Impossible Differential Cryptanalysis Of Several Block Ciphers

A block cipher,which operates on fixed-length message blocks with a sym-metric key,is easy to implement and operates as an important component of many cryptographic protocols.Cryptanalysis of block ciphers is of significant importance to find their features and ensure their reasonable application.As.an important variant of differential cryptanalysis and proposed by Knudsen and Biham independently,impossible differential cryptanalysis evaluates the securi-ty of block ciphers according to differentials of probability 0 while the classical differential cryptanalysis with differentials of high probability.Using impossible differential cryptanalysis as the main technique in this study,we give analysis results of four block ciphers.The first attack on Simpira v2,a cryptographic permutation accepted by Asiacrypt 2016,is a classical application of the impossible differential attack,which turns out to be the first analysis result of Simpira v2.In the second part,we consider the impossible differential attack under the related-key setting and propose a method that can derive longer related-key impossible differential from single-key impossible differentials.We apply this method to evaluate QARMA-64,Deoxys-BC-256 and Joltik-BC-128.These two studies are both published on Science China Information Sciences.· Single-Key Impossible Differential Cryptanalysis of Simpira v2In 2001,Rijndael was selected as the Advanced Encryption Standard by NIST.The introduction of AES instructions by Intel(subsequently by AMD,and re-cently ARM)has changed the playing field for symmetric-key cryptography on modern processors,which lead to a significant reduction of the encryption over-heads.The feature that AES only accepts the 128-bit input makes it unable to satisfy the demands of some application environments.To solve this problem,AES-GCM mode becomes popular.An advantage of AES-GCM is that the mes-sage blocks can be processed independently for encryption.This allows pipelining of the AES round instructions,so that the observed performance is dominated by the throughput,but not by their latency.This performance gain by collecting multiple independent encryption tasks and pipelining their execution,is impor-tant for the design rationale of Simpira.Simpira uses the AES round function as the only building block.It supports inputs of 128 × b bits,denoted by Simpira-b,where b is a positive integer.For b= 1,Simpira corresponds to 12-round AES with fixed round keys;whereas for b ? 2,Simpira is a Generalized Feistel Structure(GFS)with an F-function that consists of two rounds of AES.Its design goal is to achieve high through-put on virtually all modern 64-bit processors,that nowadays already have native instructions for AES.The cryptanalysis results of two-round AES can also help to better evaluate the security of F-function.One application of Simpira recom-mended by its designers is as a permutation in the Even-Mansour construction for constructing a block cipher without round keys,whose input size is 128 × b bits.In this study,we analysis the security of Simpira-4,in which the input size is 128 x 4 and give the first 9-round impossible differential of Simpira-4.To deter-mine some efficient key recovery attacks on its block cipher mode(Even-Mansour construction with Simpira-4),we used some 6/7-round shrunken impossible dif-ferentials.Based on eight 6-round impossible differentials,we propose a series of 7-round key recovery attacks on the block cipher mode;each 6-round impossible differential helps recover 32 bits of the master key(512 bits),and in total,half of the master key bits are recovered.The attacks require 257 chosen plaintexts and 257 7-round encryptions.Furthermore,based on ten 7-round impossible differen-tials,we added one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode;this helps recover the full key space(512 bits)with a data complexity of 2170 chosen plaiutexts and a time complexity of 2170 8-round encryptions.All results are on Simpira v2,the formal version of Simpira published in ASI-ACRYPT 2016.· Related-Key Impossible Differential CryptanalysisIn the related-key setting,an adversary can observe and even control the re-lationship between different keys.This cryptanalysis method can be used with any other cryptanalysis methods.The theoretical break of AES-192 and AES-256 can be seen as the success of the combination of related-key cryptanalysis and boomerang cryptanalysis.Before the proposition of the TWEAKEY framework,the related-key model is more like an idealized model.In 2014,the TWEAKEY framework with goal to unify the design of tweakable block ciphers resistant to related-key attacks was proposed.To achieve high computation efficiency,tweakable block cipher designers often employ simple tweakey schedules.This makes the control of relationship between different tweaks or different keys easier.In this paper,we make a successful attempt to invent a tool by studying the re-lations between the single-key and the related-tweak/key impossible differentials.Combined with some interesting MILP modeling strategies,we could efficientlyderive longer related-tweak/key impossible differentials from single-key ones.As a proof of work,we apply the new tool to QARMA-64,Deoxys-BC-256 and Joltik-BC-128.For QARMA-64,a tweakable block cipher accepted by FSE 2017,we seek out a 7-round related-tweak impossible distinguisher and mount an 11-round key-recovery attack,which attacks one more round than the best previous result.For Deoxys-BC-256,a finalist of the CAESAR competition,we mount a key-recovery attack on 10(out of 14)rounds of Deoxys-BC-256.Compared to previous results that are valid only when the key size>204 and the tweak size<52,our method can attack 10-round Deoxys-BC-256 as long as the key size>174 and the tweak size<82.For the popular setting in which the key size is 192 bits,we can attack one round more than previous works.For Joltik-BC-128,the internal tweakable block cipher of an authenticated encryption candidate of the 2nd round CAESAR competition Joltik,we find a 6-round related-tweakey impossible differential distinguisher and analyze the security of 10-round Joltik-BC-128.