Upper bound of the length of truncated impossible differentials for AES

Designs, Codes and Cryptography

Abstract

For the provable security of a block cipher against impossible differential cryptanalysis, the maximal length of an impossible differential is an essential quantity. Most previous work on finding impossible differentials for AES omits the non-linear component (the S-box), which is important for security. At EUROCRYPT 2016, Sun et al. showed how to bound the length of impossible differentials of an SPN "structure" using the primitive index of its linear layer. They proved that there are no impossible differentials longer than four rounds for the AES "structure", not for the AES cipher itself. Because they do not consider the details of the S-box, their bound does not directly apply to a concrete cipher, and the upper bound on the length of impossible differentials for AES itself remained unknown. We fill this gap in this paper. By revealing some important properties of the AES S-box, we prove that, even when the details of the S-box are taken into account, there are no truncated impossible differentials covering more than four rounds of AES, under the assumption that the round keys are independent and uniformly random. In particular, when the details of both the S-box and the key schedule are taken into account, there are no truncated impossible differentials covering more than four rounds of AES-256.
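To make the "structure"-level reasoning of the abstract concrete, the following Python script (added here; it is not code from the paper or its authors) propagates truncated difference patterns through the AES structure in exactly the setting the abstract criticises: the S-box is treated as an arbitrary bijection, so a byte difference only carries the labels zero, non-zero or unknown, and MixColumns contributes nothing but its MDS branch number of 5. Meeting a forward and a backward pattern in the middle recovers the classical four-round truncated impossible differential of Biham and Keller (one active input byte cannot lead, after four rounds with the final MixColumns omitted, to a ciphertext difference that is zero on the four positions {0, 7, 10, 13}). The same search finds no contradiction over five rounds, which is consistent with the paper's bound but is not a proof of it: at this level of abstraction nothing rules out that properties of the real S-box could create a longer truncated impossible differential, and showing that this does not happen is the paper's result. Byte indexing, state layout and the omitted final MixColumns follow FIPS 197; the three-valued pattern labels are an assumption of this example.

```python
"""Miss-in-the-middle search for truncated impossible differentials of the
AES *structure*: each byte of a difference is tracked only as inactive (zero),
active (non-zero) or unknown. The S-box is any bijection and MixColumns any
MDS map. Added example, not the paper's code. State bytes are indexed
column-major as in FIPS 197: s[r + 4*c] is row r, column c."""

INACTIVE, ACTIVE, UNKNOWN = 0, 1, 2


def shift_rows(s, inverse=False):
    """Byte permutation (row r rotated by r). SubBytes and AddRoundKey
    never change an activity pattern, so they need no code at all."""
    out = [UNKNOWN] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out


def mix_columns(s):
    """Probability-1 truncated propagation through an MDS column map
    (branch number 5). The inverse is MDS too, so the same rule serves both
    directions: all-zero column -> all-zero; exactly one non-zero byte ->
    four non-zero bytes; anything else is undecidable byte-wise -> unknown."""
    out = list(s)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        if col.count(INACTIVE) == 4:
            out[4 * c:4 * c + 4] = [INACTIVE] * 4
        elif col.count(ACTIVE) == 1 and col.count(INACTIVE) == 3:
            out[4 * c:4 * c + 4] = [ACTIVE] * 4
        else:
            out[4 * c:4 * c + 4] = [UNKNOWN] * 4
    return out


def forward(s, rounds, last_mc=True):
    """Push an input pattern through `rounds` rounds (SB, SR, MC, AK)."""
    for i in range(rounds):
        s = shift_rows(s)
        if i < rounds - 1 or last_mc:
            s = mix_columns(s)
    return s


def backward(s, rounds, last_mc=True):
    """Pull an output pattern back through `rounds` rounds; index 0 is the
    cipher's final round, whose MixColumns may be omitted as in AES."""
    for i in range(rounds):
        if i > 0 or last_mc:
            s = mix_columns(s)
        s = shift_rows(s, inverse=True)
    return s


def contradiction(fwd, bwd):
    """Positions where one direction says zero and the other says non-zero."""
    return [i for i in range(16) if {fwd[i], bwd[i]} == {INACTIVE, ACTIVE}]


def impossible_meet(din, dout, rounds, last_mc=True):
    """First meeting round at which the forward and backward patterns
    contradict (a truncated impossible differential), or None."""
    for meet in range(rounds + 1):
        fwd = forward(din, meet, last_mc if meet == rounds else True)
        bwd = backward(dout, rounds - meet, last_mc)
        if contradiction(fwd, bwd):
            return meet
    return None


def single_active(i):
    return [ACTIVE if j == i else INACTIVE for j in range(16)]


def zero_on(positions):
    return [INACTIVE if j in positions else UNKNOWN for j in range(16)]


def column_group(c):
    """Ciphertext positions (final MixColumns omitted) that inverse
    ShiftRows sends back into column c: {0,7,10,13} for c = 0, and so on."""
    ind = zero_on(range(4 * c, 4 * c + 4))
    return sorted(i for i, b in enumerate(shift_rows(ind)) if b == INACTIVE)


def all_4round_ids():
    """Every (active input byte, column group) pair is a 4-round truncated
    impossible differential of the structure: 16 * 4 = 64 of them."""
    return [(i, c) for i in range(16) for c in range(4)
            if impossible_meet(single_active(i), zero_on(column_group(c)),
                               4, last_mc=False) is not None]


if __name__ == "__main__":
    din, dout = single_active(0), zero_on(column_group(0))
    print("4 rounds, final MC omitted: contradiction when meeting after round",
          impossible_meet(din, dout, 4, last_mc=False))
    print("5 rounds, same patterns:", impossible_meet(din, dout, 5, last_mc=False))
    print("4-round truncated IDs of this shape:", len(all_4round_ids()))
```

The contradiction appears only when the two halves meet after round 2: forward, one active byte becomes a fully active column after one round and a fully active state after two, while backward, four zero ciphertext bytes collapse to one zero column and then to four zero bytes on a diagonal. Keeping the final MixColumns, or adding a fifth round, turns every byte of the longer side into "unknown", so this method can say nothing beyond four rounds; whether the real S-box changes that picture is precisely the question the paper answers.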


Notes

  1. “Transparent” means that the transformations do not mix the input state pattern.

References

  1. Bahrak B., Aref M.R.: Impossible differential attack on seven-round AES-128. IET Inf. Secur. 2(2), 28–32 (2008).

  2. Beierle C., Jovanovic P., Lauridsen M.M., Leander G., Rechberger C.: Analyzing permutations for AES-like ciphers: understanding ShiftRows. In: CT-RSA, pp. 37–58 (2015).

  3. Biham E., Biryukov A., Shamir A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. J. Cryptol. 18(4), 291–311 (2005).

  4. Biham E., Keller N.: Cryptanalysis of reduced variants of Rijndael. In: The 3rd AES Conference (2000).

  5. Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).

  6. Cheon J.H., Kim M., Kim K., Lee J.-Y., Kang S.: Improved impossible differential cryptanalysis of Rijndael and Crypton. In: ICISC, pp. 39–49 (2001).

  7. Cui T., Jin C., Zhang B., Chen Z.: Searching all truncated impossible differentials in SPN. IET Inf. Secur. doi:10.1049/iet-ifs.2015.0052.

  8. Daemen J., Rijmen V.: AES proposal: Rijndael. http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf.

  9. Daemen J., Rijmen V.: The wide trail design strategy. In: IMA International Conference, pp. 222–238 (2001).

  10. Daemen J., Rijmen V.: Understanding two-round differentials in AES. In: SCN, pp. 78–94 (2006).

  11. Grassi L., Rechberger C., Rønjom S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016).

  12. Hungerford T.W.: Algebra. Springer, New York (1974).

  13. Kanda M., Matsumoto T.: Security of Camellia against truncated differential cryptanalysis. In: FSE, pp. 286–299 (2001).

  14. Kim J., Hong S., Lim J.: Impossible differential cryptanalysis using matrix method. Discret. Math. 310(5), 988–1002 (2010).

  15. Knudsen L.R.: DEAL: a 128-bit block cipher. Technical Report, Department of Informatics, University of Bergen, Norway (1998).

  16. Knudsen L.R.: Truncated and higher order differentials. In: FSE, pp. 196–211 (1994).

  17. Lidl R., Niederreiter H.: Finite Fields. Cambridge University Press, Cambridge (1996).

  18. Luo Y., Lai X., Wu Z., Gong G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014).

  19. Matsui M.: Linear cryptanalysis method for DES cipher. In: Eurocrypt, pp. 386–397 (1993).

  20. NIST: FIPS 197: Announcing the Advanced Encryption Standard (AES). Technical Report, National Institute of Standards and Technology (2001). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

  21. Nyberg K.: Differentially uniform mappings for cryptography. In: Eurocrypt, pp. 55–64 (1993).

  22. Phan R.C.-W.: Impossible differential cryptanalysis of 7-round Advanced Encryption Standard (AES). Inf. Process. Lett. 91(1), 33–38 (2004).

  23. Sun B., Liu M., Guo J., Qu L., Rijmen V.: New insights on AES-like SPN ciphers. In: Crypto (1), pp. 605–624 (2016).

  24. Sun B., Liu M., Guo J., Rijmen V., Li R.: Provable security evaluation of structures against impossible differential and zero correlation linear cryptanalysis. In: Eurocrypt (1), pp. 196–213 (2016).

  25. Sun B., Liu Z., Rijmen V., Li R., Cheng L., Wang Q., AlKhzaimi H., Li C.: Links among impossible differential, integral and zero correlation linear cryptanalysis. In: Crypto (1), pp. 95–115 (2015).

  26. Wu S., Wang M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Indocrypt, pp. 283–302 (2012).


Acknowledgements

We would like to thank editors and anonymous reviewers for their patience and constructive suggestions. This work was supported by National Natural Science Foundation of China (Grant Nos. 61272488, 61402523 and 61772547).

Author information

Correspondence to Qian Wang.

Additional information

Communicated by C. Carlet.


Cite this article

Wang, Q., Jin, C. Upper bound of the length of truncated impossible differentials for AES. Des. Codes Cryptogr. 86, 1541–1552 (2018). https://doi.org/10.1007/s10623-017-0411-z
