
Paper 2023/316

New Methods for Bounding the Length of Impossible Differentials of SPN Block Ciphers

Senpeng Wang, State Key Laboratory of Cryptology, PLA SSF Information Engineering University
Dengguo Feng, State Key Laboratory of Cryptology
Bin Hu, PLA SSF Information Engineering University
Jie Guan, PLA SSF Information Engineering University
Ting Cui, PLA SSF Information Engineering University
Tairong Shi, PLA SSF Information Engineering University
Kai Zhang, PLA SSF Information Engineering University
Abstract

How to evaluate the security of Substitution-Permutation Network (SPN) block ciphers against impossible differential (ID) cryptanalysis is a valuable problem. In this paper, a series of methods for bounding the length of IDs of SPN block ciphers is proposed. Firstly, we propose the definitions of minimal representative set and partition table. Building on these, an improved partition-first implementation strategy for bounding the length of IDs is given. Secondly, we introduce a new definition of ladder and propose the ladder-first implementation strategy for bounding the length of IDs. To make the ladder-first implementation strategy applicable in practice, methods for determining ladders and integrating a ladder into searching models are given. Thirdly, a heuristic algorithm called the dynamic-ladder-partition implementation strategy is proposed. According to our experimental results, the dynamic-ladder-partition implementation strategy is more suitable for SPN ciphers whose partition tables contain a small number of elements. Fourthly, rotation-equivalence ID sets of ciphers are explored to reduce the number of models that need to be considered. As applications, we show that 9-round PRESENT, 5-round AES, 6-round Rijndael-160, 7-round Rijndael-192, 7-round Rijndael-224 and 7-round Rijndael-256 do not have any ID under the sole assumption that the round keys are uniformly random. Moreover, we obtain that 8-round GIFT-64, 12-round GIFT-128 and 14-round SKINNY-128 do not have any ID under the assumptions that GIFT and SKINNY are Markov ciphers and the round keys are uniformly random. Our methods fill crucial gaps in bounding the length of IDs with the differential properties of S-boxes considered. They enhance our confidence in the security of these ciphers and are valuable, especially for designers.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Minor revision. IEEE Transactions on Information Theory
DOI
10.1109/TIT.2024.3473940
Keywords
Impossible differential, PRESENT, GIFT, Midori64, Rijndael, AES
Contact author(s)
wsp2110 @ 126 com
History
2025-02-21: revised
2023-03-03: received
Short URL
https://ia.cr/2023/316
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/316,
      author = {Senpeng Wang and Dengguo Feng and Bin Hu and Jie Guan and Ting Cui and Tairong Shi and Kai Zhang},
      title = {New Methods for Bounding the Length of Impossible Differentials of {SPN} Block Ciphers},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/316},
      year = {2023},
      doi = {10.1109/TIT.2024.3473940},
      url = {https://eprint.iacr.org/2023/316}
}