Abstract

In this paper, a new method for evaluating the integral property, truncated and impossible differentials for substitution-permutation network (SPN) block ciphers is proposed. The main assumption is an explicit description/expression of the internal state words in terms of the plaintext (ciphertext) words. By counting the number of times these words occur in the internal state expression, we can evaluate the resistance of a given block cipher to integral and impossible/truncated differential attacks more accurately than previous methods. More precisely, we explore the cryptographic consequences of uneven frequency of occurrences of plaintext (ciphertext) words appearing in the algebraic expression of the internal state words. This approach gives a new family of distinguishers employing different concepts such as the integral property, impossible/truncated differentials and the so-called zero-sum property. We then provide algorithms to determine the maximum number of rounds of such new types of distinguishers for SPN block ciphers. The potential and efficiency of this relatively simple method are confirmed through applications. For instance, in the case of the SKINNY block cipher, several 10-round integral distinguishers, all of the 11-round impossible differentials, and a 7-round truncated differential could be determined. For the last case, using a single pair of plaintexts differing in three words so that (a = b = c) ≠ (a’ = b’ = c’), we are able to distinguish 7-round SKINNY from random permutations. More importantly, exploiting our distinguishers, we give the first practical attack on 11-round SKINNY-128-128 in the single-key setting (a theoretical attack reaches 16 rounds). Finally, using the same ideas, we provide a concise explanation of the existing distinguishers for round-reduced AES.

Highlights

  • Along with the development of the Internet of Things, some new symmetric-key cryptographic schemes such as encryption algorithms, hash functions, authentication schemes and pseudorandom number generators have been proposed

  • Integral cryptanalysis was originally proposed by Lars Knudsen [KW02] as a dedicated attack against the Square block cipher, and is commonly known as the Square attack

  • We can conclude that the Advanced Encryption Standard (AES) has no integral property of more than 4 rounds unless the details of the S-boxes are taken into account, because we cannot extend the distinguisher in Figure 4 in either the forward or the backward direction

Summary

Introduction

Along with the development of the Internet of Things, some new symmetric-key cryptographic schemes such as encryption algorithms, hash functions, authentication schemes and pseudorandom number generators have been proposed. When cryptanalysis of block ciphers is considered, the first step is to construct distinguishers of a certain kind that cover as many rounds as possible. In this context, the most relevant security parameter is an exact estimate of the number of rounds for which different kinds of distinguishers can be specified.

  • If the considered variable does not appear in the polynomial corresponding to an output word of the round function, this output word does not depend on it. This information is useful when building probability 1 truncated trails and impossible differentials.
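The dependency statement above can be checked at word level for SKINNY. The following is an added example, not code from the paper: it assumes SKINNY's ShiftRows rotation and binary MixColumns matrix as given in the SKINNY specification, treats the S-box and the constant/tweakey additions as keeping each word's variables, and counts occurrences in the unexpanded expression without modelling any cancellation. All function names are hypothetical.

```python
from collections import Counter

# SKINNY MixColumns binary matrix (assumption: taken from the SKINNY
# specification, it is not printed on this page).
M = [(1, 0, 1, 1),
     (1, 0, 0, 0),
     (0, 1, 1, 0),
     (1, 0, 1, 0)]

def round_occurrences(state):
    """One round at word level. SubCells, AddConstants and AddRoundTweakey do
    not change which plaintext words a state word contains; ShiftRows rotates
    row r right by r cells; MixColumns XORs rows, so counters are added."""
    shifted = [[state[r][(c - r) % 4] for c in range(4)] for r in range(4)]
    out = [[Counter() for _ in range(4)] for _ in range(4)]
    for r in range(4):
        for c in range(4):
            for k in range(4):
                if M[r][k]:
                    out[r][c] += shifted[k][c]
    return out

def occurrences_after(rounds):
    """occ[r][c][(i, j)]: how often plaintext word (i, j) occurs in the
    unexpanded expression of state word (r, c) after `rounds` rounds."""
    state = [[Counter({(r, c): 1}) for c in range(4)] for r in range(4)]
    for _ in range(rounds):
        state = round_occurrences(state)
    return state

def independent_words(rounds):
    """For each state word, the plaintext words absent from its expression,
    i.e. the words it cannot depend on."""
    every = {(i, j) for i in range(4) for j in range(4)}
    occ = occurrences_after(rounds)
    return {(r, c): every - set(occ[r][c]) for r in range(4) for c in range(4)}

def rounds_to_full_dependency():
    """Smallest round count after which no plaintext word is absent anywhere."""
    rounds = 0
    while any(independent_words(rounds).values()):
        rounds += 1
    return rounds

if __name__ == "__main__":
    for n in range(1, 7):
        absent = sum(len(v) for v in independent_words(n).values())
        print(f"{n} rounds: {absent} absent (state word, plaintext word) pairs")
    print("uneven counts after 3 rounds:", dict(occurrences_after(3)[0][0]))
```

Any plaintext word listed by `independent_words` for a state word is a candidate for a probability 1 truncated trail through that word, and the counters show how unevenly the remaining words occur.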

Preliminaries
Notations
The AES Block Cipher
The SKINNY Block Cipher
MixColumn
The Algebraic Representation of SPN Ciphers
The Integral Distinguisher
A Generic Algorithm for Integral Distinguishers
1: Set Γ to be an empty set
The Integral Property for SKINNY
The Integral Property of AES
[Figure: A A A A → SB → A A A A → SR → A A A A → MC → B B B B]
Impossible and Zero-Sum Differentials
Applications to AES and SKINNY
Algorithm for Determining the Zero-Sum Differential
Using Occurrences of Linear Combinations
Attacks on SKINNY-128-128 in Single-Key Model
Attacking SKINNY-128-128 Reduced to 11 Rounds
Extending the Number of Rounds for SKINNY-128-128
A Theoretical Attack on 16-Round SKINNY-128-128
Conclusions
A The SKINNY linear transformation matrix