Abstract

To yield a highly efficient authenticated encryption design for very short messages, the tweakable forkcipher was proposed: a tweakable block cipher that uses a forking construction to produce two output blocks. Its designers also presented ForkAES, a forkcipher built from the round function of AES and the tweakable cipher KIASU. The security of ForkAES therefore rests on the block ciphers AES and KIASU. However, the new forking construction may hand attackers some properties that neither underlying cipher exposes on its own. Impossible differential attacks are widely used against block ciphers. This paper studies the security of ForkAES against multiple impossible differential cryptanalysis. Based on a property of the forking construction, two types of impossible differential distinguishers are constructed. We first use tweaks with different truncated differences to build more attack trails. Then we propose the first multiple impossible differential attack on ForkAES-*-5-4, so that only a single round remains as a security margin. Utilizing multiple attack trails, our attack scenario recovers more subkey bytes and improves the sieving efficiency for subkey candidates without increasing the complexity. Furthermore, we carefully consider the process of recovering the master key, which efficiently rejects wrong candidate keys.
In reconstruction queries, our attack reaches the largest number of rounds for ForkAES in impossible differential analysis, with $2^{100.8}$ lookups, $2^{85.8}$ chosen ciphertexts, and $2^{92.7}$ memory blocks to store AES states. In encryption queries, we improve the previous attacks on ForkAES by attacking one more round (i.e., ForkAES-*-5-4), with $2^{118.2}$ lookups, $2^{111.4}$ plaintexts, and $2^{92.7}$ memory blocks to store AES states.
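The abstract distinguishes encryption queries from reconstruction queries and names the cipher as ForkAES-*-5-4, where the two numbers are the round counts of the two branches after the fork and the asterisk leaves the number of common rounds before the fork unspecified. The following toy model is an added example, not ForkAES and not the paper's code: the S-box, the byte permutation, the round constants and the tweakey schedule are placeholders chosen only to make the shape of the forking construction visible (a shared initial stage, a fork, two branches that each emit a ciphertext block) and to show why a reconstruction query from one branch output to the other passes only through the branch rounds and never through the common rounds.

```python
from typing import List, Tuple

BLOCK = 16      # 128-bit state, 16 bytes, column-major like an AES state
TWEAK_LEN = 8   # 64-bit tweak, KIASU-style (assumption for the toy)

# Placeholder S-box: x -> (3*x mod 256) XOR 0x63 is a bijection because 3 is odd.
SBOX: List[int] = [((3 * x) & 0xFF) ^ 0x63 for x in range(256)]
INV_SBOX: List[int] = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x

# ShiftRows-like permutation on the column-major state: out[i] = s[PERM[i]].
PERM: List[int] = [((col + row) % 4) * 4 + row for col in range(4) for row in range(4)]
INV_PERM: List[int] = [0] * BLOCK
for _i, _p in enumerate(PERM):
    INV_PERM[_p] = _i


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_key(key: bytes, tweak: bytes, rnd: int) -> bytes:
    """Placeholder tweakey schedule (assumption, not the ForkAES schedule):
    key XOR zero-padded tweak XOR a per-round constant."""
    if len(key) != BLOCK or len(tweak) != TWEAK_LEN:
        raise ValueError("key must be 16 bytes and tweak 8 bytes")
    padded_tweak = tweak + bytes(BLOCK - TWEAK_LEN)
    return xor(xor(key, padded_tweak), bytes([rnd & 0xFF] * BLOCK))


def round_fn(state: bytes, rk: bytes) -> bytes:
    s = bytes(SBOX[b] for b in state)              # byte substitution
    s = bytes(s[PERM[i]] for i in range(BLOCK))    # byte permutation
    return xor(s, rk)                              # tweakey addition


def round_inv(state: bytes, rk: bytes) -> bytes:
    s = xor(state, rk)
    s = bytes(s[INV_PERM[i]] for i in range(BLOCK))
    return bytes(INV_SBOX[b] for b in s)


class ToyForkCipher:
    """r_init common rounds, then branch 0 (r0 rounds) and branch 1 (r1 rounds)."""

    def __init__(self, r_init: int, r0: int, r1: int) -> None:
        self.r_init = r_init
        # Round indices: 0 = whitening, 1..r_init = common, then branch 0, then branch 1.
        self._start = (r_init + 1, r_init + 1 + r0)
        self._len = (r0, r1)

    def fork_point(self, key: bytes, tweak: bytes, m: bytes) -> bytes:
        """State shared by both branches: whitening plus the r_init common rounds."""
        if len(m) != BLOCK:
            raise ValueError("message must be one 16-byte block")
        s = xor(m, round_key(key, tweak, 0))
        for rnd in range(1, self.r_init + 1):
            s = round_fn(s, round_key(key, tweak, rnd))
        return s

    def branch(self, key: bytes, tweak: bytes, fork_state: bytes, b: int) -> bytes:
        s = fork_state
        for rnd in range(self._start[b], self._start[b] + self._len[b]):
            s = round_fn(s, round_key(key, tweak, rnd))
        return s

    def branch_inv(self, key: bytes, tweak: bytes, c: bytes, b: int) -> bytes:
        s = c
        for rnd in reversed(range(self._start[b], self._start[b] + self._len[b])):
            s = round_inv(s, round_key(key, tweak, rnd))
        return s

    def encrypt(self, key: bytes, tweak: bytes, m: bytes) -> Tuple[bytes, bytes]:
        """Encryption query: one plaintext block in, two ciphertext blocks out."""
        f = self.fork_point(key, tweak, m)
        return self.branch(key, tweak, f, 0), self.branch(key, tweak, f, 1)

    def decrypt(self, key: bytes, tweak: bytes, c: bytes, b: int) -> bytes:
        """Decryption query: invert branch b, then the common rounds and whitening."""
        s = self.branch_inv(key, tweak, c, b)
        for rnd in reversed(range(1, self.r_init + 1)):
            s = round_inv(s, round_key(key, tweak, rnd))
        return xor(s, round_key(key, tweak, 0))

    def reconstruct(self, key: bytes, tweak: bytes, c: bytes, b: int) -> bytes:
        """Reconstruction query: branch b output -> the other branch's output.
        Only the two branches are traversed; r_init plays no role here."""
        f = self.branch_inv(key, tweak, c, b)
        return self.branch(key, tweak, f, 1 - b)


if __name__ == "__main__":
    fc = ToyForkCipher(r_init=5, r0=5, r1=4)        # 5-4 branch lengths as in the abstract
    key, tweak = bytes(range(16)), bytes(range(8))  # constructed sample key and tweak
    m = b"sixteen byte msg"                         # constructed sample block
    c0, c1 = fc.encrypt(key, tweak, m)
    print(c0.hex(), c1.hex())
    print(fc.reconstruct(key, tweak, c0, 0) == c1)
```

`reconstruct` is the operation an attacker is given in the reconstruction-query setting: it walks back through one branch to the fork point and forward through the other, so the number of common rounds before the fork never enters the computation, which is why the abstract can leave that count as `*` while still counting the 5-round and 4-round branches. The model handles both directions (branch 0 to branch 1 and back), which the abstract's single notation ForkAES-*-5-4 does not spell out.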
