Abstract
To yield a highly efficient authentication encryption design for very short messages, the tweakable forkcipher is proposed, which is a tweakable block cipher that uses forking construction to produce two output blocks. The designers also presented ForkAES, a forkcipher that is based on the round function of AES and the tweakable variant of KIASU. Therefore, the security of ForkAES is found on the block ciphers AES and KIASU. However, from the perspective of new forking construction, attackers may obtain some unique properties. Impossible differential attacks are widely used on block ciphers. This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on the property of the forking construction, two types of impossible differential distinguishers have been constructed. We first use the tweak with different truncated differences to build more attack trails. Then, we first propose the multiple impossible differential attack for ForkAES 54. Thus, only a single round would remain as a security margin. Utilizing multiple attack trails, our attack scenario obtains more subkey bytes and enhances the subkey’s sieving efficiency without increasing complexity. Furthermore, we carefully consider the process of recovering the master key, which can efficiently reject wrong candidate keys. In reconstruction queries, our attack reaches the longest number of rounds for ForkAES in impossible differential analysis, with lookups, chosen ciphertexts, and memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round (i.e., ForkAES 54), with lookups, plaintexts, and memory blocks to store AES states.
1. Introduction
Many authenticated encryption (AE) schemes need to perform the initialization or finalization phase to optimize the cost of handling long messages. However, in these general schemes, initialization or finalization raises the cost of handling short messages. For example, the TLS needs to produce a message authentication code (MAC) in the initialization phase. An efficient AE scheme for very short messages is an actively discussed topic. To yield a highly efficient AE design for very short messages, Andreeva et al. [1] proposed a tweakable forkcipher [1], which utilizes the forking construction to produce two output blocks from the same input. Compared with the TLS, the expanded ciphertexts of the forkcipher can also serve as the MAC, so there is no need to perform initialization to produce the MAC. Furthermore, the forking construction shares some computations, so the forkcipher is a highly efficient AE design for very short messages. Andreeva et al. [1] also proposed a forkcipher named ForkAES. Balli and Banik [2] analysed the hardware performance of ForkAES. They achieve a hardware implementation of ForkAES without any additional storage cost if the AES circuit can also perform decryption, thereby further optimizing the storage cost.
ForkAES is based on the round function AES [3] and the tweakable variant KIASU [4]. Andreeva et al. [1] briefly considered differential attacks, relatedtweakey attacks, and meetinthemiddle attacks. For other attacks, these authors stated that “the security of our forkcipher design can be reduced to the security of the AES and KIASU ciphers for further types of attacks.” However, from the perspective of the new forking construction, attackers may obtain some unique properties. Reconstruction queries mean that attackers can choose one block ciphertext and obtain the other block ciphertext by reconstruction querying. Encryption queries mean that attackers obtain the two block ciphertexts by encryption querying the plaintext. Banik et al. [5] introduced reflection differential trails and proposed some attacks of ForkAES 44 ( is any nonnegative integer). Bariant et al. [6] first presented truncated differential attacks on ForkAES 55 (full ten rounds) in reconstruction queries, but the security of ForkAES in encryption queries needs to be further studied.
Impossible differential attack [7, 8] is a very powerful and important method of attacking block ciphers. For a long time, impossible differential attacks were among the most successful attacks for AES [9], KIASU [10] and Deoxys [11]. Tsunoo et al. [12] proposed the idea of multiple impossible differentials. Li et al. [13, 14] proposed the subkey early abort, and Boura et al. [15, 16] presented the statetest technique; using these techniques, these authors presented their successful attacks against classical block ciphers, such as Fox and AES.
This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on the property of the forking construction, two types of impossible differential distinguishers have been constructed. We first use the tweak with different truncated differences to construct more attack trails. Then, we propose the multiple impossible differential attack for ForkAES 54. Utilizing multiple attack trails, our attack scenario obtains more subkey bytes and enhances the sieving efficiency of subkeys without increasing complexity. Furthermore, one of the impossible differential attacks needs to guess only five subkey bytes in paper [5], and the authors did not analyse the process of recovering the master key. Because the subkey bytes may not suffice, the cost of recovering the master key may be more than that of attacking subkey bytes. Compared with paper [5], we carefully consider the process of recovering the master key, which can reject wrong candidate keys efficiently. Compared with paper [6], we consider the attack scenario in encryption queries, which increases the understanding of ForkAES. To the best of our knowledge, we improve the previous attacks on ForkAES by attacking one more round in encryption queries. Table 1 summarizes some attacks of ForkAES.
This paper is organized as follows: in Section 2, we describe the ForkAES structure and some basic concepts. In Section 3, we construct six impossible differential distinguishers of ForkAES. In Section 4, we propose multiple impossible differential attacks on ForkAES 54 and analyse our attack. Finally, Section 5 concludes this paper.
2. Preliminaries
2.1. Notations
We will introduce some basic notations used throughout this paper: : PlaintextCiphertextTweak; : the intermediate state of the bytes after SB/SR/MC/AK/AT in the ith round; : the difference between and ; : the bytes of subkey ; : the byte of tweak ; : the difference cannot obtain the difference through round encryptions.
2.2. Brief Description of Impossible Differential Attack
To mount an impossible differential attack, the block cipher is divided into three parts: (as shown in Figure 1). First, an impossible differential distinguisher through is constructed. Then, for the extra added rounds and , the differential through and through occur with probability 1. The combination of the differential and is called an attack trail.
2.3. Brief Description of ForkAES
ForkAES means that the internal state is obtained after rounds from plaintext; then, and denote the number of rounds from internal state to ciphertext and from internal state to ciphertext , respectively. As shown in Figure 2, the original ForkAES is ForkAES555. ForkAES encrypts the plaintext over the first five rounds to produce the internal state, and then the internal state is forked to produce two ciphertexts and . We denote the internal state as . The input state of the first branch is , and the output of the first branch is . Similarly, the input state of the second branch is , and the output of the first branch is .
The block size of ForkAES is 128 bits. As shown in Figure 3, the round function of ForkAES is similar to that of KIASU, which applies five operations as follows:(1)SubBytes This operation applies an 8bit invertible Sbox of AES on 16 bytes of the state.(2)ShiftRows The cyclic shift of each row is the same as AES.(3)MixColumns The multiplication of each column by the 4 × 4cell MDS matrix of AES.(4)AddRoundTweakey This operation XORs with the round subkeys derived from the master key.(5)AddRoundTweakey This operation XORs with a tweak.
In this paper, represents the whitening key. , , , , and represent the inverse operations of , , , , and , respectively. For more details on ForkAES, we can refer to the paper [1].
3. The Impossible Differential Distinguishers of ForkAES
The longest impossible differential keyindependent distinguisher of AES is four rounds [17]. Utilizing the property of forking construction, we construct six 5round impossible differential distinguishers of ForkAES.
The input difference of distinguisher : in the round function after the subkey , the difference is after the SR operation.
The output difference of distinguisher : in the round function after the subkey , the difference is after the MC operation.
The input difference (in the first branch) is mapped to the internal state difference and then obtains the output difference (in the second branch). The specific impossible differentials of six 5round distinguishers are shown in Table 2. We construct two types of distinguishers by utilizing the tweak with a distinct truncated difference. The first type of distinguisher uses tweak pairs with only a 1byte nonzero difference at position (0), and the second type of distinguisher uses tweak pairs with only a 1byte nonzero difference at position (4). Figure 4 shows the sample of the first distinguisher. As shown in Figure 4, the impossible differential has been constructed in the first branch, and the output difference propagates to the internal state difference with probability 1, so the 5round impossible differential distinguisher of ForkAES has been constructed.
Theorem 1. As shown in Figure 4, there is a 5round truncated impossible differential distinguisher of ForkAES:where is the nonzero difference. The input difference is , and the output difference is . This distinguisher uses the tweak pairs with only a 1byte nonzero difference at position (0).
Proof. In the second branch, the output difference is . Through the , , and operations, the internal state difference can be obtained with probability 1.
In the first branch, the difference of 4 bytes can be any value, and the difference of the other 12 bytes of must be zero. Then, through the , , and operations, each column of difference is either fully inactive or fully active (Property 1).
From the difference , through the and operations, the rightmost column of is fully inactive, and the other three columns are fully active. Then, through the operation, the difference of the byte at position (0) can be any value. Through the operation, the rightmost column of is fully inactive, and the other three columns have at least one active byte. Through the , , and operations, the difference exists in one column with at least one inactive byte and at least one active byte, thus contradicting Property 1.
The other five impossible differential distinguishers of ForkAES could be proven similarly.
4. Multiple Impossible Differential Attacks on ForkAES 54
Based on the two types of distinguishers in Section 3, we construct two attack trails with the same truncated difference of ciphertext pairs. We first propose the multiple impossible differential attack on ForkAES 54. In consideration of the clear expression, we have . Our attack scenario can be applied to chosen ciphertext (reconstruction queries) and known plaintext (encryption queries).
As shown in Figure 5, we append two rounds in the first branch and four rounds in the second branch. We swap the order of the , , and operations of the third and fourth rounds in the second branch, and denotes the equivalent subkey. For the first attack trail, thirteen subkey bytes need to be guessed. For the second attack trail, thirteen subkey bytes need to be guessed. These two attack trails have common subkey bytes , which can be repeatedly sieved to improve the result.
4.1. The Attack with Reconstruction Queries
The attack procedure includes the datacollection phase, precomputation phase, and keyrecovery phase. In this section, we use the sieve method based on rapid sorting [18] to choose ciphertext pairs.
4.1.1. DataCollection Phase
We choose the ciphertext and then obtain the ciphertext by reconstruction queries.
For the first attack trail, select tweaks that take all possible values in and fix the other 7 bytes to constant values. Select ciphertexts that take all possible values in the 8 bytes at and fix the other 8 bytes to constant values. We take as a structure. By reconstruction querying, through the , , and operations, texts can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and the other 12byte difference value is zero, and then store the ordered texts in Table .
For the second attack trail, select tweaks that take all possible values in and fix the other 7 bytes to constant values. Select the same ciphertexts in the first trail. These ciphertexts take all possible values in the 8 bytes at ), and fix the other 8 bytes to constant values. We take as a structure. By reconstruction querying, through the , , and operations, texts can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and the other 12byte difference value is zero, and then store the ordered texts in Table .
4.1.2. Precomputation Phase
Table : let S, , and denote the Sbox of ForkAES, the input difference and the output difference of the Sbox, respectively. The equation has one solution on average when the values of the differences and are nonzero. We construct Table to store the calculated value of , indexed by all values of . Table : for the first branch of the first attack trail, there are input difference values of three distinguishers. Through the operation, input difference values satisfy the demand for the truncated difference . We construct Table to store difference values of . Table : for the first branch of the second attack trail, there are input difference values of three distinguishers. Through the operation, input difference values satisfy the demand for the truncated difference . We construct Table to store difference values of . Table : for the second branch of the first attack trail, there are difference values by guessing all possible values of . Through the operation, there are difference values of . We construct Table to store these difference values of . Table : for the second branch of the second attack trail, there are difference values by guessing all possible values of . Through the operation, there are difference values of . We construct Table to store these difference values of .
4.1.3. Online Phase
In Steps 1 and 2, combining a series of techniques, use the first attack trail to reject some wrong subkeys. In Steps 3 and 4, use the second attack trail to reject some wrong subkeys for the remaining subkeys, thereby enhancing the efficiency of sieving subkeys. In Step 5, by comprehensively utilizing the subkeys information, use the master key recovering technique to reject wrong candidate keys until the right master key is obtained. We take structures, and the specific procedure is as follows:(1)Use the first attack trail to calculate subkey . Access Table to obtain pairs . Through the , , , and operations, the output difference can be obtained. Then, access Table to obtain the input difference . Access Table to obtain subkeys . Store the corresponding pairs in Table indexed by subkey , so pairs remain on average.(2)For the current subkey , calculate subkey . Access Table to obtain input difference . Access Table to obtain output difference. Construct Table , which has addresses indexed by 5byte subkeys . For each address, set the initial value to 0. Then, set the counter that corresponds to with an initial value of 0. For each pair in Table , wrong subkeys can be discarded by accessing Table . If the value at the corresponding address of discarded subkey is 0 in Table , update the value to 1 and increase the value of by 1. If , evaluate the current subkey as wrong, and discard it. Check all pairs in Table ; then, if still , the value at the addresses of subkeys is 0, and the corresponding subkeys are candidates; store these candidates in Table .(3)Use the second attack trail to calculate the remaining subkey . Access Table to obtain pairs . Through the , , , and operations, the output difference can be obtained. Then, Table is accessed to obtain the input difference . Access Table to obtain subkeys . Store the corresponding pairs in Table , and index the pairs by subkey , so pairs remain on average.(4)For the current subkey , calculate subkey . Access Table to obtain input difference . Access Table to obtain the output difference. Construct Table , which has addresses indexed by 5byte subkeys . For each address, set the initial value to 0. Then, set the counter that corresponds to with an initial value of 0. For each pair in Table , wrong subkeys can be discarded by accessing Table . If the value at the corresponding address of discarded subkey is 0 in Table , update the value to 1 and increase the value of by 1. If , evaluate the current subkey as wrong and discard it. Check all pairs in Table . If still , the value at addresses of subkeys is 0, and the corresponding subkeys are candidates; store these candidates in Table .(5)For , use the master key recovering technique to efficiently obtain the right master key. For each candidate, guess all subkeys . Through the and operations, the subkey can be obtained. Calculate with the help of the key schedule, and if the calculated value of differs from the value of the current subkey, evaluate the current candidate as wrong and discard it. Then, calculate with the help of the key schedule, and if the calculated value of differs from the value of the current subkey, evaluate the current candidate as wrong and discard it. Attackers check the remaining candidates by brute force until the right master key is obtained.
Then, we analyse the complexity of the attack with reconstruction queries.
The datacollection phase requires comparisons and bytes of memory. The complexity of precomputation phase can be ignored compared with the data collecting phase.
The complexities of the online phase are as follows:(1)Step 1 requires memory accesses (MAs) and bytes of memory.(2)In Step 2, a wrong subkey can pass the test of one pair with probability , and all wrong subkeys cannot pass the test of pairs with probability . Therefore, the probability that all subkeys can pass the test of pairs but cannot pass the test of pairs is . Then, the mathematical expectation of d is Thus, Step 2 requires MAs. Wrong subkeys can pass the test of pairs with the probability Thus, subkeys remain, and bytes of memory are required to store subkeys .(3)Similar to Step 1, Step 3 requires MAs and bytes of memory.(4)In Step 4, some wrong subkeys have been discarded. As in Step 2, MAs are needed. Then, subkeys remain, so bytes of memory are needed.(5)In Step 5, for each candidate , guessing all subkeys to calculate subkey requires MAs. After sieving subkeys, candidates remain. Calculating requires MAs. Then, candidates remain. Then, the procedure by brute force requires encryptions.
For the attack procedure with reconstruction queries, take , and then can be obtained. The time complexity and the memory complexity are dominated by Step 2 and Steps 1 and 3, respectively. Overall, this attack scenario requires chosen ciphertexts, lookups, encryptions and AES states.
According to the above analysis, the advantages of our attack scenario are as follows:(1)The second attack trail is only applied for sieving the remaining subkeys. Because the subkeys are fewer, the time complexity of the attack scenario is not increased. Additionally, the second attack has high sieving efficiency. When , the probability that a wrong subkey can pass the test is ; that is, the second attack trail can discard more wrong subkeys without increasing the time complexity.(2)Our attack scenario calculates five more subkey bytes without increasing the time complexity. In Step 5, the efficiency of sieving candidates can be improved because attackers obtain more subkey bytes to discard wrong candidates efficiently. Thus, our attack scenario can obtain a better result.
4.2. The Attack with Encryption Queries
The procedure of an attack with encryption queries is similar to the procedure of an attack with reconstruction queries. We omit the precomputation and online phases for the sake of brevity. This section elaborates mainly on the datacollection phase.
The idea of the datacollection phase is as follows: attackers obtain known plaintexts and guess a 1byte tweak, and corresponding ciphertexts can be obtained by encryption queries. Then, the attackers select the pairs that meet the requirements of the attack trails. Thus, the attack scenario with encryption queries can be obtained.
Datacollection phase: from known plaintexts, the ciphertext can be obtained by encryption queries.
For the first attack trail, attackers obtain known plaintexts, select tweaks that take all possible values in , and fix the other 7 bytes to constant values. Then, corresponding ciphertexts can be obtained by encryption queries. For , through the , , and operations, can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and , and the difference value of the other 20 bytes is zero; then, store the ordered texts in Table .
For the second attack trail, attackers use the same known plaintexts, select tweaks that take all possible values in , and fix the other 7 bytes to constant values. Then, corresponding ciphertexts can be obtained by encryption queries. For , through the , , and operations, can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and and the other 20 bytes difference value is zero; then, store the ordered texts in Table .
Then, we analyse the complexity of the above attack with encryption queries.
The datacollection phase requires comparisons, bytes of memory and known plaintexts.
For the attack with encryption queries, take , and pairs meet the requirements of attack trails. For the attack with encryption queries, pairs meet the requirements of attack trails, so . Thus, the time complexity is dominated by the datacollection phase, and the memory complexity is dominated by Steps 1 and 3. Overall, this attack scenario requires plaintexts, lookups, encryptions and AES states.
5. Conclusion
In this paper, we first utilize the tweak with different truncated differences to construct two types of attack trails of ForkAES and then propose the multiple impossible differentials of ForkAES 54. Multiple attack trails obtain more subkey bytes and improve the efficiency of sieving keys without increasing the time complexity. Furthermore, we carefully consider the procedure of recovering the master key, which can efficiently reject wrong candidates. Combined with several technologies, the complexity of our attack scenarios can be optimized. In reconstruction queries, our attack reaches the longest number of rounds for ForkAES in impossible difference analysis, with lookups, chosen ciphertexts, and memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round, with lookups, plaintexts, and memory blocks to store AES states.
Appendix
Algorithm 1 is a general method to sieve the expected plaintextciphertext pairs in an impossible differential attack. Attackers need array , and each element of is plaintextciphertext . All plaintexts satisfy the expected differential of the attack trail. Based on the expected differential of the attack trail, the differential value of t byte is 0. Then, the corresponding value function is designed to obtain the value of t byte .

Algorithm 2 is proposed to sieve the expected ciphertext pairs of the first attack trail. There are structures , and each structure has values of ciphertexts with the same value in the eight bytes of ciphertext . Based on the ciphertexttweak , state can be obtained through the reconstruction queries and part decryptions . Then, values of the plaintexttweakstate are stored in the corresponding array . The function is proposed to take the value of the 12 bytes of the th element .

Utilizing Algorithm 2, attackers can obtain sorted arrays . In each array, the plaintexttweakstate pairs with the same value of the 12 bytes are selected. Then, the pairs satisfy the expected differential of the first attack trail. We use the array to represent sorted arrays in consideration of clear expression. Additionally, expected plaintexttweakstate pairs can be obtained from array (i.e., sorted arrays ). The array can be constructed by a similar algorithm for the second attack trail.
Algorithm 3 is the pseudocode of a multiple impossible differential attack with reconstruction queries. The corresponding expected values of plaintexttweakstate pairs can be obtained by the two arrays and . The calculated value of the Sbox is stored in array . Sidebyside execution can be used when multiple Sboxes need to be accessed. The corresponding values of the expected differential are stored in arrays and . The corresponding values of the expected differential are stored in arrays and . Array (resp., ) is indexed by the value of five bytes (resp., ), and array is indexed by the value of eight bytes . All elements of arrays , , and are set to 0.

Data Availability
The data are available at https://tosc.iacr.org/index.php/ToSC/search/index?query = Cryptanalysis+of+Forkciphers&dateFromYear = &dateFromMonth = &dateFromDay = &dateToYear = &dateToMonth = &dateToDay = &authors =
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The work in this paper was supported by the Natural Science Foundation of China (grant no.: 61772547, 61902428, and 61802438).