Improbable differential cryptanalysis

  • Authors:
  • Cihangir Tezcan

  • Affiliations:
  • Middle East Technical University

  • Venue:
  • Proceedings of the 6th International Conference on Security of Information and Networks
  • Year:
  • 2013

Abstract

Statistical attacks on block ciphers make use of a property of the cipher so that an event occurs with different probabilities depending on whether or not the correct key is used. For instance, differential cryptanalysis [3] and truncated differential cryptanalysis [5] consider characteristics or differentials which show that a particular output difference should be obtained with a relatively high probability when a particular input difference is used. Hence, when the correct key is used, the predicted differences occur more frequently. On the other hand, impossible differential cryptanalysis [2] uses an impossible differential, which shows that a particular difference cannot occur for the correct key (i.e. the probability of this event is exactly zero). Therefore, if these differences are satisfied under a trial key, then it cannot be the correct one. Thus, the correct key can be obtained by eliminating all or most of the wrong keys. However, in a recent study [7] we showed that it is also possible to obtain differentials so that the predicted differences occur less frequently for the correct key. This new cryptanalytic technique is called improbable differential cryptanalysis, and impossible differential cryptanalysis is just a special case of it. Thus, improbable differential cryptanalysis bridges the gap between differential and impossible differential cryptanalysis.

The substitution layer of cryptographic algorithms mostly consists of substitution boxes (S-boxes), and in order to provide better security against known attacks, S-boxes are selected depending on their cryptographic properties such as differential probability, linear bias, algebraic degree, and branch number. For instance, differential attacks rely heavily on the differential probabilities of the S-boxes. Recently we proposed a new property of S-boxes that we call undisturbed bits [8], which can be used to obtain better truncated, impossible or improbable differentials.

In this tutorial, we will start by describing differential, truncated and impossible differential cryptanalysis. We will then describe improbable differential cryptanalysis and the expansion technique that expands impossible differentials to improbable differentials. As an example of the expansion technique, we will discuss the improbable differential attacks on CLEFIA [6] in detail. Then we will describe the concept of undisturbed bits and discuss their effects on the block ciphers PRESENT [4] and Serpent [1].
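
The undisturbed-bits property mentioned in the abstract can be checked directly on an S-box when evaluating a design. The sketch below is an added example, not code from the tutorial or its author; it assumes the definition that an output-difference bit is undisturbed when it takes the same value for every input pair with a given nonzero input difference, and it uses the S-box from the public PRESENT specification. All function names are illustrative.

```python
# PRESENT S-box from the public specification; function names are illustrative.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def output_differences(sbox, din):
    """Set of output differences S(x) ^ S(x ^ din) over all inputs x."""
    return {sbox[x] ^ sbox[x ^ din] for x in range(len(sbox))}


def undisturbed_pattern(sbox, din, nbits=4):
    """Return a pattern such as '???1' (most significant bit first).

    A digit marks an output-difference bit that has the same value for every
    input pair with difference din; '?' marks a bit that varies.
    """
    douts = output_differences(sbox, din)
    pattern = []
    for bit in reversed(range(nbits)):
        values = {(d >> bit) & 1 for d in douts}
        pattern.append(str(values.pop()) if len(values) == 1 else "?")
    return "".join(pattern)


def undisturbed_bits(sbox, nbits=4):
    """Map each nonzero input difference with a fixed output bit to its pattern."""
    found = {}
    for din in range(1, 1 << nbits):  # din = 0 is trivial and skipped
        pattern = undisturbed_pattern(sbox, din, nbits)
        if pattern != "?" * nbits:
            found[din] = pattern
    return found


def invert(sbox):
    """Inverse permutation, for checking the decryption direction."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


if __name__ == "__main__":
    for name, box in (("S", PRESENT_SBOX), ("S^-1", invert(PRESENT_SBOX))):
        for din, pattern in sorted(undisturbed_bits(box).items()):
            print(f"{name}: input difference {din:04b} -> output difference {pattern}")
```

A fixed bit in the output difference holds with probability 1, which is why such bits can lengthen truncated, impossible or improbable differentials through the substitution layer.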