#### Abstract

This paper studies the security of 7-round ARIA-192 against multiple impossible differentials cryptanalysis. We propose six special 4-round impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. Based on these differentials, we construct six attack trails including the maximum number of common subkey bytes. Under such circumstances, we utilize an efficient sieving process to improve the efficiency of eliminating common subkeys; therefore, both data and time complexities are reduced. Furthermore, we also present an efficient algorithm to recover the master key via guess-and-determine technique. Taking advantage of the above advances, we have obtained the best result so far for impossible differential cryptanalysis of ARIA-192, with time, data, and memory complexities being 7-round ARIA encryptions, chosen plaintexts, and bytes, respectively.

#### 1. Introduction

Impossible differential attack [1] is a significant method in cryptanalysis for block ciphers. Researchers will first build one or more differentials whose probabilities are zero. Then based on these differentials, they will construct attack trails and obtain the correct subkeys by rejecting all the wrong subkeys. The second phase is called the subkey sieving phase. Actually, the subkey sieving phase is highly technical: in 2008, Lu et al. [2] introduced the early abort technique. They guessed a small quantity of subkeys and selected the useful pairs which can produce the expected difference so as to reduce time complexity. At ASIACRYPT 2014, Boura et al. [3] presented the state-test technique to reduce time complexity by decreasing the quantity of subkey bits during an attack. Li et al. [4] presented the new early abort technique which does not need to check all the remaining pairs, therefore reducing time complexity. As a powerful form of cryptanalysis, impossible differential attack is extensively used to analyze many block ciphers, such as ARIA [5] and AES [6].

In 2008, multiple impossible differentials cryptanalysis was proposed by Tsunoo et al. [7], and Lu et al. also presented the idea that multiple variants of the attack trail can be applied using the same data set [8]. After that, Boura et al. [3] and Li et al. [4, 9] also used multiple impossible differentials to attack CLEFIA, Camellia, FOX, and so on and got good results. They aimed at recovering more subkey bits and increasing the probability of the remaining pairs, thus reducing data complexity. For example, Li et al. [9] presented multiple impossible differentials attacks on FOX with better results than other cryptanalysis of FOX known so far. They constructed four impossible differentials to recover four parts of subkeys. Note that these four differentials play the same role, and the order of differentials to be used does not affect the result.

ARIA, a 128-bit substitution-permutation network block cipher, was proposed as Korean standard block cipher algorithm in 2004. After analyzing its security against liner, differential, impossible differential, and square attacks, the designers declared that ARIA has a better resistance against the above cryptanalysis than AES. Wu et al. [10] constructed a 4-round impossible differential and presented a 6-round attack on ARIA. The cryptanalytic result was further enhanced by Li et al. [11] and Shenhua and Chunyan [12], respectively. Then Du and Chen [13] proposed a 7-round impossible differential attack on ARIA-256. Xie and Chen [14] presented a 7-round impossible differential attack on ARIA-192 (however, we find a flaw in the steps of its cryptanalysis). Despite all these contributions, the previous studies neither recover the actual master key of ARIA nor have a research on the security against multiple impossible differentials cryptanalysis.

At EUROCRYPT 2016, Sun et al. proved that if the details of the -boxes are not considered, the length of the impossible differential of ARIA could not be improved [15], so we would like to improve the sieving process to obtain better results. Different from preceding studies, our multiple impossible differentials cryptanalysis is expected to reduce the retention rate of wrong subkeys in subkey sieving phase, thus reducing data complexity and time complexity. We also optimize the order of attack trails (i.e., the attack trails with the maximum number of common bytes are priority). If we conclude that a current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails; therefore, the efficiency of eliminating common subkeys can be improved. Based on this efficient sieving process, we propose the first multiple impossible differentials attack on 7-round ARIA-192, which improves impossible differential attack in two dimensions (i.e., data and time complexities). Table 1 is the comparison of cryptanalytic results on ARIA.

The remainder of the paper is organized as follows. Section 2 briefly describes the ARIA cipher and provides the notations adopted in this paper. Section 3 constructs the 4-round multiple impossible differentials. Section 4 presents our impossible differential attacks on 7-round ARIA-192 combined with various techniques. Section 5 concludes this paper.

#### 2. Preliminaries

##### 2.1. Description of ARIA

The block cipher ARIA is a 128-bit model and the numbers of the round are 12/14/16 corresponding to the keys of 128/192/256 bits, respectively. The plaintext, the ciphertext, and the internal state of ARIA are treated as a matrix, as shown in Figure 1.

Three operations are applied in every round as follows.

*(1) Round Key Addition (AK).* This operation includes an with the round subkeys which are derived from the master key.

*(2) Substitution Layer (SL)*. This operation, based on four types of 8-bit -boxes , , , and , has two types of substitution layers and . is for the odd rounds, and is for the even rounds. The specific layers are as follows.

*(3) Diffusion Layer (DL)*. A linear map is given by , where Note that Diffusion Layer is an involution and therefore . In the last round, the is substituted by to generate ciphertexts.

The key schedule algorithm can be divided into two parts, that is, Initialization and Round Key Generation. This section focuses on the description of ARIA-192. For more details, please refer to [5].

*(1) Initialization*. The master key is 192 bits in size which is loaded to 256 bits , and the remaining 64-bit space on is filled with zero.

Then, four 128-bit values of are generated from as follows:where is the even round function and is the odd round function. Three 128-bit values of are constants.

*(2) Round Key Generation*. Eight round subkeys are generated as follows :

##### 2.2. Notations

Some notations are given as follows: : plaintext : ciphertext : the difference of : byte in the -th round subkey : cannot be after -round : the intermediate values of bytes in the -th round after the

In this paper, we denote the whitening key as .

#### 3. Four-Round Impossible Differentials of ARIA

We find six 4-round impossible differentials of ARIA with the same input difference. As shown in Figure 2, two bytes of the input difference are nonzero, and the others are zero. Four bytes of the output difference are nonzero and equal, and the others are zero. The other five differentials have the same input difference and different output difference with the maximum number of nonzero common bytes. The positions of nonzero difference are shown in Table 2.

Taking the first differential as an example, we describe its property as follows.

*Property 1. *There is a 4-round impossible differential of ARIA:where and is nonzero difference.

*Proof. *First, we analyze the first two rounds of the differential. Two nonzero difference bytes , can be obtained from the input difference through the and operations. Then calculate , where are nonzero difference bytes. is preserved after the and operations, and then is obtained. After operation, we can obtain and .

Second, we analyze the last two rounds of the differential. We can obtain , from the output difference after the operations , , and . The of makes , . Then after the operations , , we obtain , and therefore , which contradicts .

Figure 2 underlines this contradiction, and the other five impossible differentials can also be proven in a similar way.

#### 4. A Multiple Impossible Differentials Attack on 7-Round ARIA-192

As shown in Figure 3, two rounds at the top and one round at the bottom are added to the 4-round differentials. We first propose the multiple impossible differentials attack on 7-round ARIA-192 combined with a series of techniques.

##### 4.1. Properties of Diffusion Layer

In this section, we first analyze the flaw in [14] and then describe the two linear properties used in this paper.

In attacking 6-byte subkey , 6-byte values of are needed. From the definition of the Diffusion Layer, we know that the 6-byte values are functions of 14-byte . However, the attack scenario in [14] did not attack 2-byte whitening keys and cannot obtain 2-byte values of , so the input difference of the differential cannot be obtained and the attack does not work. Section 4 of [14] presented another attack scenario attacking 14-byte , but the time complexity exceeded 7-round ARIA encryptions. To sum up, the attack scenario of ARIA-192 in [14] does not work. This paper corrects this flaw. Moreover, we present the multiple impossible differentials attack on 7-round ARIA-192.

We provide Properties 2 and 3 of Diffusion Layer. By using Property 2, if the input difference before in the first round satisfies eight difference equations of Property 2, we conclude that 10-byte difference are zero. Similarly, by using Property 3, if the 6-byte difference satisfies and the others are zero, we conclude that 2-byte difference and the others are zero. We describe these two properties as follows.

*Property 2. *Let and denote the input difference and output difference of the Diffusion Layer in the first round. Then if and only if the following eight equations are satisfied simultaneously.

*Property 3. *Let and denote the input difference and output difference of the Diffusion Layer in the second round. Six-byte difference satisfies and the others are zero; we can reach that 2-byte difference satisfies and the others are zero.

See Appendix for the proof of these two properties.

##### 4.2. An Efficient Sieving Process

In this section, we introduce an efficient sieving process. For simplicity, we abbreviate the notation in Table 3.

The idea of the efficient sieving process is summarized as below. We would like to construct some special attack trails with the maximum number of common bytes. Then the common subkeys can be repeatedly sieved by multiple attack trails. If we conclude that the current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails, therefore reducing the retention rate in sieving subkeys and improving the result.

First, we find some impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. In this paper, only 2-byte extra nonzero output differences are needed, and then five extra differentials can be constructed.

Second, we optimize the order of attack trails to be used (i.e., the attack trails with the maximum number of common bytes are priority). In this paper, although each attack trail discards possible values of 24 subkey bytes, the first two attack trails have 23 common subkey bytes, and only 26 subkey bytes need to be sieved in our attack scenario, which concludes six attack trails. Then these common subkeys can be sieved multiple times and the wrong subkeys will be rejected as soon as possible, therefore reducing the complexity.

In Section 4.3, we use the efficient sieving process to reduce data complexity and time complexity from steps to in online phase. In Section 4.6, we analyze the complexity when attackers only use one of these attack trails with the same techniques. The comparison of the two complexities indicates that this efficient sieving process is practical.

##### 4.3. The Procedure of 7-Round Attack on ARIA-192

In this section, the procedure will be divided into two phases.

*Precomputation Phase*. Let denote one of four types of 8-bit -boxes and and denote the input and output difference of -boxes. When and are nonzero bytes, the equation has one solution on average.

According to four types of -boxes , , , and , we construct four tables , respectively. Then store the calculated in indexed by possible values of .

*Online Phase*. The online phase can be summarized in the following steps. Through the quick sort method [20], steps and select useful plaintext pairs whose ciphertext pairs meet the requirements of the structure. By using Properties 2 and 3, steps select the plaintext pairs which can obtain the input difference of the distinguisher. According to six special impossible differential attack trails, steps reject wrong subkeys through the efficient sieving process. Taking advantage of master key recovery algorithm, step rejects wrong subkeys and recovers the master key of ARIA-192.

The specific steps are as follows:(1)Select plaintexts which are fixed in 2 bytes , and take all the values in other 14 bytes. These plaintexts are called a structure. We take structures and obtain plaintext pairs.(2)By the quick sort method [20], we can choose the pairs whose ciphertext pairs have zero difference in all but the 4 bytes at . Then pairs remain in structures. Store the remaining plaintext pairs at 14 bytes and the corresponding ciphertext pairs at 4 bytes in table , which are indexed by the serial number of plaintext pairs (hereafter referred to as SN).(3)Guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (16). We store remaining and its SN in table indexed by .(4)For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies the equation (17). We store remaining and its SN in table indexed by .(5)For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies the equation (18). We store remaining and its SN in table indexed by .(6)For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (19). We store remaining and its SN in table indexed by .(7)For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (20). We store remaining and its SN in table indexed by .(8)For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (21). We store remaining and its SN in table indexed by .(9)For current , we have known , and then can be obtained from (22). The value of can be obtained by accessing the row in table . Compute , and can be obtained. Store remaining and its SN in table indexed by .(10)For current , we have known , and then can be obtained from (23). The value of can be obtained by accessing the row in table . Compute , and can be obtained. Store remaining and its SN in table indexed by .(11)For current , can be obtained by computing . We choose the pairs whose 6-byte difference is all nonzero. Guess and then obtain 6-byte difference . For each of these 6-byte differences, 6-byte values of can be obtained by accessing the row in corresponding table . Compute and obtain . We store SN in table indexed by possible values of .(12)For current , guess 1-byte nonzero difference and then obtain 4-byte difference . From the cipher pairs, we can obtain . For each of these 4-byte differences, 4-byte values of can be obtained by accessing the row in corresponding table . Compute and obtain . We store candidate subkeys in table indexed by . For each , if all are discarded, we conclude that the current cannot be right, so it is discarded.(13)For current and the remaining subkeys in table , we use the second attack trail to sieve wrong subkeys and perform the following substeps.(13.1)For each plaintext pairs in , use the current to select useful pairs whose differences are zero in all but 2 bytes at after 2 rounds of ARIA encryptions (i.e., the input difference of distinguishers). Compute to satisfy (16)–(23) step by step. Then compute and choose the pairs which satisfy Property 3. The quantity of the remaining pairs is .(13.2)The procedure of sieving wrong subkeys is similar to step . For each , if all are wrong, the current cannot be right and is thus discarded. Otherwise, access the list with index in table . If is also a candidate subkey in , we store candidate subkeys in table .(14)For current and the remaining subkeys in table , we use the third attack trail to sieve wrong subkeys.(14.1)The procedure of choosing the expected pairs of is similar to step (13.1).(14.2)For each in table , if a decrypts a ciphertext pairs to the impossible differential, then this corresponding subkey is wrong and is thus discarded. If all the remaining subkeys in table are wrong, the current subkey is wrong, and then return to step and check the next . Otherwise, store the remaining subkeys in table .(15)For current and the remaining subkeys in table , we use the fourth attack trail to sieve wrong subkeys.(15.1)The procedure of choosing expect pairs of is similar to step (13.1).(15.2)For each in table , we need to guess one-byte subkey . The procedure of sieving subkeys is similar to step . If all subkeys in are wrong, then return to step and check the next , or store the remaining subkeys in table .(16)For current and the remaining subkeys in table , we use the fifth and the sixth attack trails to sieve wrong subkeys.(16.1)The procedure of choosing the expected pairs of is similar to step (13.1).(16.2)For each in table , the procedure of sieving wrong subkeys is similar to step . If all subkeys in are wrong, return to step and check the next , or store the remaining subkeys in table .(17)Taking advantage of master key recovery algorithm, if the candidate subkey passes the check of the algorithm, we conclude that this subkey is right and recover the master key, or return to step and check the next .

##### 4.4. Complexity Analysis

The complexity in Precomputation Phase can be neglected compared with the complexity in online phase. The complexities of steps are shown in Table 4.

In step , the time complexity is 7-round ARIA encryptions, and the memory demands bytes.

Step needs 7-round ARIA encryptions.

The time complexity of step has the same value as step .

Each wrong subkey is rejected by pairs with a probability of . Step just needs to cheek subkeys in table . Taking advantage of new early abort [9], the probability that a wrong subkey can pass tests of pairs while rejecting tests of pairs is , and the mathematical expectation is . Thus, the time complexity of step is 7-round ARIA encryptions.

Step just needs to check the remaining subkeys of , so the time complexity is 7-round ARIA encryptions.

Step just needs to check the remaining subkeys of , so the time complexity is and 7-round ARIA encryptions, respectively.

The complexity of step is detailed in Section 4.5

##### 4.5. The Procedure of Recovering the Master Key for ARIA-192

In 2015, Akshima et al. [19] presented the master key recovery attacks on ARIA for the first time. Through the guess-and-determine technique, we present an efficient algorithm to recover the master key. Taking step of the master key recovery algorithm as an example, if we guess values of as proposed in [19], the time complexity is equal to 7-round ARIA encryptions. Based on guess-and-determine technique, the time complexity can be reduced to 7-round ARIA encryptions in this paper. For better understanding, we first describe the idea of master key recovery algorithm, and then the specific steps are specified.(1)Attack possible values for :(a)By and (7), we can obtain 112 bits whose 61 bits belong to the first eight bytes and other 51 bits belong to the last eight bytes.(b)From the key schedule algorithm, we obtain . According to (4), can be obtained by calculating .(c)Take advantage of the common 51 bits of to reject some wrong guesses of . We obtain remaining and 125 bits of . Note that now we cannot obtain 61-th, 62-th, and 63-th bit of and denote 125 bits of as .(2)Attack the 61-th, 62-th, and 63-th bits of :(a)By (8) and , we obtain 48 bits of .(b)By (5) and , we obtain .(c)Take advantage of the common 48 bits of to obtain remaining .(3)For each ,(a)by (6) and , we obtain ;(b)by (14) and , obtain 48 bits of ,(c)taking advantage of the common 48 bits of , we can reject some wrong guesses. We obtain the remaining , and thus can recover the first seven subkeys by calculating (7)–(14). Randomly select plaintexts. If these corresponding ciphertexts can be obtained after 7-round ARIA encryptions, we judge that this subkey is right and recover the master key, or reject this candidate subkey and check the next.

The details of step are as follows.(1.1)Guess 7-byte , and can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is .(1.2)Guess 2-byte , , and can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is .(1.3)Guess 1-byte , and can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is .(1.4)Guess 2-byte , , and can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is .(1.5)Guess 2-byte , , and can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is (note that ).(1.6)Guess 1-byte , and 5-bit of can be obtained by calculating (4) and (7). So the retention rate is and the quantity of , is .(1.7)Guess 1-byte . By , , we can obtain . Six-bit can be obtained by calculating (4) and (7). So the retention rate is and the quantity of is .

To sum up, the time complexity of steps is , and , respectively. So the time complexity of step is 7-round ARIA encryptions.

The details of step are as follows.(2.1)We first sieve the remaining . According to and (8), we can obtain . Then can be obtained by calculating (5). So the retention rate is and the quantity of is .(2.2)Guess 61-th, 62-th, and 63-th bits of and we can obtain . Then other 32-bit common can be obtained, so the retention rate is and the quantity of is .

To sum up, the time complexity of step is 7-round ARIA encryptions.

The time complexity of step is 1-round ARIA encryptions. Consequently, for a subkey , our algorithm needs 7-round ARIA encryptions to recover the master key.

##### 4.6. The Summary of Complexity

By the analysis in Sections 4.4 and 4.5, we take and obtain .

In step of Section 4.4, the number of the remaining subkeys is , and this step demands 7-round ARIA encryptions.

Consequently, our cryptanalysis demands chosen plaintexts. The memory complexity is dominated by step , which is bytes. The time complexity is dominated by steps and , which is 7-round ARIA encryptions.

By attacking as many common subkey bytes as possible when using different attack trails, the efficient sieving process can improve the efficiency of sieving wrong subkey, so it helps to reduce the retention rate of wrong subkeys to . Furthermore, based on one of these attack trails, we analyze the complexity with the same attack scenario, which need to take , and the time, data, and memory complexities are , , and , respectively. The comparison of the two complexities is shown in Table 5.

It is known from the comparison that the efficient sieving process can increase the efficiency of sieving subkeys, so the results are improved to an extent.

#### 5. Conclusion

In this paper, we utilize an efficient sieving process, which can be applied to multiple impossible differentials attack. The efficient sieving process can reduce the retention rate of wrong subkeys; thus, both data complexity and time complexity can be reduced. Taking advantage of a series of techniques, we present multiple impossible differentials cryptanalysis on 7-round ARIA-192 and recover the master key, with the best result so far for impossible differential cryptanalysis of ARIA-192.

#### Appendix

*Proof of Property 2. *By the definition of and , we know that and then by eight equations (16)–(23), we know that To prove the property in the opposite direction, by the definition of and , we know that by the above equation, we can obtain eight equations (16)–(23).

To sum up, the necessary and sufficient condition of is that the eight equations (16)–(23) are satisfied simultaneously.

*Proof of Property 3. *Based on the condition that 6-byte difference satisfies and the others are zero, we know from the definition of that so we can reach that 2-byte difference and the others are zero.

To prove the property in the opposite direction, based on the condition that and the others are zero, we know from the definition of that so we can reach that 6-byte difference and the others are zero.

To sum up, the necessary and sufficient condition that 6-byte difference satisfies equation and the others are zero is that 2-byte difference satisfied equation and the others are zero.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

The authors would like to thank Ting Cui, Lin Ding, and XinRan Li for their useful help. The work in this paper is supported by the Natural Science Foundation of China (Grants nos. 61772547, 61402523, and 61272488).