Research Article | Open Access
On the Complexity of Impossible Differential Cryptanalysis
While impossible differential attack is one of the most well-known and familiar techniques for symmetric-key cryptanalysts, its subtlety and complexity make the construction and verification of such attacks difficult and error-prone. We introduce a new set of notations for impossible differential analysis. These notations lead to unified formulas for estimation of data complexities of ordinary impossible differential attacks and attacks employing multiple impossible differentials. We also identify an interesting point from the new formulas: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the differences at the beginning and the end of the distinguisher propagate in the outer rounds. We check the formulas with some examples, and the results all match. Since the estimation of the time complexity is flawed in some situations, in this work, we show under which condition the formula is valid and give a simple time complexity estimation for impossible differential attack which is always achievable.
Impossible differential attack, introduced by Knudsen  and Biham et al.  independently, is one of the most well-known cryptanalytic techniques for symmetric-key cryptanalysts [3–9]. Generally, in impossible differential cryptanalysis, we guess some key bits involved in the outer rounds of the target cipher. Then the guess is rejected if it leads to impossible differentials at the inner rounds. Despite its extensive application in symmetric-key cryptanalysis, errors in the analysis are often discovered, and many papers in the literature contain subtle flaws. Note that the flaws typically arise in the estimation of the time and data complexities rather than in the distinguisher: as with the search for differential and linear characteristics [10–13], the methodology for searching for impossible differentials is fairly mature, and automatic tools are available [14–17]. To relieve the difficulty of the complexity analysis, Boura et al. presented generic complexity analysis formulas along with the development of new ideas for optimizing impossible differential cryptanalysis . However, at FSE 2016, Derbez identified some flaws in the formulas for the time complexity estimation given in , and concrete examples were presented such that the time complexities estimated with the formulas given in  are not achievable.
Our contribution follows Boura, Naya-Plasencia, Suder, and Derbez’s work at ASIACRYPT 2014, FSE 2016, and ESC 2017; we investigate further some aspects of the estimation of the impossible differential attack which have not been explored or stated explicitly in previous work.
Firstly, we introduce a new set of notations for impossible differential analysis. With these notations, there is no difference between ordinary impossible differentials and multiple impossible differentials. Under some reasonable assumptions (the same assumptions were made implicitly in [18, 19]), we modify the formula in  for calculating the data complexity into a form that dispenses with the parameters counting the number of bit-conditions (the and notations in ) that have to be verified to follow some specified behavior in the outer rounds of a target cipher. Moreover, in the formulas derived with the new notations, we identify a very interesting and somewhat surprising point: in most cases, the data complexity is only related to the form of the underlying distinguisher and has nothing to do with how the differences at the beginning and the end of the distinguisher propagate in the outer rounds. That is, in most cases, the data complexity can be completely determined by the underlying impossible differential distinguisher employed in the attack. Hence, estimating the data complexity with the new formulas is much easier and more straightforward than with those of .
Secondly, since Derbez showed concrete examples where Boura et al.’s formula for the time complexity of impossible differential attack is invalid, we are interested in the condition under which the estimation of Boura et al. is correct, and we prove that the time complexity of the key-sieving process given by Boura et al. is not only achievable but also optimal if the key bits involved in the outer rounds are independent. Using the early abort technique presented by Lu et al. in [20, 21], we give the optimal result together with a detailed procedure.
Finally, we give a formula to estimate the time complexity of the key-sieving process in the case where the key bits involved in the outer rounds are not independent. The estimation is not guaranteed to be equal to the complexity of the optimal attack as discussed by Derbez in , but it is always achievable. Therefore, the formula serves to give a rough estimation of an impossible differential attack without diving into complicated calculations and time-consuming search algorithms, which should be very useful in fast prototyping in cryptanalysis.
We present a new set of notations for impossible differential analysis in Section 2. Section 3 briefly reviews impossible differential attacks. In Section 4, we modify the data formula, which is related to a few parameters and unifies multiple impossible differential attacks with ordinary impossible differential attacks. In Section 5 we prove that the formula of the time complexity is achievable and optimal when the key bits are independent and give a rough estimation formula for key bits that are not independent. Finally, we conclude the paper in Section 6.
Let be the finite field of two elements. For a set , its number of elements is denoted by , and let . Also, for an integer , let .
In addition, we use notation resembling regular expressions to represent a set of bit strings. For example, is equivalent to the set , is equivalent to , and is equivalent to , which is alternatively denoted by , where the subscript tells the number of occurrences of the symbol concerned.
Definition 1. Let be a block cipher and , ; if , for all , we call an impossible differential of , which is denoted by . More generally, let , ; we call an impossible differential, denoted by , if for any , , such that , and for any , , such that .
Note that this notation is different from the notation of impossible differential we typically see in the literature, since in our notation, it is possible that and , such that is not an impossible differential.
Let , where is simply written as if is clear from the context. Then we have , and in the special case for any and , . It is worth mentioning that, with the new notation, we can unify ordinary impossible differentials and multiple impossible differentials in impossible differential cryptanalysis.
For example, if , , and , with the new notation, we call an impossible differential, and .
Definition 2. Let , and the structure derived from is defined to be the set of all -bit strings such that for all . Given a bit string , is defined to be the set .
For example, if and , then and , . Recall that, in differential-type cryptanalysis, if we want to get many pairs of data whose differences are in a set , we typically first prepare a structure from which the needed pairs will be generated. From Figure 1, we can see the relationship among , , and .
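The following Python is an added example, not code from the paper: it makes the regular-expression-like notation and Definition 2 concrete. The concrete syntax is this example's own assumption (`0`/`1` fixed bits, `*` a free bit, and `{k}` after a symbol as the repetition subscript), as are the function names. It expands a pattern into the explicit set of bit strings it denotes, builds the candidate structure S(x) = {x ⊕ δ : δ ∈ Δ} from a base string x, and checks Definition 2's condition that every pair in the structure differs by an element of Δ. It also shows the edge case a practitioner trips over: a pattern that fixes some bit to 1 (such as `0*1`) does not yield a structure with two or more elements, because the XOR of any two of its members has a 0 in that position.

```python
import re
from itertools import combinations, product

# Assumed concrete syntax for the paper's regular-expression-like notation:
# '0' and '1' are fixed bits, '*' is a free ("any") bit, and a symbol followed
# by {k} repeats it k times, standing in for the subscript of the paper
# (so '*{3}0' denotes the same set as '***0').  This syntax is this example's
# own choice, not the paper's.
_REP = re.compile(r"([01*])\{(\d+)\}")


def expand_pattern(pattern: str) -> set[str]:
    """Expand a wildcard pattern into the explicit set of bit strings it denotes."""
    flat = _REP.sub(lambda m: m.group(1) * int(m.group(2)), pattern)
    if not flat or set(flat) - {"0", "1", "*"}:
        raise ValueError(f"bad pattern: {pattern!r}")
    free = [i for i, ch in enumerate(flat) if ch == "*"]
    result = set()
    for bits in product("01", repeat=len(free)):
        chars = list(flat)
        for pos, b in zip(free, bits):
            chars[pos] = b
        result.add("".join(chars))
    return result


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings (the difference of a pair)."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def structure_from(base: str, delta: set[str]) -> set[str]:
    """Candidate structure S(base) = {base xor d : d in delta}."""
    return {xor_bits(base, d) for d in delta}


def is_structure(s: set[str], delta: set[str]) -> bool:
    """Definition 2 check: every pair of distinct elements of s differs by an element of delta."""
    return all(xor_bits(a, b) in delta for a, b in combinations(sorted(s), 2))


def pair_count(s: set[str]) -> int:
    """Number of unordered pairs one structure of size |s| yields."""
    return len(s) * (len(s) - 1) // 2


if __name__ == "__main__":
    # Constructed demo values: a pattern whose fixed bits are all 0 gives a
    # structure; one with a fixed 1 bit does not.
    good = expand_pattern("**0")
    s_good = structure_from("101", good)
    print(sorted(s_good), is_structure(s_good, good), pair_count(s_good))
    bad = expand_pattern("0*1")
    s_bad = structure_from("000", bad)
    print(sorted(s_bad), is_structure(s_bad, bad))
```

The check in `is_structure` is quadratic in the size of the structure, which is fine for the small patterns used to sanity-check a distinguisher on paper; for block-sized structures one would instead verify that the set of differences is closed under XOR, which is what the all-zero-fixed-bits case guarantees.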
3. Impossible Differential Attack
In contrast to ordinary differential attack which relies on differentials with high probability, impossible differential attack reduces the key space by identifying wrong key guesses with the aid of differentials which never occur.
We show how to convert an impossible differential distinguisher into a key-recovery attack in Figure 2. Firstly, we need to append some outer rounds ( with rounds and with rounds) around the distinguisher with rounds covering . Then we propagate the differences in and to both directions in the outer rounds to get and , where is the set of all differences having the possibility of creating an intermediate difference in at the beginning of , and is defined similarly. For fixed outer rounds, and do not depend on the secret key bits involved in the outer rounds. Actually they can be computed by propagating the difference patterns upwards and downwards according to the differential distribution table of the components of the cipher. Now we can identify the involved secret key bits in the outer rounds. These key bits are the secret information we are going to recover in the attack, which we call the targeted key bits. Finally, we prepare some structures and encrypt the plaintexts in to get the corresponding ciphertexts. For each pair of plaintexts in satisfying , guess the secret key information involved in the outer rounds. If the partial encryption/decryption of and leads to impossible differentials, the guess is certainly incorrect. With this strategy, we hope to reject many wrong guesses of , and the key space is therefore reduced. To calculate the complexity of the attack, we define , which is the number of bit-conditions that have to be verified to obtain from . In other words, the differences are propagated from with probability 1, while the differential is verified with probability . Similarly, we can get the definition of .
4. On the Data Complexity of Impossible Differential Attack
Assuming that we have identified an impossible differential , we propagate and differentials to both directions to get and . Then we prepare many structures by varying . For each structure , there are pairs of plaintexts satisfying . Filtering the pairs by the condition that the differences of ciphertext pairs are in , we can get approximately plaintext pairs such that Moreover, there are approximately pairs satisfying and .
Definition 3. A pair of plaintexts is -effective if and only if and .
According to the definitions of and , only -effective pairs have the potential to suggest wrong key guesses, since it is only possible for such pairs to lead to the impossible differential under wrong key guesses. From the above discussion, we have the following fact.
Fact 4. From one structure , approximately -effective pairs can be generated.
For an -effective pair , the probability that under some random guess of the key information involved in can be estimated as . Similarly, let be the ciphertexts of the -effective pair . Then the probability that under some random guess of the key information involved in can be estimated as .
Fact 5. The probability that an -effective pair leads to an impossible differential after partial encryption/decryption with a random key guess is that is, there are bit-conditions that need to be verified for an -effective pair to satisfy an impossible differential in .
Note that coincides with the notation of presented in  for any and , . Hence, the notion of is actually a special case of our notion . This is demonstrated by the following two concrete examples.
Example 6 (on the bit-conditions). Take the impossible differential attacks on SIMON  presented in Appendix A.3 in  as an example. The impossible differential used in the attack and the outer rounds are redrawn in Figure 3, from which we have , , Therefore, , which is the same as  where is calculated as . As can be seen in Figure 3, , where is the number of bit-conditions in the th round.
Example 7 (on the bit-conditions). Take the impossible differential attacks on 13-round CLEFIA-128  presented in Section 3.2 of  as an example. The impossible differentials used in the attack and the outer rounds are redrawn in Figure 4, from which we have , , , and . Therefore, , which is the same as , where is calculated as which are depicted in Figure 4.
For an -effective pair , we can guess the key bits involved in and and get and . If , the key guess must be incorrect and therefore can be removed from the candidate key space safely. In this case, we say that a key guess is rejected by a set of plaintext pairs if and only if the guess is rejected by at least one pair in . Let be the target key space, and let be the set of -effective pairs generated from the chosen plaintexts. The goal of an impossible differential attack is to reject as many keys in as possible, so that the target key space can be reduced significantly.
According to Fact 5, the probability that a key guess for is rejected by a given -effective pair is . Therefore, the probability that a guess is not rejected by is .
Therefore, the number of candidate keys in the target key space after performing the impossible differential analysis is . In the literature, we typically approximate by . Consequently, we need approximately -effective pairs to reduce the target key space by bit.
Theorem 8. With the probability , in other words, to reduce -bit information of the space of key candidates, the data complexity is , where
Proof. We are now ready to have a careful look at the data complexity needed to reduce at least bit of information of the space of key candidates by considering two cases.
In the first case, 1 structure is enough to generate -effective pairs; that is, . Assuming that we need plaintexts from , then from which we can get
In the second case, 1 structure is not enough to produce -effective pairs, and we need structures. In this case, we have Therefore, we need plaintexts.
From the above two cases, we can obtain formula (8).
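The counting behind Facts 4 and 5, the key-sieving estimate, and the two cases of the proof above, carried out in Python as an added example (this is not the paper's code, and it does not reproduce the paper's formula (8); it implements the generic argument with the parameters named explicitly). The assumptions are: one structure of |S| plaintexts yields |S|(|S|-1)/2 pairs whose plaintext difference lies in the input pattern set; a fraction `p_filter` of those pairs survive the ciphertext-difference filter (taken as the probability that a random ciphertext difference lands in the filter set); each effective pair rejects a wrong key guess with probability 2^-c where c = c_in + c_out (Fact 5); and the text's approximation (1-p)^N ≈ e^{-pN} is used to size N. All function names are this example's own.

```python
import math


def effective_pairs_per_structure(structure_size: int, p_filter: float) -> float:
    """Fact 4 in generic form: one structure of |S| plaintexts gives |S|(|S|-1)/2
    pairs with plaintext difference in the input pattern set (assumption: S is a
    structure in the sense of Definition 2); a fraction p_filter of them survive
    the ciphertext-difference filter (assumption: p_filter is the probability that
    a random ciphertext difference lies in the filter set)."""
    if structure_size < 2 or not 0 < p_filter <= 1:
        raise ValueError("need a structure of >= 2 texts and 0 < p_filter <= 1")
    return structure_size * (structure_size - 1) / 2 * p_filter


def surviving_keys(key_bits: int, c: int, n_pairs: int) -> tuple[float, float]:
    """Candidates left in a 2^key_bits target key space after n_pairs effective
    pairs, each rejecting a wrong guess with probability 2^-c (Fact 5, c = c_in +
    c_out).  Returns (exact, approx): exact uses (1-p)^N, approx the e^{-pN}
    form used in the text."""
    p = 2.0 ** -c
    exact = 2.0 ** key_bits * (1.0 - p) ** n_pairs
    approx = 2.0 ** key_bits * math.exp(-p * n_pairs)
    return exact, approx


def pairs_needed(c: int, b: float) -> int:
    """Smallest N with e^{-N 2^-c} <= 2^-b, i.e. N = b * ln2 * 2^c effective pairs
    to cut the target key space by b bits."""
    return math.ceil(b * math.log(2) * 2 ** c)


def data_complexity(structure_size: int, p_filter: float, c: int, b: float) -> tuple[int, int]:
    """Chosen plaintexts needed to shrink the key space by b bits, following the two
    cases of the proof: one structure suffices, or several are needed.
    Returns (plaintexts, structures_used)."""
    n = pairs_needed(c, b)
    per_structure = effective_pairs_per_structure(structure_size, p_filter)
    if per_structure >= n:
        # Case 1: one structure suffices.  Take the smallest m plaintexts from it
        # with m(m-1)/2 * p_filter >= n, the positive root of m^2 - m - 2n/p_filter.
        m = math.ceil((1 + math.sqrt(1 + 8 * n / p_filter)) / 2)
        return m, 1
    # Case 2: whole structures are consumed until n effective pairs are reached.
    structures = math.ceil(n / per_structure)
    return structures * structure_size, structures


if __name__ == "__main__":
    # Constructed parameters: a 2^10-text structure, a 4-bit ciphertext filter,
    # c = 8 bit-conditions, and a 1-bit reduction of a 16-bit target key space.
    n = pairs_needed(8, 1)
    print("effective pairs needed:", n)
    print("survivors (exact, approx):", surviving_keys(16, 8, n))
    print("one large structure:", data_complexity(1024, 1 / 16, 8, 1))
    print("many small structures:", data_complexity(16, 1 / 16, 8, 1))
```

Running the demo with the constructed parameters shows why the two cases matter: with a 2^10-text structure, 76 plaintexts out of it already give the 178 effective pairs needed, whereas with 16-text structures 24 whole structures (384 plaintexts) are required, because each small structure contributes only 7.5 effective pairs on average. The `exact` and `approx` survivor counts differ by well under one percent, which is why the text treats the exponential form as the working approximation.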
Corollary 9. With the probability , in other words, to reduce -bit information of the space of key candidates, the data complexity is , where
From Theorem 8, we can get Corollary 9 easily with the same method. According to Theorem 8, when , namely, for a single bit-level impossible differential, the minimum data complexity is . Obviously, the amount of all data is , which is less than the minimum data complexity needed for a feasible impossible differential attack.
Corollary 10. If only one bit-level impossible differential is used, that is, , then no successful impossible differential attack exists.
In our formulas, the computation of the data complexity for standard impossible differential analysis and for attacks based on multiple impossible differentials is unified. Moreover, our formulas reveal some interesting facts which have not been spotted previously. Taking formula (8), for example, in almost all papers [9, 20, 24–28], it is the case that This is very reasonable, since the cryptanalysts cannot propagate upwards too far; otherwise would contain almost all strings in , which is obviously an unpleasant situation. Therefore, in most cases, the data complexity can be computed from the distinguisher directly and has nothing to do with how / propagate upwards/downwards. This formula offers an extremely simple procedure for computing the data complexity of impossible differential attack. Let us show some examples.
Example 11 (multiple impossible differential attack on SIMON32/64 and SIMON96/96). In , Boura et al. used multiple impossible differentials to attack SIMON32/64. There are 8 independent input patterns derived from one original 11-round impossible differential; the details are given in Table 1. It is obvious that Thus the data complexity is approximately to reduce information of the key candidates space from formula (12). Similarly, using 8 16-round impossible differentials, to reduce the target key space by approximately bit, the data complexity is approximately . These data complexities are in accordance with the results proposed in .
Example 12 (multiple impossible differential attack on CLEFIA-128). In , Tsunoo et al. mounted an impossible differential attack on CLEFIA  by using multiple impossible differentials discovered in . There are the following two 9-round impossible differentials in CLEFIA Considering only the case where there is one active byte in and, as presented in Table 2, we will show how to use our formula to determine the data complexity of an impossible differential attack based on these differentials.
From Table 3, we can see that Therefore, to reduce the target key space by approximately bit, the minimal data complexity is approximately , which matches the results presented in [18, 24] perfectly.