Paper 2012/214

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Shengbao Wu and Mingsheng Wang

Abstract

Impossible differential cryptanalysis is a powerful technique to recover the secret key of block ciphers by exploiting the fact that in block ciphers specific input and output differences are not compatible. This paper introduces a novel tool to search truncated impossible differentials for word-oriented block ciphers with bijective Sboxes. Our tool generalizes the earlier $$-method and the UID-method. It allows to reduce the gap between the best impossible differentials found by these methods and the best known differentials found by ad hoc methods that rely on cryptanalytic insights. The time and space complexities of our tool in judging an $$-round truncated impossible differential are about $$ and $$ respectively, where $$ is the number of words in the plaintext and $$, $$ are constants depending on the machine and the block cipher. In order to demonstrate the strength of our tool, we show that it does not only allow to automatically rediscover the longest truncated impossible differentials of many word-oriented block ciphers, but also finds new results. It independently rediscovers all 72 known truncated impossible differentials on 9-round CLEFIA. In addition, finds new truncated impossible differentials for AES, ARIA, Camellia without FL and FL$$ layers, E2, LBlock, MIBS and Piccolo. Although our tool does not improve the lengths of impossible differentials for existing block ciphers, it helps to close the gap between the best known results of previous tools and those of manual cryptanalysis.

Note: This is the full version of a paper accepted for publication at Indocrypt 2012. In this version, we list the source code of our tool for finding truncated impossible differentials, and specific results obtained by our tool are also given.