Table of Contents Author Guidelines Submit a Manuscript
Security and Communication Networks
Volume 2018 (2018), Article ID 7393401, 11 pages
https://doi.org/10.1155/2018/7393401
Research Article

On the Complexity of Impossible Differential Cryptanalysis

1State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
2Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
3School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
4NTT Secure Platform Laboratories, Tokyo, Japan

Correspondence should be addressed to Lei Hu; nc.ca.si@uh

Received 12 September 2017; Accepted 20 December 2017; Published 17 April 2018

Academic Editor: Jiankun Hu

Copyright © 2018 Qianqian Yang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

While impossible differential attack is one of the most well-known and familiar techniques for symmetric-key cryptanalysts, its subtlety and complicacy make the construction and verification of such attacks difficult and error-prone. We introduce a new set of notations for impossible differential analysis. These notations lead to unified formulas for estimation of data complexities of ordinary impossible differential attacks and attacks employing multiple impossible differentials. We also identify an interesting point from the new formulas: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the differences at the beginning and the end of the distinguisher propagate in the outer rounds. We check the formulas with some examples, and the results are all matching. Since the estimation of the time complexity is flawed in some situations, in this work, we show under which condition the formula is valid and give a simple time complexity estimation for impossible differential attack which is always achievable.

1. Introduction

Impossible differential attack, introduced by Knudsen [1] and Biham et al. [2] independently, is one of the most well-known cryptanalytic techniques for symmetric-key cryptanalysts [39]. Generally, in impossible differential cryptanalysis, we guess some key bits involved in the outer rounds of the target cipher. Then the guess is rejected if it leads to impossible differentials at the inner rounds. Despite its extensive application in symmetric-key cryptanalysis, errors in the analysis are often discovered and many papers in the literature presented subtle flaws. Note that the flaws typically arise in the estimation of the time and data complexities rather than in the distinguisher, similar to searching differential and linear characteristic [1013], the methodology of searching for impossible differential is fairly mature, and automatic tools are available [1417]. To relieve the difficulty of the complexity analysis, Boura et al. presented generic complexity analysis formulas along with the development of new ideas for optimizing impossible differential cryptanalysis [18]. However, at FSE 2016, Derbez identified some flaws in the formulas for the time complexity estimation given in [18], and concrete examples were presented such that the time complexities estimated with the formulas given in [19] are not achievable.

Our contribution follows Boura, Naya-Plasencia, Suder, and Derbez’s work at ASIACRYPT 2014, FSE 2016, and ESC 2017; we investigate further some aspects of the estimation of the impossible differential attack which have not been explored or stated explicitly in previous work.

Firstly, we introduce a new set of notations for impossible differential analysis. With these notations, there is no difference between ordinary impossible differentials and multiple impossible differentials. Under some reasonable assumptions (the same assumptions were made implicitly in [18, 19]), we modify the formula in [18] for calculating the data complexity into a form getting rid of the parameters of the number of bit-conditions (the and notations in [18]) that have to be verified to follow some specified behavior in the outer rounds of a target cipher. Moreover, in the formulas derived with the new notations, we identify a very interesting and somehow strange point: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the differences at the beginning and the end of the distinguisher propagate in the outer rounds. That is, in most cases, the data complexity can be completely determined by the underlying impossible differential distinguisher employed in the attack. Hence, estimating the data complexity with the new formulas is much more easier and straightforward than that of [18].

Secondly, since Derbez showed concrete examples where Boura et al.’s formula of the time complexity of impossible differential attack is invalid, we are interested in the condition under which the estimation of Boura et al. is correct, and we prove that the time complexity of the key-sieving process given by Boura et al. is not only achievable but also optimal if the key bits involved in the outer rounds are independent. Using the early abort technique presented by Lu et al. in [20, 21], we give the optimal result with detailed process.

Finally, we give a formula to estimate the time complexity of the key-sieving process in the case where the key bits involved in the outer rounds are not independent. The estimation is not guaranteed to be equal to the complexity of the optimal attack as discussed by Derbez in [19], but it is always achievable. Therefore, the formula serves to give a rough estimation of an impossible differential attack without diving into complicated calculations and time-consuming search algorithms, which should be very useful in fast prototyping in cryptanalysis.

We present a new set of notations for impossible differential analysis in Section 2. Section 3 briefly shows impossible differential attacks. In Section 4, we modify the data formula, which is related to a few parameters and unifies multiple impossible differential attacks with ordinary impossible differential attacks. In Section 5 we prove that the formula of the time complexity is achievable and optimal with the key bits independent and give a rough estimation formula for the key bits without independence. At last we conclude the paper in Section 6.

2. Notations

Let be the finite field of two elements. For a set , its number of elements is denoted by , and let . Also, for an integer , let .

In addition, we use some notations like regular expression to represent a set of bit strings. For example, is equivalent to the set , is equivalent to , and is equivalent to , which is alternatively denoted by , where the subscript tells the number of occurrences of the symbol concerned.

Definition 1. Let be a block cipher and , ; if , for all , we call an impossible differential of , which is denoted by . More generally, let , ; we call an impossible differential, denoted by , if for any , , such that , and for any , , such that .

Note that this notation is different from the notation of impossible differential we typically see in the literature, since in our notation, it is possible that and , such that is not an impossible differential.

Let , where is simply written as if is clear from the context. Then we have , and in the special case for any and , . It is worth mentioning, with the new notation, that we can unify ordinary impossible differentials and multiple impossible differentials in impossible differential cryptanalysis.

For example, if , , and , with the new notation, we call an impossible differential, and .

Definition 2. Let , and the structure derived from is defined to be the set of all -bit strings such that for all . Given a bit string , is defined to be the set .

For example, if and , then and , . Recall that, in differential type of cryptanalysis, if we want to get many pairs of data whose differences are in a set , we typically first prepare a structure from which the needed pairs will be generated. From Figure 1, we can see the relationship in , , and .

Figure 1: The relationship in , , and .

3. Impossible Differential Attack

In contrast to ordinary differential attack which relies on differentials with high probability, impossible differential attack reduces the key space by identifying wrong key guesses with the aid of differentials which never occur.

We show how to convert an impossible differential distinguisher into a key-recovery attack in Figure 2. Firstly, we need to append some outer rounds ( with rounds and with rounds) around the distinguisher with rounds covering . Then we propagate the differences in and to both directions in the outer rounds to get and , where is the set of all differences having the possibility of creating an intermediate difference in at the beginning of , and is defined similarly. For fixed outer rounds, and are not dependent on the involved secret key bits in the outer rounds. Actually they can be computed by propagating the difference patterns upwards and downwards according to the differential distribution table of the components of the cipher. Now we can identify the involved secret key bits in the outer rounds. These key bits are the secret information we are going to recover in the attack, which we call the targeted key bits. Finally, we prepare some structures and encrypt the plaintexts in to get the corresponding ciphertexts. For each pair of plaintexts in satisfying , guess the secret key information involved in the outer rounds. If the partial encryption/decryption of and leads to impossible differentials, the guess is certainly incorrect. With this strategy, hopefully we can reject lots of wrong guesses of , and the key space is therefore reduced. To calculate complexity of the attack, we define which is the number of bit-conditions that have to be verified to obtain from . In other words, the differences are propagated from with probability 1 while the differential is verified with probability . Similarly, we can get the definition of .

Figure 2: Generic vision of impossible differential attack.

4. On the Data Complexity of Impossible Differential Attack

Assuming that we have identified an impossible differential , we propagate and differentials to both directions to get and . Then we prepare many structures by varying . For each structure , there are pairs of plaintexts satisfying . Filtering the pairs by the condition that the differences of ciphertexts pairs are in , we can get approximately plaintext pairs such that Moreover, there are approximatelypairs satisfying and .

Definition 3. A pair of plaintexts is -effective if and only if and .

According to the definitions of and , only -effective pairs have the potential to suggest wrong key guesses, since it is only possible for such pairs to lead to the impossible differential under wrong key guesses. From the above discussion, we have the following fact.

Fact 4. From one structure , approximately -effective pairs can be generated.

For an -effective pair , the probability that under some random guess of the key information involved in can be estimated as . Similarly, let be the ciphertexts of the -effective pair . Then the probability that under some random guess of the key information involved in can be estimated as .

Fact 5. The probability that an -effective pair leads to an impossible differential after partial encryption/decryption with a random key guess is that is, there are bit-conditions that need to be verified for an -effective pair to satisfy an impossible differential in .

Note that is coincidence to the notation of presented in [18] for any and , . Hence, the notion of is actually a special case of our notion . This is demonstrated by the following two concrete examples.

Example 6 (on the bit-conditions). Take the impossible differential attacks on SIMON [22] presented in Appendix A.3 in [18] as an example. The impossible differential used in the attack and the outer rounds are redrawn in Figure 3, from which we have , , Therefore, , which is the same as [18] where is calculated as . As can be seen in Figure 3,  , where is the number of bit-conditions in th round.

Figure 3: The initial rounds (a) and the final rounds (b) of the attack on SIMON32/64.

Example 7 (on the bit-conditions). Take the impossible differential attacks on 13-round CLEFIA-128 [23] presented in Section 3.2 of [18], for example. The impossible differentials used in the attack and the outer rounds are redrawn in Figure 4, from which we have , , , and . Therefore, , which is the same as [18], where is calculated as which are depicted in Figure 4.

Figure 4: The attack on CLEFIA-128.

For an -effective pair , we can guess the key bits involved in and and get and . If , the key guess must be incorrect and therefore can be removed from the candidate key space safely. In this case, we say that a key guess is rejected by a set of plaintext pairs if and only if the guess is rejected by at least one pair in . Let be the target key space, and let be the set of -effective pairs generated from the chosen plaintexts. The goal of an impossible differential attack is to reject as many as possible keys in such that the target key space can be reduced significantly.

According to Fact 5, the probability that a key guess for is rejected by a given -effective pair is . Therefore, the probability that a guess is not rejected by is .

Therefore, the number of candidates keys in the target key space after performing the impossible differential analysis is . In the literature, we typically regard approximately as . Consequently, we need approximately -effective pairs to reduce the target key space by bit.

Theorem 8. With the probability , in other words, to reduce -bit information of the space of key candidates, the data complexity is , where

Proof. We are now ready to have a careful look at the data complexity needed to reduce at least bit of information of the space of key candidates by considering two cases.
In the first case, 1 structure is enough to generate -effective pairs. That is, namely, . Assuming that we need plaintexts from , then from which we can get
In the second case, 1 structure is not enough to produce -effective pairs, and we need structures. In this case, we have Therefore, we need plaintexts.
From the above two cases, we can obtain formula (8).

Corollary 9. With the probability , in other words, to reduce -bit information of the space of key candidates, the data complexity is , where

From Theorem 8, we can get Corollary 9 easily with the same method. According to Theorem 8, while , namely, for one bit-level impossible differential, the minimum data complexity is . Obviously, the amount of all data is , which is less than the minimum data complexity needed for a feasible impossible differential attack.

Corollary 10. If only using one bit-level impossible differential, which is , then there does not exist a successful impossible differential attack.

In our formulas, the computation of the data complexity for standard impossible differential analysis and attacks based on multiple impossible differentials are unified. Moreover, our formulas reveal some interesting facts which have not been spotted previously. Taking formula (8), for example, in almost all papers [9, 20, 2428], it is the case that This is very reasonable, since the cryptanalysts cannot propagate upwards too much; otherwise would contain almost all strings in , which is obviously an unpleasant situation. Therefore, in most cases, the data complexity can be computed from the distinguisher directly and has nothing to do with how / propagate upwards/downwards. This formula offers an extremely simple procedure for computing the data complexity of impossible differential attack. Let us show some examples.

Example 11 (multiple impossible differential attack on SIMON32/64 and SIMON96/96). In [18], Boura et al. used multiple impossible differentials to attack SIMON32/64. There are 8 independent input patterns by one original 11-round impossible differential we can see the detail in Table 1. It is obvious that Thus the data complexity is approximately to reduce information of the key candidates space from formula (12). Similarly, using 8 16-round impossible differentials, to reduce the target key space by approximately bit, the data complexity is approximately . These data complexities are in accordance with the results proposed in [18].

Table 1: Impossible differential characteristics for SIMON32/64.

Example 12 (multiple impossible differential attack on CLEFIA-128). In [24], Tsunoo et al. mounted an impossible differential attack on CLEFIA [23] by using multiple impossible differentials discovered in [29]. There are the following two 9-round impossible differentials in CLEFIA Only considering that there is one active byte in and presented in Table 2, we will show how to use our formula to determine the data complexity of an impossible differential attack based on these differentials.

Table 2: Differential values for and .

From Table 3, we can see that Therefore, to reduce the target key space by approximately bit, the minimal number of data complexity is approximately , which matches the results presented in [18, 24] perfectly.

Table 3: Impossible differential characteristics for CLEFIA-128.

5. On the Time Complexity of Impossible Differential Attack

The time complexity of the impossible differential attack is estimated by Boura et al. with the formulawhere is the amount of needed data for obtaining the pairs, is the number of candidate keys, is the ratio of the partial encryption to the full encryption, is the key candidates needed to exhaustive search, and is the full encryption. The first term is the cost of generating -effective pairs. The second term corresponds to the cost of the key-sieving procedure. Finally, the third term is the cost of exhaustive search for the key candidates which are not removed by the key-sieving procedure. Among these three terms, the second one is the most obscure part. Next, we focus attention on the second part. So before we go further, we would like to give some comments on it. Note that the comments are never meant to be precise, but try to get some intuitive understanding.

Let be -effective plaintext pairs. We create tuples of the form , where and . We arrange these tuples into rows as follows: No matter how we perform the impossible differential attack, the partial encryption and decryption of the plaintext pairs with guessed key will be performed inevitably for those such that is rejected by . Let Then is approximately . Therefore, the time complexity of the key-sieving process is at least , which is optimal. That is, the second term of Boura et al.’s formula is in some sense a minimum estimation of the complexity of the key-sieving process.

In [19], Derbez presented some concrete examples where there is no attack whose complexity is as low as Boura et al.’s estimation. Consequently, we want to ask the question: under which condition is Boura et al.’s estimation valid? The following shows that when the key bits are independent Boura et al.’s formula is valid and achievable. For the other case when the key bits are not independent we give a simple discussion.

5.1. When the Key Bits Are Independent

Assumption 13. In order to give a technique to achieve the optimal time complexity, there are some assumptions in the target cipher. We focus our attention on these ciphers which consist of subkey XOR, nonlinear, and linear operations. For nonlinear layer, it should be composed by S-boxes or bitwise AND. In other words, the difference values of nonlinear operation should be shown in a table with less storage and we can ignore the time complexity of creating table. Therefore, most block ciphers satisfy this assumption.

Let us assume that is the round input set and is the set propagated by with probability 1. During the key filtering phase of impossible differential attack, includes two parts: one involved the value of difference and the other part involved no difference but need to get these values. Therefore, for target ciphers satisfying our assumptionAn example is depicted in Figure 5, where .

Figure 5: Example: grey color stands for nibbles with nonzero difference.

In the following, we present the early abort technique in which the time complexity will achieve the optimal result if the involved key bits are independent. Assuming that there are outer rounds, let denote the involved key bits and let denote the number of bit-conditions. Given -effective plaintext pairs , for each , completes the following steps:(i)Step 0: derive by table look-up. . In detail, at first guess the value of and decrypt the corresponding plaintext pairs partially to calculate the output difference after nonlinear operation, then get the value of by table look-up technique and finally guess the value of to get .(ii)Step 1: derive by table look-up. .(iii)(iv)Step : derive by table look-up. .

For Step 0, the time complexity is Therefore, the complexity of the whole procedure with a given permutation iswhere and . Obviously, is the ratio of the cost of partial encryption to the full encryption.

Combining (20) with the early abort technique, , . Hence .

Fact 14. If the involved key bits are independent, then .

From Fact 14, we know that there is a permutation such that the time complexity of the key-sieving process is approximatelywhich is the same as Boura’s formula. Without considering the time complexity of the key schedule, if the target ciphers are under our assumption and the involved key bits are independent, we can conclude that Boura et al.’s formula is correct.

Example 15 (impossible differential attack on a toy cipher). Let us consider the toy block cipher used by Derbez in [19] as an example which is defined as follows: where is a 128-bit block cipher and where , , , and , respectively, are the AddRoundKey, SubBytes, ShriftRows, and MixColumns operations from the AES: (i)AddRoundKey (AK): XORing the state with round key;(ii)SubBytes (SB): nonlinearity transformation using 8-bit to 8-bit invertible S-Box;(iii)ShiftRows (SR): permutation with cyclic shift of each row to the left;(iv)MixColumns (MC): linearity transformation to mix all the column by invertible matrix.

Assume that there is an impossible differential over where has one active byte. As shown in Figure 6, appending one round on the top of the distinguisher we give an impossible differential cryptanalysis. The bit-condition is and there are 32 key bits. In the case that the key bits are independent, we give the time complexity of the attack as follows:(i)Step 1: guess ; there are values. For each value of , decrypt pairs to calculate the difference value after operation. Thus the input difference and output difference of S-Box are both known in nibbles 0, 5, 10, and 15 for each pair.(ii)Step 2: by table look-up four times, get the values of , , , and in turn.

Figure 6: Impossible differential attack against the toy cipher .

Step 1 and Step 2 are the detailed explanation about Step 0. For -effective pairs, the time complexity in above steps is which is in conformity with formula (23).

5.2. When the Key Bits Are Not Independent

The previous section shows in some sense that the estimation of Boura is not only achievable but also optimal when the key bits involved are independent.

In the following, we give a formula to estimate the complexity of the key-sieving process which is always valid regardless whether the involved key bits are independent or not We show how to determine by example.

Example 16 (multiple impossible differential attack on CLEFIA-128). From Figure 4 showing the attack on CLEFIA-128 by using multiple impossible differentials, there are 4 outer rounds. For there are 32 bits of , 32 bits of , and 8 bits of to be guessed. Similarly, for we also need to guess 8 bits of , 32 bits of , and 32 bits of . Therefore, and . Considering the relationship between the subkeys, the subkeys and share 22 bits in common. Thus the number of information key bits is and for each round the bit-conditions are , , , and . Because the key bits are not independent, we should calculate by steps, which could not calculate by the formula .

The process to calculate is as follows:(i)Step 0: guess the subkeys of the first round, and ; thus .(ii)Step 1: guess the subkeys of the second round, and ; thus .(iii)Step 2: guess the subkeys of the 13th round, and ; thus .(iv)Step 3: guess the subkeys of the 12th round, and ; thus .

The above steps show which is equal to ; thus . The key point is that in Step 2 , it does not generate greater value than , and the time complexity of the key-sieving process is To trade-off the data complexity and the time complexity, choosing , the time complexity is with , , , and , which is as a result presented in [18].

6. Conclusion

Thanks to the new notations, we give a unified data complexity formula for both the ordinary impossible differential attacks and attacks based on multiple impossible differentials. This formula not only is more convenient to use, but also reveals an interesting fact that the data complexity of an impossible differential attack can be derived by the mere knowledge of the underlying impossible differential distinguisher in most cases. Moreover, we show under which condition Boura et al.’s formula is valid and give a simple time complexity estimation for impossible differential attack which is always achievable. We believe that these results make the evaluation of the impossible differential attack more straightforward and reliable.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The work of this paper was supported by the National Natural Science Foundation of China (Grants 61732021, 61472417, 61772519, 61472415, and 61402469), the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grant no. Y7Z0251103), and the State Key Laboratory of Information Security, Chinese Academy of Sciences. The work of Siwei Sun is supported by the Youth Innovation Promotion Association of Chinese Academy of Sciences and the Institute of Information Engineering (Qing-Nian-Zhi-Xing project).

References

  1. L. Knudsen, “DEAL-a 128-bit block cipher,” Complexity, vol. 258, no. 2, 1998. View at Google Scholar
  2. E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials,” in Advances in Cryptology - EUROCRYPT ’99, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, pp. 12–23, Prague, Czech Republic, May 1999.
  3. L. Wen, M.-Q. Wang, and J.-Y. Zhao, “Related-key impossible differential attack on reduced-round LBlock,” Journal of Computer Science and Technology, vol. 29, no. 1, pp. 165–176, 2014. View at Publisher · View at Google Scholar · View at Scopus
  4. J. Zhao, M. Wang, J. Chen, and Y. Zheng, “New impossible differential attack on SAFER block cipher family,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E98A, no. 3, pp. 843–852, 2015. View at Publisher · View at Google Scholar · View at Scopus
  5. Y. Todo, “Impossible differential attack against 14-round Piccolo-80 without relying on full code book,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E99A, no. 1, pp. 154–157, 2016. View at Publisher · View at Google Scholar · View at Scopus
  6. K. Kondo, Y. Sasaki, Y. Todo, and T. Iwata, “Analyzing key schedule of SIMON: Iterative key differences and application to related-key impossible differentials,” in Advances in Information and Computer Security, Proceedings of the 12th International Workshop on Security, IWSEC 2017, pp. 141–158, Hiroshima, Japan, August 2017.
  7. B. Sun, Z. Liu, V. Rijmen et al., “Links among impossible differential, integral and zero correlation linear cryptanalysis,” in the Advances in Cryptology - CRYPTO 2015, Proceedings of 35th Annual Cryptology Conference, pp. 95–115, Santa Barbara, CA, USA, August 2015.
  8. B. Sun, M. Liu, J. Guo, V. Rijmen, and R. Li, “Provable security evaluation of structures against impossible differential and zero correlation linear cryptanalysis,” in Advances in Cryptology - EUROCRYPT 2016, Proceedings of the 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 196–213, Springer, Vienna, Austria, May 2016.
  9. S. Bing, L. Ruilin, M. Wang, L. Ping, and L. Chao, “Impossible differential cryptanalysis of CLEFIA,” Cryptology ePrint Archive, vol. 151, 2008. View at Google Scholar
  10. N. Mouha, Q. Wang, D. Gu, and B. Preneel, “Differential and linear cryptanalysis using mixed-integer linear programming,” in Information Security and Cryptology, Proceedings of the 7th International Conference, Inscrypt 2011, pp. 57–76, Beijing, China, November 2011.
  11. W. Shengbao and W. Mingsheng, “Security evaluation against differential cryptanalysis for block cipher structures,” Cryptology ePrint Archive, vol. 551, 2011. View at Google Scholar
  12. S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, and L. Song, “Automatic security evaluation and (related-key) differential characteristic search: Application to simon, present, lblock, DES(L) and other bit-oriented block ciphers,” in Advances in Cryptology - ASIACRYPT 2014, Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security, pp. 158–178, Kaoshiung, Taiwan, December 2014.
  13. K. Fu, M. Wang, Y. Guo, S. Sun, and L. Hu, “MILP-based automatic search algorithms for differential and linear trails for speck,” Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Preface, vol. 9783, pp. 268–288, 2016. View at Publisher · View at Google Scholar · View at Scopus
  14. J. Kim, S. Hong, J. Sung, S. Lee, J. Lim, and S. Sung, “Impossible differential cryptanalysis for block cipher structures,” in Cryptology - INDOCRYPT 2003, Proceedings of the 4th International Conference on Cryptology in India, pp. 82–96, New Delhi, India, December 2003.
  15. Y. Luo, X. Lai, Z. Wu, and G. Gong, “A unified method for finding impossible differentials of block cipher structures,” Information Sciences, vol. 263, pp. 211–220, 2014. View at Publisher · View at Google Scholar · View at Scopus
  16. Y. Sasaki and Y. Todo, “New impossible differential search tool from design and cryptanalysis aspects - revealing structural properties of several ciphers,” in Advances in Cryptology - EUROCRYPT 2017, Proceedings of the 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 185–215, Paris, France, April 2017.
  17. C. Tingting, J. Keting, F. Kai, C. Shiyao, and W. Meiqin, “New automatic search tool for impossible differentials and zero-correlation linear approximations,” Tech. Rep., Cryptology ePrint Archive, 2016, http://eprint.iacr.org/2016/689. View at Google Scholar
  18. C. Boura, M. Naya-Plasencia, and V. Suder, “Scrutinizing and Improving Impossible Differential Attacks: Applications to CLEFIA, Camellia, LBlock and Simon,” in Advances in Cryptology - ASIACRYPT 2014, Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security, Part I, pp. 179–199, Kaoshiung, Taiwan, December 2014. View at MathSciNet
  19. P. Derbez, “Note on impossible differential attacks,” in Fast Software Encryption, Proceedings of the 23rd International Conference, FSE 2016, vol. 9783, pp. 416–427, Bochum, Germany, March 2016.
  20. J. Lu, O. Dunkelman, N. Keller, and J. Kim, “New impossible differential attacks on AES,” in Progress in Cryptology - INDOCRYPT 2008, Proceedings of the 9th International Conference on Cryptology in India, pp. 279–293, Kharagpur, India, December 2008.
  21. J. Lu, J. Kim, N. Keller, and O. Dunkelman, “Improving the efficiency of impossible differential cryptanalysis of reduced camellia and MISTY1,” in Topics in Cryptology - CT-RSA 2008, Proceedings of The Cryptographers’ Track at the RSA Conference 2008, vol. 4964, pp. 370–386, San Francisco, CA, USA, April 2008.
  22. R. Beaulieu, S. Treatman-Clark, D. Shors, B. Weeks, J. Smith, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers,” IACR Cryptology ePrint Archive, vol. 404, 2013. View at Google Scholar
  23. T. Shirai, A. Toru, K. Shibutani, and I. Tetsu, “The 128-bit blockcipher CLEFIA (extended abstract),” in Fast Software Encryption, Proceedings of the 14th International Workshop, FSE 2007, pp. 181–195, Luxembourg, 2007.
  24. Y. Tsunoo, E. Tsujihara, M. Shigeri, T. Suzaki, and T. Kawabata, “Cryptanalysis of CLEFIA using multiple impossible differentials,” in Proceedings of the 2008 International Symposium on Information Theory and its Applications, ISITA2008, 6, 1 page, Auckland, New Zealand, December 2008. View at Publisher · View at Google Scholar · View at Scopus
  25. S. Siwei and D. Gerault, “Pascal Lafourcade, Qianqian Yang, Yosuke Todo, Kexin Qiao, and Lei Hu. Analysis of aes, skinny, and others with constraint programming,” IACR Trans. Symmetric Cryptol, vol. 2017, no. 1, pp. 281–306, 2017. View at Google Scholar
  26. Y. Liu, L. Li, D. Gu et al., “New observations on impossible differential cryptanalysis of reduced-round camellia,” in Fast Software Encryption, Proceedings of the 19th International Workshop, FSE 2012, pp. 90–109, Washington, DC, USA, March 2012.
  27. B. Bahrak and M. R. Aref, “Impossible differential attack on seven-round AES-128,” IET Information Security, vol. 2, no. 2, pp. 28–32, 2008. View at Publisher · View at Google Scholar · View at Scopus
  28. J. Chen, Y. Futa, A. Miyaji, and C. Su, “Improving impossible differential cryptanalysis with concrete investigation of key scheduling algorithm and its application to lblock,” in Proceedings of the 8th International Conference, NSS 2014, pp. 184–197, Xi’an, China, October 2014.
  29. K. Nyberg, T. Etsuko, S. Maki, and S. Teruo, “Impossible differential cryptanalysis of CLEFIA,” in Fast Software Encryption, Proceedings of the 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 2008.