Research Article  Open Access
Multiple Impossible Differentials Cryptanalysis on 7-Round ARIA-192
Abstract
This paper studies the security of 7-round ARIA-192 against multiple impossible differentials cryptanalysis. We propose six special 4-round impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. Based on these differentials, we construct six attack trails including the maximum number of common subkey bytes. Under such circumstances, we utilize an efficient sieving process to improve the efficiency of eliminating common subkeys; therefore, both data and time complexities are reduced. Furthermore, we also present an efficient algorithm to recover the master key via the guess-and-determine technique. Taking advantage of the above advances, we have obtained the best result so far for impossible differential cryptanalysis of ARIA-192, with time, data, and memory complexities being 7-round ARIA encryptions, chosen plaintexts, and bytes, respectively.
1. Introduction
The impossible differential attack [1] is a significant method in the cryptanalysis of block ciphers. Researchers first build one or more differentials whose probabilities are zero. Then, based on these differentials, they construct attack trails and obtain the correct subkeys by rejecting all the wrong subkeys. The second phase is called the subkey sieving phase. The subkey sieving phase is highly technical: in 2008, Lu et al. [2] introduced the early abort technique. They guessed a small quantity of subkeys and selected the useful pairs which can produce the expected difference so as to reduce time complexity. At ASIACRYPT 2014, Boura et al. [3] presented the state-test technique to reduce time complexity by decreasing the quantity of subkey bits during an attack. Li et al. [4] presented the new early abort technique, which does not need to check all the remaining pairs, therefore reducing time complexity. As a powerful form of cryptanalysis, the impossible differential attack is extensively used to analyze many block ciphers, such as ARIA [5] and AES [6].
In 2008, multiple impossible differentials cryptanalysis was proposed by Tsunoo et al. [7], and Lu et al. also presented the idea that multiple variants of the attack trail can be applied using the same data set [8]. After that, Boura et al. [3] and Li et al. [4, 9] also used multiple impossible differentials to attack CLEFIA, Camellia, FOX, and so on and got good results. They aimed at recovering more subkey bits and increasing the probability of the remaining pairs, thus reducing data complexity. For example, Li et al. [9] presented multiple impossible differentials attacks on FOX with better results than other cryptanalysis of FOX known so far. They constructed four impossible differentials to recover four parts of subkeys. Note that these four differentials play the same role, and the order of differentials to be used does not affect the result.
ARIA, a 128-bit substitution-permutation network block cipher, was proposed as the Korean standard block cipher algorithm in 2004. After analyzing its security against linear, differential, impossible differential, and square attacks, the designers declared that ARIA has a better resistance against the above cryptanalysis than AES. Wu et al. [10] constructed a 4-round impossible differential and presented a 6-round attack on ARIA. The cryptanalytic result was further enhanced by Li et al. [11] and Shenhua and Chunyan [12], respectively. Then Du and Chen [13] proposed a 7-round impossible differential attack on ARIA-256. Xie and Chen [14] presented a 7-round impossible differential attack on ARIA-192 (however, we find a flaw in the steps of its cryptanalysis). Despite all these contributions, the previous studies neither recover the actual master key of ARIA nor study its security against multiple impossible differentials cryptanalysis.
At EUROCRYPT 2016, Sun et al. proved that if the details of the S-boxes are not considered, the length of the impossible differential of ARIA could not be improved [15], so we would like to improve the sieving process to obtain better results. Different from preceding studies, our multiple impossible differentials cryptanalysis is expected to reduce the retention rate of wrong subkeys in the subkey sieving phase, thus reducing data complexity and time complexity. We also optimize the order of attack trails (i.e., the attack trails with the maximum number of common bytes are prioritized). If we conclude that a current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails; therefore, the efficiency of eliminating common subkeys can be improved. Based on this efficient sieving process, we propose the first multiple impossible differentials attack on 7-round ARIA-192, which improves the impossible differential attack in two dimensions (i.e., data and time complexities). Table 1 is the comparison of cryptanalytic results on ARIA.
 
mk: recover the actual master key; : not given in the related paper. 
The remainder of the paper is organized as follows. Section 2 briefly describes the ARIA cipher and provides the notations adopted in this paper. Section 3 constructs the 4-round multiple impossible differentials. Section 4 presents our impossible differential attacks on 7-round ARIA-192 combined with various techniques. Section 5 concludes this paper.
2. Preliminaries
2.1. Description of ARIA
The block cipher ARIA has a 128-bit block, and the number of rounds is 12/14/16 for keys of 128/192/256 bits, respectively. The plaintext, the ciphertext, and the internal state of ARIA are treated as a matrix, as shown in Figure 1.
Three operations are applied in every round as follows.
(1) Round Key Addition (AK). This operation includes an with the round subkeys which are derived from the master key.
(2) Substitution Layer (SL). This operation, based on four types of 8-bit S-boxes , , , and , has two types of substitution layers and . is for the odd rounds, and is for the even rounds. The specific layers are as follows.
(3) Diffusion Layer (DL). A linear map is given by , where Note that Diffusion Layer is an involution and therefore . In the last round, the is substituted by to generate ciphertexts.
The key schedule algorithm can be divided into two parts, that is, Initialization and Round Key Generation. This section focuses on the description of ARIA-192. For more details, please refer to [5].
(1) Initialization. The master key is 192 bits in size which is loaded to 256 bits , and the remaining 64-bit space on is filled with zero.
Then, four 128-bit values of are generated from as follows: where is the even round function and is the odd round function. Three 128-bit values of are constants.
(2) Round Key Generation. Eight round subkeys are generated as follows :
2.2. Notations
Some notations are given as follows:
: plaintext
: ciphertext
: the difference of
: byte in the th round subkey
: cannot be after round
: the intermediate values of bytes in the th round after the
In this paper, we denote the whitening key as .
3. Four-Round Impossible Differentials of ARIA
We find six 4-round impossible differentials of ARIA with the same input difference. As shown in Figure 2, two bytes of the input difference are nonzero, and the others are zero. Four bytes of the output difference are nonzero and equal, and the others are zero. The other five differentials have the same input difference and different output difference with the maximum number of nonzero common bytes. The positions of nonzero difference are shown in Table 2.

Taking the first differential as an example, we describe its property as follows.
Property 1. There is a 4-round impossible differential of ARIA: where and is nonzero difference.
Proof. First, we analyze the first two rounds of the differential. Two nonzero difference bytes , can be obtained from the input difference through the and operations. Then calculate , where are nonzero difference bytes. is preserved after the and operations, and then is obtained. After operation, we can obtain and .
Second, we analyze the last two rounds of the differential. We can obtain , from the output difference after the operations , , and . The of makes , . Then after the operations , , we obtain , and therefore , which contradicts .
Figure 2 underlines this contradiction, and the other five impossible differentials can also be proven in a similar way.
4. A Multiple Impossible Differentials Attack on 7-Round ARIA-192
As shown in Figure 3, two rounds at the top and one round at the bottom are added to the 4-round differentials. We first propose the multiple impossible differentials attack on 7-round ARIA-192 combined with a series of techniques.
4.1. Properties of Diffusion Layer
In this section, we first analyze the flaw in [14] and then describe the two linear properties used in this paper.
In attacking 6-byte subkey , 6-byte values of are needed. From the definition of the Diffusion Layer, we know that the 6-byte values are functions of 14-byte . However, the attack scenario in [14] did not attack 2-byte whitening keys and cannot obtain 2-byte values of , so the input difference of the differential cannot be obtained and the attack does not work. Section 4 of [14] presented another attack scenario attacking 14-byte , but the time complexity exceeded 7-round ARIA encryptions. To sum up, the attack scenario of ARIA-192 in [14] does not work. This paper corrects this flaw. Moreover, we present the multiple impossible differentials attack on 7-round ARIA-192.
We provide Properties 2 and 3 of the Diffusion Layer. By using Property 2, if the input difference before in the first round satisfies eight difference equations of Property 2, we conclude that 10-byte difference are zero. Similarly, by using Property 3, if the 6-byte difference satisfies and the others are zero, we conclude that 2-byte difference and the others are zero. We describe these two properties as follows.
Property 2. Let and denote the input difference and output difference of the Diffusion Layer in the first round. Then if and only if the following eight equations are satisfied simultaneously.
Property 3. Let and denote the input difference and output difference of the Diffusion Layer in the second round. If the 6-byte difference satisfies and the others are zero, then the 2-byte difference satisfies and the others are zero.
See Appendix for the proof of these two properties.
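The following added example (not code from the paper) shows the linear behaviour that the involution remark in Section 2.1 and the shape of Property 3 rely on. It assumes the diffusion-layer equations as listed in the ARIA specification (RFC 5794), since the matrix is not reproduced on this page; the byte positions it finds are computed here and are not taken from the paper's tables, and the helper names are illustrative.

```python
# ARIA diffusion layer per RFC 5794 (assumption: matrix not shown on this page).
# Output byte i is the XOR of the seven input bytes indexed by ROWS[i].
ROWS = [
    (3, 4, 6, 8, 9, 13, 14), (2, 5, 7, 8, 9, 12, 15),
    (1, 4, 6, 10, 11, 12, 15), (0, 5, 7, 10, 11, 13, 14),
    (0, 2, 5, 8, 11, 14, 15), (1, 3, 4, 9, 10, 14, 15),
    (0, 2, 7, 9, 10, 12, 13), (1, 3, 6, 8, 11, 12, 13),
    (0, 1, 4, 7, 10, 13, 15), (0, 1, 5, 6, 11, 12, 14),
    (2, 3, 5, 6, 8, 13, 15), (2, 3, 4, 7, 9, 12, 14),
    (1, 2, 6, 7, 9, 11, 12), (0, 3, 6, 7, 8, 10, 13),
    (0, 3, 4, 5, 9, 11, 14), (1, 2, 4, 5, 8, 10, 15),
]


def diffusion(state):
    """Apply the diffusion layer to a 16-byte state or difference.

    The layer is XOR-linear, so a difference propagates exactly like a value.
    """
    out = []
    for row in ROWS:
        acc = 0
        for j in row:
            acc ^= state[j]
        out.append(acc)
    return out


def active(diff):
    """Positions of the nonzero bytes of a difference."""
    return tuple(i for i, b in enumerate(diff) if b)


def equal_byte_pattern(positions, value=0xA5):
    """Difference with the same nonzero byte at `positions`, zero elsewhere.

    The value 0xA5 is an arbitrary constructed sample.
    """
    return [value if i in positions else 0 for i in range(16)]


def six_to_two_patterns(value=0xA5):
    """Map each 6-position set with equal difference to its 2-byte image.

    Found by pushing every 2-byte equal difference through the layer and
    keeping the images with six active bytes; the involution then gives the
    6-byte to 2-byte direction described by Property 3.
    """
    found = {}
    for i in range(16):
        for j in range(i + 1, 16):
            image = diffusion(equal_byte_pattern({i, j}, value))
            if len(active(image)) == 6:
                found[active(image)] = (i, j)
    return found


if __name__ == "__main__":
    for six, two in sorted(six_to_two_patterns().items()):
        print("equal difference at", six, "-> active bytes", two)
```

Because the layer is its own inverse, each 6-byte pattern listed maps back to exactly the 2-byte pattern that produced it.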
4.2. An Efficient Sieving Process
In this section, we introduce an efficient sieving process. For simplicity, we abbreviate the notation in Table 3.
 
, are 14-byte whitening keys and 6-byte subkeys in the first round during an attack, respectively; are 4-byte subkeys which need to be guessed in the 7th round when using the th distinguisher. 
The idea of the efficient sieving process is summarized as below. We would like to construct some special attack trails with the maximum number of common bytes. Then the common subkeys can be repeatedly sieved by multiple attack trails. If we conclude that the current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails, therefore reducing the retention rate in sieving subkeys and improving the result.
First, we find some impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. In this paper, only 2-byte extra nonzero output differences are needed, and then five extra differentials can be constructed.
Second, we optimize the order of attack trails to be used (i.e., the attack trails with the maximum number of common bytes are prioritized). In this paper, although each attack trail discards possible values of 24 subkey bytes, the first two attack trails have 23 common subkey bytes, and only 26 subkey bytes need to be sieved in our attack scenario, which includes six attack trails. Then these common subkeys can be sieved multiple times and the wrong subkeys will be rejected as soon as possible, therefore reducing the complexity.
In Section 4.3, we use the efficient sieving process to reduce data complexity and time complexity from steps to in online phase. In Section 4.6, we analyze the complexity when attackers only use one of these attack trails with the same techniques. The comparison of the two complexities indicates that this efficient sieving process is practical.
4.3. The Procedure of 7-Round Attack on ARIA-192
In this section, the procedure will be divided into two phases.
Precomputation Phase. Let denote one of four types of 8-bit S-boxes and and denote the input and output difference of S-boxes. When and are nonzero bytes, the equation has one solution on average.
According to four types of S-boxes , , , and , we construct four tables , respectively. Then store the calculated in indexed by possible values of .
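As an added illustration of the precomputation phase (not code from the paper), the sketch below builds such a difference table for one of the four S-boxes and checks the "one solution on average" claim. It assumes the first ARIA S-box, which is the AES S-box, generated from its algebraic definition; indexing the table by the pair (input difference, output difference) and the function names are assumptions.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse as a^254, with 0 mapped to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """Field inversion followed by the AES affine map."""
    box = []
    for x in range(256):
        v = gf_inv(x)
        box.append(v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3)
                   ^ rotl8(v, 4) ^ 0x63)
    return box


def build_diff_table(sbox):
    """Map (din, dout) to every x with S(x) ^ S(x ^ din) == dout, din != 0.

    An attack step that knows both differences of an S-box looks the
    candidate inputs up here instead of trying all 256 values.
    """
    table = {}
    for din in range(1, 256):
        for x in range(256):
            dout = sbox[x] ^ sbox[x ^ din]
            table.setdefault((din, dout), []).append(x)
    return table


def average_solutions(table):
    """Mean number of solutions over all 255 * 255 nonzero (din, dout)."""
    return sum(len(v) for v in table.values()) / (255 * 255)


SBOX = build_sbox()
TABLE = build_diff_table(SBOX)

if __name__ == "__main__":
    print("non-empty entries:", len(TABLE))
    print("largest entry:", max(len(v) for v in TABLE.values()))
    print("average solutions:", average_solutions(TABLE))
```

The average is 256/255, but the solutions are unevenly spread: about half of the nonzero difference pairs have no solution at all, and the rest have two or four.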
Online Phase. The online phase can be summarized in the following steps. Through the quick sort method [20], steps and select useful plaintext pairs whose ciphertext pairs meet the requirements of the structure. By using Properties 2 and 3, steps select the plaintext pairs which can obtain the input difference of the distinguisher. According to six special impossible differential attack trails, steps reject wrong subkeys through the efficient sieving process. Taking advantage of the master key recovery algorithm, step rejects wrong subkeys and recovers the master key of ARIA-192.
The specific steps are as follows:
(1) Select plaintexts which are fixed in 2 bytes , and take all the values in other 14 bytes. These plaintexts are called a structure. We take structures and obtain plaintext pairs.
(2) By the quick sort method [20], we can choose the pairs whose ciphertext pairs have zero difference in all but the 4 bytes at . Then pairs remain in structures. Store the remaining plaintext pairs at 14 bytes and the corresponding ciphertext pairs at 4 bytes in table , which are indexed by the serial number of plaintext pairs (hereafter referred to as SN).
(3) Guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (16). We store remaining and its SN in table indexed by .
(4) For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (17). We store remaining and its SN in table indexed by .
(5) For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (18). We store remaining and its SN in table indexed by .
(6) For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (19). We store remaining and its SN in table indexed by .
(7) For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (20). We store remaining and its SN in table indexed by .
(8) For current , guess and partially encrypt plaintext pairs in , and then select plaintext pairs whose difference satisfies (21). We store remaining and its SN in table indexed by .
(9) For current , we have known , and then can be obtained from (22). The value of can be obtained by accessing the row in table . Compute , and can be obtained. Store remaining and its SN in table indexed by .
(10) For current , we have known , and then can be obtained from (23). The value of can be obtained by accessing the row in table . Compute , and can be obtained. Store remaining and its SN in table indexed by .
(11) For current , can be obtained by computing . We choose the pairs whose 6-byte difference is all nonzero. Guess and then obtain 6-byte difference . For each of these 6-byte differences, 6-byte values of can be obtained by accessing the row in corresponding table . Compute and obtain . We store SN in table indexed by possible values of .
(12) For current , guess 1-byte nonzero difference and then obtain 4-byte difference . From the cipher pairs, we can obtain . For each of these 4-byte differences, 4-byte values of can be obtained by accessing the row in corresponding table . Compute and obtain . We store candidate subkeys in table indexed by . For each , if all are discarded, we conclude that the current cannot be right, so it is discarded.
(13) For current and the remaining subkeys in table , we use the second attack trail to sieve wrong subkeys and perform the following substeps.
  (13.1) For each plaintext pair in , use the current to select useful pairs whose differences are zero in all but 2 bytes at after 2 rounds of ARIA encryptions (i.e., the input difference of distinguishers). Compute to satisfy (16)–(23) step by step. Then compute and choose the pairs which satisfy Property 3. The quantity of the remaining pairs is .
  (13.2) The procedure of sieving wrong subkeys is similar to step . For each , if all are wrong, the current cannot be right and is thus discarded. Otherwise, access the list with index in table . If is also a candidate subkey in , we store candidate subkeys in table .
(14) For current and the remaining subkeys in table , we use the third attack trail to sieve wrong subkeys.
  (14.1) The procedure of choosing the expected pairs of is similar to step (13.1).
  (14.2) For each in table , if a decrypts a ciphertext pair to the impossible differential, then this corresponding subkey is wrong and is thus discarded. If all the remaining subkeys in table are wrong, the current subkey is wrong, and then return to step and check the next . Otherwise, store the remaining subkeys in table .
(15) For current and the remaining subkeys in table , we use the fourth attack trail to sieve wrong subkeys.
  (15.1) The procedure of choosing the expected pairs of is similar to step (13.1).
  (15.2) For each in table , we need to guess one-byte subkey . The procedure of sieving subkeys is similar to step . If all subkeys in are wrong, then return to step and check the next , or store the remaining subkeys in table .
(16) For current and the remaining subkeys in table , we use the fifth and the sixth attack trails to sieve wrong subkeys.
  (16.1) The procedure of choosing the expected pairs of is similar to step (13.1).
  (16.2) For each in table , the procedure of sieving wrong subkeys is similar to step . If all subkeys in are wrong, return to step and check the next , or store the remaining subkeys in table .
(17) Taking advantage of the master key recovery algorithm, if the candidate subkey passes the check of the algorithm, we conclude that this subkey is right and recover the master key, or return to step and check the next .
4.4. Complexity Analysis
The complexity in Precomputation Phase can be neglected compared with the complexity in online phase. The complexities of steps are shown in Table 4.

In step , the time complexity is 7-round ARIA encryptions, and the memory demands bytes.
Step needs 7-round ARIA encryptions.
The time complexity of step has the same value as step .
Each wrong subkey is rejected by pairs with a probability of . Step just needs to check subkeys in table . Taking advantage of new early abort [9], the probability that a wrong subkey can pass tests of pairs while rejecting tests of pairs is , and the mathematical expectation is . Thus, the time complexity of step is 7-round ARIA encryptions.
Step just needs to check the remaining subkeys of , so the time complexity is 7-round ARIA encryptions.
Step just needs to check the remaining subkeys of , so the time complexity is and 7-round ARIA encryptions, respectively.
The complexity of step is detailed in Section 4.5.
4.5. The Procedure of Recovering the Master Key for ARIA-192
In 2015, Akshima et al. [19] presented the master key recovery attacks on ARIA for the first time. Through the guess-and-determine technique, we present an efficient algorithm to recover the master key. Taking step of the master key recovery algorithm as an example, if we guess values of as proposed in [19], the time complexity is equal to 7-round ARIA encryptions. Based on the guess-and-determine technique, the time complexity can be reduced to 7-round ARIA encryptions in this paper. For better understanding, we first describe the idea of the master key recovery algorithm, and then the specific steps are specified.
(1) Attack possible values for :
(a) By