Abstract

Impossible differential attacks, which take advantage of differentials that cannot occur, are powerful attacks on block cipher primitives. The power of such attacks is often measured in terms of the advantage (the number of key bits found during the key sieving phase), which determines the time complexity of the exhaustive key search phase. The statistical model used to compute this advantage was introduced in the seminal work on the resistance of the DEAL cipher to impossible differential attacks. This model, which has not been modified since the end of the 1990s, is implicitly based on the Poisson approximation of the binomial distribution. In this paper, we investigate this commonly used model and experimentally illustrate that random permutations do not follow it. Based on this observation, we propose more accurate estimates of the advantage of an impossible differential attack. The experiments illustrate the accuracy of the estimate derived from the multivariate hypergeometric distribution. The maximal advantage of an impossible differential attack, obtained using the full codebook, is also derived.

Highlights

  • Impossible differential cryptanalysis was introduced in the late 90’s [Knu98] during the analysis of the security of a new design, the DEAL cipher.

  • In the impossible differential attack on 23 rounds of LBlock [BNS14a], the time complexity is not dominated by the exhaustive key search, and the results presented in Table 3 do not influence the total time complexity of the attack.

  • We provided a better estimate of the advantage of an impossible differential attack.


Summary

Introduction

Impossible differential cryptanalysis was introduced in the late 90’s [Knu98] during the analysis of the security of a new design, the DEAL cipher. The idea behind this attack is to take advantage of differentials which never appear for a given permutation. The seminal papers [Knu98, BBS99a] present an estimate of the data complexity of this attack, which is a generalization of differential cryptanalysis. They provide a generic method to estimate the time complexity of the key sieving phase. The limit of this generic approach, which is accurate for many impossible differential attacks, is discussed in [DF16]. The concept of multiple impossible differential attacks is introduced in [BNS14a, BLNPS17].

Motivation
Contribution
Outline
Definitions
Related Work
Experiments and Motivation
The Multivariate Vector
Theory in the Multivariate Hypergeometric Case
Theory using the Multinomial Distribution
Experiments in Small Dimensions
Using Multiple Structures
Experiments
Influence on a Concrete Distinguisher
Non-Independent Structures
Remarks
Multiple Impossible Differentials
Theory
Impossible Differential Involving Only One Differential
Application to LBlock
Application to CRYPTON
A note on Differential and Truncated Differential Attacks
Conclusion