**Improved Top-Down Techniques in Differential Cryptanalysis**

*Itai Dinur and Orr Dunkelman and Masha Gutman and Adi Shamir*

**Abstract: **The fundamental problem of differential cryptanalysis is to find the highest entries in the Difference Distribution Table (DDT) of a given mapping F over n-bit values, and in particular to find the highest diagonal entries which correspond to the best iterative characteristics of $F$. The standard bottom-up approach to this problem is to consider all the internal components of the mapping along some differential characteristic, and to multiply their transition probabilities. However, this can provide seriously distorted estimates since the various events can be dependent, and there can be a huge number of low probability characteristics contributing to the same high probability entry.

In this paper we use a top-down approach which considers the given mapping as a black box, and uses only its input/output relations in order to obtain direct experimental estimates for its DDT entries which are likely to be much more accurate. In particular, we describe three new techniques which reduce the time complexity of three crucial aspects of this problem: Finding the exact values of all the diagonal entries in the DDT for small values of n, approximating all the diagonal entries which correspond to low Hamming weight differences for large values of $n$, and finding an accurate approximation for any $DDT$ entry whose large value is obtained from many small contributions. To demonstrate the potential contribution of our new techniques, we apply them to the SIMON family of block ciphers, show experimentally that most of the previously published bottom-up estimates of the probabilities of various differentials are off by a significant factor, and describe new differential properties which can cover more rounds with roughly the same probability for several of its members. In addition, we show how to use our new techniques to attack a 1-key version of the iterated Even-Mansour scheme in the related key setting, obtaining the first generic attack on 4 rounds of this well-studied construction.

**Category / Keywords: **secret-key cryptography / differential cryptanalysis, difference distribution tables, iterative characteristics, Even-Mansour, SIMON

**Date: **received 22 Mar 2015

**Contact author: **orrd at cs haifa ac il

**Available format(s): **PDF | BibTeX Citation

**Version: **20150323:122418 (All versions of this report)

**Short URL: **ia.cr/2015/268

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]