 July 2017; Published 29 August 2017

Academic Editor: Jesus Dlaz-Verdejo

Caption: Figure 1: State variables for 5-round Feistel structure.

Table 1: The 5x13 augmented matrix of 5-round Feistel structure. 0 1 2 3 4 [X.sub.0] [X.sub.1] [X.sub.2] [X.sub.3] [X.sub.4] 1 1 0 1 0 0 2 0 1 0 1 0 3 0 0 1 0 1 4 0 0 0 1 0 5 0 0 0 0 1 5 6 7 8 9 [X.sub.5] [X.sub.6] [Y.sub.1] [Y.sub.2] [Y.sub.3] 1 0 0 1 0 0 2 0 0 0 1 0 3 0 0 0 0 1 4 1 0 0 0 0 5 0 1 0 0 0 10 11 12 [Y.sub.4] [Y.sub.5] 0 1 0 0 0 2 0 0 0 3 0 0 0 4 1 0 0 5 0 1 0 Table 2: Summary of impossible differentials (IDs) of some well-known block ciphers structures found by different methods. Block cipher UID [14] Wu-Wang [31] Gen-Skipjack 16: (0, 0, 0, a) [[??].sub.l6] -- (b, 0, 0, b) Gen-CAST256 19: (0, 0, 0, a) [[??].sub.l9] -- (a, 0, 0, 0) Four-Cell 18: (a, 0, 0, 0) [[??].sub.l8] -- (b, b, 0, 0) Gen-MARS 11: (0, 0, 0, a) [[??].sub.l1] -- (a, 0, 0, 0) Gen-RC6 9: (0, 0, a, 0) [[??].sub.9] -- (0, a, 0,0) (a, 0,0,0) [[??].sub.9] (0, 0, 0, a) SMS4 11: (0, 0, 0, a) [[??].sub.11] -- (a, 0, 0, 0) Misty -- -- SNAKE -- -- Camellia * -- 8-round, 4 IDs MIBS -- 8-round, 6 IDs LBlock -- 14-round, 80 IDs E2 -- 6-round, 56 IDs Block cipher This paper Gen-Skipjack Same as UID Gen-CAST256 Same as UID Four-Cell Same as UID Gen-MARS Same as UID Gen-RC6 Same as UID SMS4 Same as UID Misty 4 : (0,a) [[??].sub.4] (fe, b) SNAKE 11 : (0,0,0,0,0,0,a,0) [[??].sub.4] (0,0, b, 0, 0, 0, 0, 0) Camellia * Same as Wu-Wang MIBS 8-round, 10 IDs LBlock Same as Wu-Wang E2 Same as Wu-Wang Table 3: Impossible differentials for 8-round MIBS. There are 4 new found impossible differentials. a and b are nonzero values and a and b can have the same value. Number [DELTA]in 1 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, a, 0, 0) 2 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, a, 0, 0) 3 (0, 0, 0, 0, 0, 0, 0, 0; a, 0, 0, 0, 0, 0, 0, a) 4 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, a, 0, 0, a) 5 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, a, 0, 0, 0, 0, 0) 6 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, a, 0, 0, 0, 0, 0) 7 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, a, 0, 0, 0) 8 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, a, 0, 0, 0) 9 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, 0, a, 0) 10 (0, 0, 0, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, 0, 0, a) Number [DELTA]out Reference 1 (b, 0, 0, 0, 0, 0, 0, b; 0, 0, 0, 0, 0, 0, 0, 0) This paper 2 (0, 0, 0, 0, b, 0, 0, b; 0, 0, 0, 0, 0, 0, 0, 0) 3 (0, 0, 0, 0, 0, b, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0) 4 (0, 0, 0, 0, 0, b, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0) 5 (0, 0, 0, 0, b, 0, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0) [31] 6 (0, 0, 0, 0, 0, 0, 0, b; 0, 0, 0, 0, 0, 0, 0, 0) 7 (0, 0, b, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0) 8 (0, 0, 0, 0, 0, 0, b, 0; 0, 0, 0, 0, 0, 0, 0, 0) 9 (0, 0, 0, 0, b, 0, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0) 10 (0, 0, b, 0, 0, 0, 0, 0; 0, 0, 0, 0, 0, 0, 0, 0)

Printer friendly Cite/link Email Feedback | |

Title Annotation: | Research Article |
---|---|

Author: | Luo, Yiyuan; Lai, Xuejia |

Publication: | Security and Communication Networks |

Article Type: | Report |

Date: | Jan 1, 2017 |

Words: | 7563 |

Previous Article: | Detecting Web-Based Botnets Using Bot Communication Traffic Features. |

Next Article: | A Two-Factor RSA-Based Robust Authentication System for Multiserver Environments. |

Topics: |