Abstract
We present new techniques to efficiently scan the space of high-probability differential trails in bit-oriented ciphers. Differential trails consist in sequences of state patterns that we represent as ordered lists of basic components in order to arrange them in a tree. The task of generating trails with probability above some threshold starts with the traversal of the tree. Our choice of basic components allows us to efficiently prune the tree based on the fact that we can tightly bound the probability of all descendants for any node. Then we extend the state patterns resulting from the tree traversal into longer trails using similar bounding techniques. We apply these techniques to the 4 largest Keccak-f permutations, for which we are able to scan the space of trails with weight per round of 15. This space is orders of magnitude larger than previously best result published on Keccak-f[1600] that reached 12, which in turn is orders of magnitude larger than any published results achieved with standard tools, that reached at most 9. As a result we provide new and improved bounds for the minimum weight of differential trails on 3, 4, 5 and 6 rounds. We also report on new trails that are, to the best of our knowledge, the ones with the highest known probability.
Highlights
Differential cryptanalysis (DC) exploits predictable difference propagation in iterative cryptographic primitives [BS90]
We have written new software to implement the techniques described in previous sections and the new code is available as part of the KeccakTools project [BDPV15]
We have used our code to cover the space of all 6-round trail cores up to weight T6 = 91, for the widths of Keccak-f between 200 and 1600
Summary
Differential cryptanalysis (DC) exploits predictable difference propagation in iterative cryptographic primitives [BS90]. The basic version makes use of differential trails ( called characteristics or differential paths) that consist of a sequence of differences through the rounds of the primitive. Given such a trail, one can estimate its differential probability (DP), namely, the fraction of all possible input pairs with the initial trail difference that exhibit all intermediate and final difference when going through the rounds. A trail is a sequence of round differentials and each round differential imposes a number of conditions on the pair at its input. For estimating the safety margin of a primitive, it is important to understand the distributions of trail
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
