The phantom of differential characteristics
- PDF / 455,092 Bytes
- 23 Pages / 439.37 x 666.142 pts Page_size
- 26 Downloads / 181 Views
The phantom of differential characteristics Yunwen Liu1,2 · Wenying Zhang4 · Bing Sun1 · Vincent Rijmen2,3 · Guoqiang Liu1 · Chao Li1 · Shaojing Fu5 · Meichun Cao4 Received: 30 November 2019 / Revised: 2 June 2020 / Accepted: 20 June 2020 © Springer Science+Business Media, LLC, part of Springer Nature 2020
Abstract For differential cryptanalysis under the single-key model, the key schedules hardly need to be exploited in constructing the characteristics, which is based on the hypothesis of stochastic equivalence. In this paper, we study a profound effect of the key schedules on the validity of the differential characteristics. Noticing the sensitivity in the probability of the characteristics to specific keys, we label the keys where a characteristic has nonzero probability by effective keys. We propose the concept of singular characteristics which are characteristics with no effective keys, and exploit an algorithm to sieve them out by studying the key schedule. We show by a differential characteristic of PRINCE whose expected differential probability is much larger than that of a random permutation, i.e., 2−35 vs. 2−64 . Yet, it is indeed singular which could be mis-used to mount a differential attack. Singular characteristics are found for 3-round AES and 3-round Midori-128 as well. Furthermore, taking the possible mismatches of the effective keys in a number of differential characteristics into consideration, we present singular clusters which indicates an empty intersection of the corresponding effective keys, and this is evidenced by showing two differential characteristics of the 2-round AES. We also show that characteristics are tightly linked to the key schedule, as shown in the paper, a valid characteristic in the AES-128 can be singular for the AES-192. Our results indicate a gap over the perspectives of the designers and the attackers, which warns the latter to validate the theoretically-built distinguishers. Therefore, a closer look into the characteristics is inevitable before any attack is claimed. Keywords Differential cryptanalysis · Key schedule · Effective keys · Singular characteristic · Singular cluster · AES · PRINCE Mathematics Subject Classification 94A60
Communicated by R. Steinfeld.
B B
Wenying Zhang [email protected] Bing Sun [email protected]
Extended author information available on the last page of the article
123
Y. Liu et al.
1 Introduction 1.1 Block ciphers and differential cryptanalysis Block ciphers play a fundamental role in symmetric-key cryptosystems, forming the basis of various applications such as stream ciphers, hash functions and message authenticating codes (MACs). Instead of seeking for a good permutation directly, modern block ciphers iterate a cryptographically weak function called round function many times to achieve both security and efficient implementation. Prominent examples of iterated block ciphers are the Data Encryption Standard, DES [28] and the Advanced Encryption Standard, AES [12]. Symmetric-key designs are expected to resist known cryptana
Data Loading...
