Multiple Impossible Differential Attacks for ForkAES

Jiang, Zilong; Jin, Chenhui

doi:https://doi.org/10.1155/2022/5360032

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Appendix Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 5360032 | https://doi.org/10.1155/2022/5360032

Multiple Impossible Differential Attacks for ForkAES

Zilong Jiang¹and Chenhui Jin¹

Academic Editor: Jin Wook Byun

Received30 Sept 2021

Revised23 Feb 2022

Accepted25 May 2022

Published29 Jun 2022

Abstract

To yield a highly efficient authentication encryption design for very short messages, the tweakable forkcipher is proposed, which is a tweakable block cipher that uses forking construction to produce two output blocks. The designers also presented ForkAES, a forkcipher that is based on the round function of AES and the tweakable variant of KIASU. Therefore, the security of ForkAES is found on the block ciphers AES and KIASU. However, from the perspective of new forking construction, attackers may obtain some unique properties. Impossible differential attacks are widely used on block ciphers. This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on the property of the forking construction, two types of impossible differential distinguishers have been constructed. We first use the tweak with different truncated differences to build more attack trails. Then, we first propose the multiple impossible differential attack for ForkAES- -5-4. Thus, only a single round would remain as a security margin. Utilizing multiple attack trails, our attack scenario obtains more subkey bytes and enhances the subkey’s sieving efficiency without increasing complexity. Furthermore, we carefully consider the process of recovering the master key, which can efficiently reject wrong candidate keys. In reconstruction queries, our attack reaches the longest number of rounds for ForkAES in impossible differential analysis, with lookups, chosen ciphertexts, and memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round (i.e., ForkAES- -5-4), with lookups, plaintexts, and memory blocks to store AES states.

1. Introduction

Many authenticated encryption (AE) schemes need to perform the initialization or finalization phase to optimize the cost of handling long messages. However, in these general schemes, initialization or finalization raises the cost of handling short messages. For example, the TLS needs to produce a message authentication code (MAC) in the initialization phase. An efficient AE scheme for very short messages is an actively discussed topic. To yield a highly efficient AE design for very short messages, Andreeva et al. [1] proposed a tweakable forkcipher [1], which utilizes the forking construction to produce two output blocks from the same input. Compared with the TLS, the expanded ciphertexts of the forkcipher can also serve as the MAC, so there is no need to perform initialization to produce the MAC. Furthermore, the forking construction shares some computations, so the forkcipher is a highly efficient AE design for very short messages. Andreeva et al. [1] also proposed a forkcipher named ForkAES. Balli and Banik [2] analysed the hardware performance of ForkAES. They achieve a hardware implementation of ForkAES without any additional storage cost if the AES circuit can also perform decryption, thereby further optimizing the storage cost.

ForkAES is based on the round function AES [3] and the tweakable variant KIASU [4]. Andreeva et al. [1] briefly considered differential attacks, related-tweakey attacks, and meet-in-the-middle attacks. For other attacks, these authors stated that “the security of our forkcipher design can be reduced to the security of the AES and KIASU ciphers for further types of attacks.” However, from the perspective of the new forking construction, attackers may obtain some unique properties. Reconstruction queries mean that attackers can choose one block ciphertext and obtain the other block ciphertext by reconstruction querying. Encryption queries mean that attackers obtain the two block ciphertexts by encryption querying the plaintext. Banik et al. [5] introduced reflection differential trails and proposed some attacks of ForkAES- -4-4 ( is any nonnegative integer). Bariant et al. [6] first presented truncated differential attacks on ForkAES- -5-5 (full ten rounds) in reconstruction queries, but the security of ForkAES in encryption queries needs to be further studied.

Impossible differential attack [7, 8] is a very powerful and important method of attacking block ciphers. For a long time, impossible differential attacks were among the most successful attacks for AES [9], KIASU [10] and Deoxys [11]. Tsunoo et al. [12] proposed the idea of multiple impossible differentials. Li et al. [13, 14] proposed the subkey early abort, and Boura et al. [15, 16] presented the state-test technique; using these techniques, these authors presented their successful attacks against classical block ciphers, such as Fox and AES.

This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on the property of the forking construction, two types of impossible differential distinguishers have been constructed. We first use the tweak with different truncated differences to construct more attack trails. Then, we propose the multiple impossible differential attack for ForkAES- -5-4. Utilizing multiple attack trails, our attack scenario obtains more subkey bytes and enhances the sieving efficiency of subkeys without increasing complexity. Furthermore, one of the impossible differential attacks needs to guess only five subkey bytes in paper [5], and the authors did not analyse the process of recovering the master key. Because the subkey bytes may not suffice, the cost of recovering the master key may be more than that of attacking subkey bytes. Compared with paper [5], we carefully consider the process of recovering the master key, which can reject wrong candidate keys efficiently. Compared with paper [6], we consider the attack scenario in encryption queries, which increases the understanding of ForkAES. To the best of our knowledge, we improve the previous attacks on ForkAES by attacking one more round in encryption queries. Table 1 summarizes some attacks of ForkAES.

This paper is organized as follows: in Section 2, we describe the ForkAES structure and some basic concepts. In Section 3, we construct six impossible differential distinguishers of ForkAES. In Section 4, we propose multiple impossible differential attacks on ForkAES- -5-4 and analyse our attack. Finally, Section 5 concludes this paper.

2. Preliminaries

2.1. Notations

We will introduce some basic notations used throughout this paper: : PlaintextCiphertextTweak; : the intermediate state of the bytes after SB/SR/MC/AK/AT in the i-th round; : the difference between and ; : the bytes of subkey ; : the byte of tweak ; : the difference cannot obtain the difference through round encryptions.

2.2. Brief Description of Impossible Differential Attack

To mount an impossible differential attack, the block cipher is divided into three parts: (as shown in Figure 1). First, an impossible differential distinguisher through is constructed. Then, for the extra added rounds and , the differential through and through occur with probability 1. The combination of the differential and is called an attack trail.

2.3. Brief Description of ForkAES

ForkAES--- means that the internal state is obtained after rounds from plaintext; then, and denote the number of rounds from internal state to ciphertext and from internal state to ciphertext , respectively. As shown in Figure 2, the original ForkAES is ForkAES-5-5-5. ForkAES encrypts the plaintext over the first five rounds to produce the internal state, and then the internal state is forked to produce two ciphertexts and . We denote the internal state as . The input state of the first branch is , and the output of the first branch is . Similarly, the input state of the second branch is , and the output of the first branch is .

The block size of ForkAES is 128 bits. As shown in Figure 3, the round function of ForkAES is similar to that of KIASU, which applies five operations as follows:(1)SubBytes This operation applies an 8-bit invertible S-box of AES on 16 bytes of the state.(2)ShiftRows The cyclic shift of each row is the same as AES.(3)MixColumns The multiplication of each column by the 4- × -4-cell MDS matrix of AES.(4)AddRoundTweakey This operation XORs with the round subkeys derived from the master key.(5)AddRoundTweakey This operation XORs with a tweak.

In this paper, represents the whitening key. , , , , and represent the inverse operations of , , , , and , respectively. For more details on ForkAES, we can refer to the paper [1].

3. The Impossible Differential Distinguishers of ForkAES

The longest impossible differential key-independent distinguisher of AES is four rounds [17]. Utilizing the property of forking construction, we construct six 5-round impossible differential distinguishers of ForkAES.

The input difference of distinguisher : in the round function after the subkey , the difference is after the SR operation.

The output difference of distinguisher : in the round function after the subkey , the difference is after the MC operation.

The input difference (in the first branch) is mapped to the internal state difference and then obtains the output difference (in the second branch). The specific impossible differentials of six 5-round distinguishers are shown in Table 2. We construct two types of distinguishers by utilizing the tweak with a distinct truncated difference. The first type of distinguisher uses tweak pairs with only a 1-byte nonzero difference at position (0), and the second type of distinguisher uses tweak pairs with only a 1-byte nonzero difference at position (4). Figure 4 shows the sample of the first distinguisher. As shown in Figure 4, the impossible differential has been constructed in the first branch, and the output difference propagates to the internal state difference with probability 1, so the 5-round impossible differential distinguisher of ForkAES has been constructed.

Theorem 1. As shown in Figure 4, there is a 5-round truncated impossible differential distinguisher of ForkAES:where is the nonzero difference. The input difference is , and the output difference is . This distinguisher uses the tweak pairs with only a 1-byte nonzero difference at position (0).

Proof. In the second branch, the output difference is . Through the , , and operations, the internal state difference can be obtained with probability 1.
In the first branch, the difference of 4 bytes can be any value, and the difference of the other 12 bytes of must be zero. Then, through the , , and operations, each column of difference is either fully inactive or fully active (Property 1).
From the difference , through the and operations, the rightmost column of is fully inactive, and the other three columns are fully active. Then, through the operation, the difference of the byte at position (0) can be any value. Through the operation, the rightmost column of is fully inactive, and the other three columns have at least one active byte. Through the , , and operations, the difference exists in one column with at least one inactive byte and at least one active byte, thus contradicting Property 1.

The other five impossible differential distinguishers of ForkAES could be proven similarly.

4. Multiple Impossible Differential Attacks on ForkAES- -5-4

Based on the two types of distinguishers in Section 3, we construct two attack trails with the same truncated difference of ciphertext pairs. We first propose the multiple impossible differential attack on ForkAES- -5-4. In consideration of the clear expression, we have . Our attack scenario can be applied to chosen ciphertext (reconstruction queries) and known plaintext (encryption queries).

As shown in Figure 5, we append two rounds in the first branch and four rounds in the second branch. We swap the order of the , , and operations of the third and fourth rounds in the second branch, and denotes the equivalent subkey. For the first attack trail, thirteen subkey bytes need to be guessed. For the second attack trail, thirteen subkey bytes need to be guessed. These two attack trails have common subkey bytes , which can be repeatedly sieved to improve the result.

4.1. The Attack with Reconstruction Queries

The attack procedure includes the data-collection phase, precomputation phase, and key-recovery phase. In this section, we use the sieve method based on rapid sorting [18] to choose ciphertext pairs.

4.1.1. Data-Collection Phase

We choose the ciphertext and then obtain the ciphertext by reconstruction queries.

For the first attack trail, select tweaks that take all possible values in and fix the other 7 bytes to constant values. Select ciphertexts that take all possible values in the 8 bytes at and fix the other 8 bytes to constant values. We take as a structure. By reconstruction querying, through the , , and operations, texts can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and the other 12-byte difference value is zero, and then store the ordered texts in Table .

For the second attack trail, select tweaks that take all possible values in and fix the other 7 bytes to constant values. Select the same ciphertexts in the first trail. These ciphertexts take all possible values in the 8 bytes at ), and fix the other 8 bytes to constant values. We take as a structure. By reconstruction querying, through the , , and operations, texts can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and the other 12-byte difference value is zero, and then store the ordered texts in Table .

4.1.2. Precomputation Phase

Table : let S, , and denote the S-box of ForkAES, the input difference and the output difference of the S-box, respectively. The equation has one solution on average when the values of the differences and are nonzero. We construct Table to store the calculated value of , indexed by all values of . Table : for the first branch of the first attack trail, there are input difference values of three distinguishers. Through the operation, input difference values satisfy the demand for the truncated difference . We construct Table to store difference values of . Table : for the first branch of the second attack trail, there are input difference values of three distinguishers. Through the operation, input difference values satisfy the demand for the truncated difference . We construct Table to store difference values of . Table : for the second branch of the first attack trail, there are difference values by guessing all possible values of . Through the operation, there are difference values of . We construct Table to store these difference values of . Table : for the second branch of the second attack trail, there are difference values by guessing all possible values of . Through the operation, there are difference values of . We construct Table to store these difference values of .

4.1.3. Online Phase

In Steps 1 and 2, combining a series of techniques, use the first attack trail to reject some wrong subkeys. In Steps 3 and 4, use the second attack trail to reject some wrong subkeys for the remaining subkeys, thereby enhancing the efficiency of sieving subkeys. In Step 5, by comprehensively utilizing the subkeys information, use the master key recovering technique to reject wrong candidate keys until the right master key is obtained. We take structures, and the specific procedure is as follows:(1)Use the first attack trail to calculate subkey . Access Table to obtain pairs . Through the , , , and operations, the output difference can be obtained. Then, access Table to obtain the input difference . Access Table to obtain subkeys . Store the corresponding pairs in Table indexed by subkey , so pairs remain on average.(2)For the current subkey , calculate subkey . Access Table to obtain input difference . Access Table to obtain output difference. Construct Table , which has addresses indexed by 5-byte subkeys . For each address, set the initial value to 0. Then, set the counter that corresponds to with an initial value of 0. For each pair in Table , wrong subkeys can be discarded by accessing Table . If the value at the corresponding address of discarded subkey is 0 in Table , update the value to 1 and increase the value of by 1. If , evaluate the current subkey as wrong, and discard it. Check all pairs in Table ; then, if still , the value at the addresses of subkeys is 0, and the corresponding subkeys are candidates; store these candidates in Table .(3)Use the second attack trail to calculate the remaining subkey . Access Table to obtain pairs . Through the , , , and operations, the output difference can be obtained. Then, Table is accessed to obtain the input difference . Access Table to obtain subkeys . Store the corresponding pairs in Table , and index the pairs by subkey , so pairs remain on average.(4)For the current subkey , calculate subkey . Access Table to obtain input difference . Access Table to obtain the output difference. Construct Table , which has addresses indexed by 5-byte subkeys . For each address, set the initial value to 0. Then, set the counter that corresponds to with an initial value of 0. For each pair in Table , wrong subkeys can be discarded by accessing Table . If the value at the corresponding address of discarded subkey is 0 in Table , update the value to 1 and increase the value of by 1. If , evaluate the current subkey as wrong and discard it. Check all pairs in Table . If still , the value at addresses of subkeys is 0, and the corresponding subkeys are candidates; store these candidates in Table .(5)For , use the master key recovering technique to efficiently obtain the right master key. For each candidate, guess all subkeys . Through the and operations, the subkey can be obtained. Calculate with the help of the key schedule, and if the calculated value of differs from the value of the current subkey, evaluate the current candidate as wrong and discard it. Then, calculate with the help of the key schedule, and if the calculated value of differs from the value of the current subkey, evaluate the current candidate as wrong and discard it. Attackers check the remaining candidates by brute force until the right master key is obtained.

Then, we analyse the complexity of the attack with reconstruction queries.

The data-collection phase requires comparisons and bytes of memory. The complexity of precomputation phase can be ignored compared with the data collecting phase.

The complexities of the online phase are as follows:(1)Step 1 requires memory accesses (MAs) and bytes of memory.(2)In Step 2, a wrong subkey can pass the test of one pair with probability , and all wrong subkeys cannot pass the test of pairs with probability . Therefore, the probability that all subkeys can pass the test of pairs but cannot pass the test of pairs is . Then, the mathematical expectation of d is Thus, Step 2 requires MAs. Wrong subkeys can pass the test of pairs with the probability Thus, subkeys remain, and bytes of memory are required to store subkeys .(3)Similar to Step 1, Step 3 requires MAs and bytes of memory.(4)In Step 4, some wrong subkeys have been discarded. As in Step 2, MAs are needed. Then, subkeys remain, so bytes of memory are needed.(5)In Step 5, for each candidate , guessing all subkeys to calculate subkey requires MAs. After sieving subkeys, candidates remain. Calculating requires MAs. Then, candidates remain. Then, the procedure by brute force requires encryptions.

For the attack procedure with reconstruction queries, take , and then can be obtained. The time complexity and the memory complexity are dominated by Step 2 and Steps 1 and 3, respectively. Overall, this attack scenario requires chosen ciphertexts, lookups, encryptions and AES states.

According to the above analysis, the advantages of our attack scenario are as follows:(1)The second attack trail is only applied for sieving the remaining subkeys. Because the subkeys are fewer, the time complexity of the attack scenario is not increased. Additionally, the second attack has high sieving efficiency. When , the probability that a wrong subkey can pass the test is ; that is, the second attack trail can discard more wrong subkeys without increasing the time complexity.(2)Our attack scenario calculates five more subkey bytes without increasing the time complexity. In Step 5, the efficiency of sieving candidates can be improved because attackers obtain more subkey bytes to discard wrong candidates efficiently. Thus, our attack scenario can obtain a better result.

4.2. The Attack with Encryption Queries

The procedure of an attack with encryption queries is similar to the procedure of an attack with reconstruction queries. We omit the precomputation and online phases for the sake of brevity. This section elaborates mainly on the data-collection phase.

The idea of the data-collection phase is as follows: attackers obtain known plaintexts and guess a 1-byte tweak, and corresponding ciphertexts can be obtained by encryption queries. Then, the attackers select the pairs that meet the requirements of the attack trails. Thus, the attack scenario with encryption queries can be obtained.

Data-collection phase: from known plaintexts, the ciphertext can be obtained by encryption queries.

For the first attack trail, attackers obtain known plaintexts, select tweaks that take all possible values in , and fix the other 7 bytes to constant values. Then, corresponding ciphertexts can be obtained by encryption queries. For , through the , , and operations, can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and , and the difference value of the other 20 bytes is zero; then, store the ordered texts in Table .

For the second attack trail, attackers use the same known plaintexts, select tweaks that take all possible values in , and fix the other 7 bytes to constant values. Then, corresponding ciphertexts can be obtained by encryption queries. For , through the , , and operations, can be obtained. Using the sieve method based on rapid sorting, select pairs of , where and and the other 20 bytes difference value is zero; then, store the ordered texts in Table .

Then, we analyse the complexity of the above attack with encryption queries.

The data-collection phase requires comparisons, bytes of memory and known plaintexts.

For the attack with encryption queries, take , and pairs meet the requirements of attack trails. For the attack with encryption queries, pairs meet the requirements of attack trails, so . Thus, the time complexity is dominated by the data-collection phase, and the memory complexity is dominated by Steps 1 and 3. Overall, this attack scenario requires plaintexts, lookups, encryptions and AES states.

5. Conclusion

In this paper, we first utilize the tweak with different truncated differences to construct two types of attack trails of ForkAES and then propose the multiple impossible differentials of ForkAES- -5-4. Multiple attack trails obtain more subkey bytes and improve the efficiency of sieving keys without increasing the time complexity. Furthermore, we carefully consider the procedure of recovering the master key, which can efficiently reject wrong candidates. Combined with several technologies, the complexity of our attack scenarios can be optimized. In reconstruction queries, our attack reaches the longest number of rounds for ForkAES in impossible difference analysis, with lookups, chosen ciphertexts, and memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round, with lookups, plaintexts, and memory blocks to store AES states.

Appendix

Algorithm 1 is a general method to sieve the expected plaintext-ciphertext pairs in an impossible differential attack. Attackers need array , and each element of is plaintext-ciphertext . All plaintexts satisfy the expected differential of the attack trail. Based on the expected differential of the attack trail, the differential value of t byte is 0. Then, the corresponding value function is designed to obtain the value of t byte .

	Inputs: Array ; Value function ;
	Outputs: Sorted array indexed the value of t byte
(1)	IDQUICKSORT
(2)	ifthen
(3)	IDPARTTION
(4)	IDQUICKSORT
(5)	IDQUICKSORT
(6)	end if
(7)	IDPARTTION
(8)
(9)
(10)	for to do
(11)	ifthen
(12)
(13)	exchange
(14)	end if
(15)	end for
(16)	return

Algorithm 2 is proposed to sieve the expected ciphertext pairs of the first attack trail. There are structures , and each structure has values of ciphertexts with the same value in the eight bytes of ciphertext . Based on the ciphertext-tweak , state can be obtained through the reconstruction queries and part decryptions . Then, values of the plaintext-tweak-state are stored in the corresponding array . The function is proposed to take the value of the 12 bytes of the -th element .

	Inputs: arrays ; tweaks ; Value fuction ;
	Outputs: sorted arrays indexed the value of 12 bytes
(1)	for do
(2)	for do
(3)	for do
(4)
(5)
(6)	end for
(7)	end for
(8)	IDQUICKSORT
(9)	end for

Utilizing Algorithm 2, attackers can obtain sorted arrays . In each array, the plaintext-tweak-state pairs with the same value of the 12 bytes are selected. Then, the pairs satisfy the expected differential of the first attack trail. We use the array to represent sorted arrays in consideration of clear expression. Additionally, expected plaintext-tweak-state pairs can be obtained from array (i.e., sorted arrays ). The array can be constructed by a similar algorithm for the second attack trail.

Algorithm 3 is the pseudocode of a multiple impossible differential attack with reconstruction queries. The corresponding expected values of plaintext-tweak-state pairs can be obtained by the two arrays and . The calculated value of the S-box is stored in array . Side-by-side execution can be used when multiple S-boxes need to be accessed. The corresponding values of the expected differential are stored in arrays and . The corresponding values of the expected differential are stored in arrays and . Array (resp., ) is indexed by the value of five bytes (resp., ), and array is indexed by the value of eight bytes . All elements of arrays , , and are set to 0.

	Input: Two arrays , ; Four arrays ; Array ; Three arrays
	Outputs: Right master key
(1)	for all elements of array do
(2)
(3)	for all elements of array do
(4)
(5)
(6)
(7)	the pair of
(8)	end for
(9)	end for
(10)	for all arrays do
(11)	initialize variable
(12)	for all elements of array do
(13)	for all elements of array do
(14)
(15)
(16)
(17)
(18)
(19)	ifthen
(20)
(21)
(22)	end if
(23)	end for
(24)	ifthen
(25)
(26)	Break
(27)	end if
(28)	end for
(29)	end for
(30)	Based on array , repeat step 1–9 to obtain .
(31)	Based on array , utilize the similar step to discard wrong subkeys . Then the candidates can be obtained.
(32)	Guessing all values of , the right master key can be obtained by brute force.

Data Availability

The data are available at https://tosc.iacr.org/index.php/ToSC/search/index?query = Cryptanalysis+of+Forkciphers&dateFromYear = &dateFromMonth = &dateFromDay = &dateToYear = &dateToMonth = &dateToDay = &authors =

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The work in this paper was supported by the Natural Science Foundation of China (grant no.: 61772547, 61902428, and 61802438).

References

E. Andreeva, V. Lallemand, A. Purnal, R. A. Reyhanitabar, and D. Vizár, “Forkcipher: a new primitive for authenticated encryption of very short messages,” in Proceedings of the 25th International Conference on the Theory and Application of Cryptology and Information Security, pp. 153–182, Kobe, Japan, December 2019.
View at: Publisher Site | Google Scholar
F. Balli and S. Banik, “Exploring lightweight efficiency of ForkAES,” in Proceedings of the, 20th International Conference on Cryptology in India, pp. 514–534, Hyderabad, India, December 2019.
View at: Publisher Site | Google Scholar
J. Daemen and V. Rijmen, The Design of Rijndael - the Advanced Encryption Standard (AES), Information Security and Cryptography, Beijing, China, 2020.
View at: Publisher Site
J. Jean, I. Nikolić, and T. Peyrin, “Tweaks and keys for block ciphers: the TWEAKEY framework,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 153–182, aiwan, China, December 2014.
View at: Publisher Site | Google Scholar
S. Banik, J. Bossert, A. Jana et al., “Cryptanalysis of forkAES,” Applied Cryptography and Network Security, vol. 11464, pp. 43–63, 2019.
View at: Publisher Site | Google Scholar
A. Bariant, N. David, and G. Leurent, “Cryptanalysis of Forkciphers,” in Proceedings of the IACR Transactions on Symmetric Cryptology, pp. 233–265, Beijing, China, March 2020.
View at: Publisher Site | Google Scholar
E. Biham, A. Biryukov, and A. Shamir, “Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials advances in cryptology - EUROCRYPT,” in Proceedings of the 99, international conference on the theory and application of cryptographic techniques, pp. 12–23, Prague, Czech Republic, May 1999.
View at: Google Scholar
K. Aoki, T. Ichikawa, M. Kanda et al., “Camellia: a 128-bit block cipher suitable for multiple platforms - design and analysis,” in Proceedings of the Selected Areas in Cryptography, 7th Annual International Workshop, SAC 2000, pp. 39–56, Waterloo, Canada, August 2000.
View at: Google Scholar
H. Mala, M. Dakhilalian, V. Rijmen, and M. Modarres-Hashemi, “Improved impossible differential cryptanalysis of 7-round AES-128,” in Proceedings of the 11th International Conference on Cryptology in India, pp. 282–291, Hyderabad, India, December 2010.
View at: Publisher Site | Google Scholar
C. Dobraunig and E. List, “Impossible-differential and boomerang cryptanalysis of round-reduced kiasu-bc,” in Proceedings of the Topics in Cryptology-CT-RSA 2017-The Cryptographers’ Track at the RSA Conference 2017, pp. 207–222, San Francisco, CA, USA, February 2017.
View at: Google Scholar
R. Zong, X. Dong, and X. Wang, “Related-tweakey impossible differential attack on reduced-round Deoxys-BC-256,” Science China Information Sciences, vol. 62, no. 3, Article ID 32102, p. 12, 2019.
View at: Publisher Site | Google Scholar
Y. Tsunoo, E. Tsujihara, M. Shigeri, and T. T. H. Saito, “Impossible differential cryptanalysis of CLEFIA,” in Proceedings of the 15th International Workshop, FSE 2008, Lausann, pp. 398–411, Fast Software Encryption, Lausanne, Switzerland, February 2008.
View at: Publisher Site | Google Scholar
X. Li, F.-W. Fu, and X. Guang, “Multiple impossible differential cryptanalysis on reduced FOX,” IEICE - Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E98.A, no. 3, pp. 906–911, 2015.
View at: Publisher Site | Google Scholar
X. Li, C. H. Jin, and F. W. Fu, “Improved results of impossible differential cryptanalysis on reduced FOX,” The Computer Journal, vol. 59, no. 4, pp. 541–548, 2016.
View at: Publisher Site | Google Scholar
C. Boura, M. Naya-Plasencia, V. Suder, and T. R. O. C. Kaoshiung, “Scrutinizing and improving impossible differential attacks: applications to clefia, camellia, lblock and simon,” in Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security, pp. 179–199, Taiwan, China, December 2014.
View at: Google Scholar
C. Boura, V. Lallemand, M. Naya-Plasencia, and V. Suder, “Making the impossible possible,” Journal of Cryptology, vol. 31, no. 1, pp. 101–133, 2018.
View at: Publisher Site | Google Scholar
T. Cui, C. Jin, B. Zhang, and Z. G. Chen, “Searching all truncated impossible differentials in SPN,” IET Information Security, vol. 11, no. 2, pp. 89–96, 2017.
View at: Publisher Site | Google Scholar
Q. G. Zhang, “Plaintext pair sieve methods in impossible differential attack,” Computer Engineering, vol. 36, pp. 127–129, 2010.
View at: Google Scholar

Copyright

Copyright © 2022 Zilong Jiang and Chenhui Jin. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

133

Downloads

221

Citations