Paper 2022/1034

Finding All Impossible Differentials When Considering the DDT

Kai Hu, Nanyang Technological University
Thomas Peyrin, Nanyang Technological University
Meiqin Wang, Shandong University
Abstract

Impossible differential (ID) cryptanalysis is one of the most important attacks on block ciphers. The Mixed Integer Linear Programming (MILP) model is a popular method to determine whether a specific difference pair is an ID. Unfortunately, due to the huge search space (approximately $2^{2n}$ for a cipher with a block size of $n$ bits), we cannot leverage this technique to exhaust all difference pairs, which is a well-known long-standing problem. In this paper, we propose a systematic method to find all IDs for SPN block ciphers. The idea is to partition the whole difference pair space into many small disjoint sets, each of which has a representative difference pair. All difference pairs in one small set are possible if its representative pair is possible, and this can be conveniently checked by the MILP model. In this way, the overall search space is drastically reduced to a practical size by excluding the sets containing no IDs. We then examine the remaining difference pairs to identify all IDs (if any exist). If our method cannot find any ID, the target cipher is proved free of ID distinguishers. Our method works especially well for SPN ciphers with block size 64. We apply our method to SKINNY-64 and successfully find all 432 and 12 truncated IDs (we find all IDs but all of them can be assembled into certain truncated IDs) for 11 and 12 rounds, respectively. We also prove, for the first time, that 13-round SKINNY-64 is free of ID distinguishers even when considering the differential transitions through the Difference Distribution Table (DDT). Similarly, we find all 12 truncated IDs (all IDs are assembled into 12 truncated IDs) for 13-round CRAFT and prove there is no ID for 14 rounds. For the SbPN cipher GIFT-64, we prove that there is no ID for 8 rounds. For SPN ciphers with larger block sizes, we show that our idea is also useful to strengthen the current search methods.
For example, if we consider the Sbox to be ideal and only consider the branch number information of the diffusion matrix, we can find all 6,750 truncated IDs for 6-round Rijndael-192 in 1 second and prove that there is no truncated ID for 7 rounds. Previously, one needed to solve approximately $2^{48}$ MILP models to achieve the same goal. For GIFT-128, we exhausted all difference patterns that have an active superbox in the plaintext and ciphertext and proved there is no ID of such patterns for 8 rounds. Although we have searched a larger or even the full space for IDs, we found no ID distinguisher covering more rounds. This supports the intuition that IDs with a small number (usually one or two) of active bits/words at the beginning and end are the longest.
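
An added example, not code from the paper: on a constructed 8-bit toy SPN (the S-box table, bit permutation and all function names are assumptions made for illustration), the space of difference pairs is small enough to enumerate, so every ID under DDT-valid propagation can be listed directly. It does not implement the paper's partition or MILP model; it shows what is being searched for and why direct enumeration stops scaling at roughly $2^{2n}$ pairs.

```python
from itertools import product

# Constructed toy cipher (not from the paper): 8-bit block, two 4-bit S-boxes,
# then a bit permutation. Round keys are XORed in and never change a difference.
SBOX = [0x1, 0xA, 0x4, 0xC, 0x6, 0xF, 0x3, 0x9, 0x2, 0xD, 0xB, 0x7, 0x5, 0x0, 0x8, 0xE]
PERM = [0, 2, 4, 6, 1, 3, 5, 7]  # bit i of the S-layer output moves to bit PERM[i]

def ddt(sbox):
    """Difference Distribution Table: t[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    t = [[0] * 16 for _ in range(16)]
    for a, x in product(range(16), repeat=2):
        t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

DDT = ddt(SBOX)
# For each input nibble difference, the output differences with a nonzero DDT entry.
NEXT = [[b for b in range(16) if DDT[a][b]] for a in range(16)]

def permute(v):
    """Apply the linear layer (bit permutation) to an 8-bit value."""
    return sum(((v >> i) & 1) << PERM[i] for i in range(8))

def round_step(diffs):
    """All differences reachable after one round from any difference in `diffs`."""
    return {permute(lo | (hi << 4))
            for d in diffs for lo, hi in product(NEXT[d & 0xF], NEXT[d >> 4])}

def reachable(a, rounds):
    """Output differences reachable from input difference `a` via DDT-valid trails."""
    cur = {a}
    for _ in range(rounds):
        cur = round_step(cur)
    return cur

def all_ids(rounds):
    """Every non-trivial impossible differential (a, b) with a != 0 and b != 0."""
    return [(a, b) for a in range(1, 256)
            for b in sorted(set(range(1, 256)) - reachable(a, rounds))]

def encrypt(p, round_keys):
    """Toy encryption, used only to sanity-check the IDs against real pairs."""
    for k in round_keys:
        p ^= k
        p = permute(SBOX[p & 0xF] | (SBOX[p >> 4] << 4))
    return p

if __name__ == "__main__":
    print({r: len(all_ids(r)) for r in (1, 2, 3, 4)})
```

Because a pair with no DDT-valid trail can never occur under any key, encrypting real plaintext pairs with `encrypt` must never produce a difference pair returned by `all_ids`.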

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. SAC 2022
Keywords
Impossible Differential, MILP, SKINNY, CRAFT, GIFT, Rijndael-192
Contact author(s)
kai hu sdu @ gmail com
thomas peyrin @ ntu edu sg
mqwang @ sdu edu cn
History
2023-10-15: last of 2 revisions
2022-08-10: received
Short URL
https://ia.cr/2022/1034
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1034,
      author = {Kai Hu and Thomas Peyrin and Meiqin Wang},
      title = {Finding All Impossible Differentials When Considering the DDT},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1034},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1034}},
      url = {https://eprint.iacr.org/2022/1034}
}