New Impossible Differential Cryptanalysis of ARIA

Ruilin Li, Bing Sun, Peng Zhang and Chao Li
Department of Mathematics and System Sciences, Science College, National University of Defense Technology, Changsha, 410073, P.R. China
[email protected], [email protected], [email protected]

Abstract. This paper studies the security of ARIA against impossible differential cryptanalysis. First, an algorithm is given that finds many new 4-round impossible differentials of ARIA. Using these impossible differentials, we improve the previous impossible differential attacks on 5- and 6-round ARIA. We also point out that the existence of such impossible differentials is due to the bad properties of the binary matrix employed in the diffusion layer.

Key Words: Block Cipher, Impossible Differential, ARIA

1 Introduction

ARIA [1] is a 128-bit block cipher designed by a group of Korean experts in 2003, which was later established as a Korean Standard by the Ministry of Commerce, Industry and Energy. ARIA supports key lengths of 128/192/256 bits, and its most interesting characteristic is its involutional structure, obtained by the special arrangement of neighbouring confusion layers together with an involutional diffusion layer [2].

The security of ARIA was initially analyzed by its designers against differential cryptanalysis, linear cryptanalysis, truncated differential cryptanalysis, impossible differential cryptanalysis, higher order differential cryptanalysis, the square attack and the interpolation attack [1]. Later, Biryukov et al. performed an evaluation of ARIA, but they focused on truncated differential cryptanalysis and dedicated linear cryptanalysis [3]. Wu et al. first found a non-trivial 4-round impossible differential, which led to a 6-round attack on ARIA requiring about $2^{121}$ chosen plaintexts and about $2^{112}$ encryptions [4].

Impossible differential cryptanalysis, found independently by Knudsen [6] and Biham [7], uses one or more differentials of probability 0, called impossible differentials.
Unlike differential cryptanalysis [5], which recovers the key by exploiting a high-probability differential characteristic, impossible differential cryptanalysis is a sieving attack: an impossible differential is used to discard every candidate key under which the impossible differential would occur, until only the right key is left. Since its emergence, impossible differential cryptanalysis has been applied to many well-known block ciphers, such as AES [9-11] and, recently, the newly designed block cipher CLEFIA [12-14].

Impossible differentials are usually built in the miss-in-the-middle manner [8]: given an input difference $\alpha$, we go forward with probability 1 to some difference $\gamma$; meanwhile, from the output difference $\beta$, we go backward with probability 1 to another difference $\delta$; the differences $\gamma$ and $\delta$ then contradict each other, so we obtain an impossible differential $\alpha \nrightarrow \beta$. In [7], an automated technique called Shrinking was introduced as an efficient algorithm for finding impossible differentials of a new block cipher, but that method depends to a large extent on the structure of the block cipher and pays little attention to the details of the components of the round function.

In this paper we observe that, due to some bad properties of the binary matrix used in the diffusion layer, many new impossible differentials of ARIA can be found, and the impossible differentials found in [4] are special cases of ours. Based on these new impossible differentials and the Early Abort Technique introduced in [4, 5, 15], we mount an efficient attack on 5- and 6-round reduced ARIA. Table 4 summarizes our main cryptanalytic results compared with the previous impossible differential attack on ARIA.

The rest of the paper is organized as follows. In Section 2 we briefly describe the block cipher ARIA. In Section 3 we give some bad properties of the diffusion layer. In Section 4 we present an algorithm that finds many new 4-round impossible differentials.
Section 5 is our improved attack on 5- and 6-round reduced ARIA. We conclude the paper in Section 6.

2 Preliminaries

2.1 Description of ARIA

ARIA is an SPN-style block cipher with 12/14/16 rounds for keys of 128/192/256 bits respectively. In this paper the plaintext, the ciphertext and the input and output of the round function are treated as $4 \times 4$ matrices over $GF(2^8)$, i.e. elements of $GF(2^8)^{4 \times 4}$, or equivalently as 16-byte vectors in $GF(2^8)^{16}$; we call them states. The round function of ARIA consists of 3 basic operations: the Substitution Layer, the Diffusion Layer and the Round Key Addition. An $N$-round ARIA first applies a Round Key Addition, then iterates the round function $N - 1$ times; the last round is the same but omits the diffusion layer. The whole structure is depicted in Fig. 1, and the 3 basic operations are as follows:

Round Key Addition (RKA): a 128-bit round key is simply XORed to the state. The round key is derived from the cipher key by means of the key schedule; for the details of the key schedule we refer to [1].

Substitution Layer (SL): a non-linear byte substitution that operates on each byte of the state independently. In ARIA it is implemented by two S-boxes, $s_1$ and $s_2$, defined by affine transformations of the inverse function over $GF(2^8)$.

Diffusion Layer (DL): a $16 \times 16$ involutory binary matrix with branch number 8 was selected to improve the diffusion effect and to increase efficiency in both hardware and software implementations.

Fig. 1. Overall Structure of ARIA. (Figure not reproduced: the state is laid out column-wise as bytes $x_0, \ldots, x_{15}$, with column $c$ holding $x_{4c}, \ldots, x_{4c+3}$; the plaintext passes through RKA, then repeated SL, DL, RKA rounds, and a final SL, RKA without DL, giving the ciphertext bytes $z_0, \ldots, z_{15}$.)

2.2 Notations

In this paper we use the following notations:

$P$ or $P'$: the 128-bit plaintext
$C$ or $C'$: the 128-bit ciphertext
$X$: a 16-byte state, written $(x_0, \cdots, x_{15})$ with $x_i \in GF(2^8)$
$\Delta X$: the XOR ($\oplus$) difference of $X$
$h(X)$: the number of non-zero bytes in $X$
$X_i^I$ ($X_i^O$): the input (resp. output) of round $i$
$X_i^S$ ($X_i^D$): the value after application of SL (resp. DL) in round $i$
$X_{i,j}^{*}$: the $j$-th byte of $X_i^{*}$, where $* \in \{I, O, S, D\}$

3 Some Observations on the Diffusion Layer of ARIA

In [2], the authors presented an excellent algorithm for constructing a binary matrix $A$ (whose implementation can be performed efficiently) satisfying the following conditions:
(1) the branch number of $A$ is 8, which is the best possible for $A \in GF(2)^{16 \times 16}$;
(2) $A$ is an involution, i.e. $A^2 = I$, where $I$ is the identity transformation;
(3) resistance against truncated differential cryptanalysis;
(4) resistance against impossible differential cryptanalysis.
Such a binary matrix $A$ was later employed as the diffusion layer of ARIA.

In this section we use $X$ to denote the input of the DL and $Y$ its output. Both $X$ and $Y$ are treated as 16-byte vectors; $A$ can then be seen as a linear map from $GF(2^8)^{16}$ to $GF(2^8)^{16}$, and we write this transformation as $Y = AX$, as follows.
$$
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \\ y_8 \\ y_9 \\ y_{10} \\ y_{11} \\ y_{12} \\ y_{13} \\ y_{14} \\ y_{15} \end{pmatrix}
=
\begin{pmatrix}
0&0&0&1&1&0&1&0&1&1&0&0&0&1&1&0\\
0&0&1&0&0&1&0&1&1&1&0&0&1&0&0&1\\
0&1&0&0&1&0&1&0&0&0&1&1&1&0&0&1\\
1&0&0&0&0&1&0&1&0&0&1&1&0&1&1&0\\
1&0&1&0&0&1&0&0&1&0&0&1&0&0&1&1\\
0&1&0&1&1&0&0&0&0&1&1&0&0&0&1&1\\
1&0&1&0&0&0&0&1&0&1&1&0&1&1&0&0\\
0&1&0&1&0&0&1&0&1&0&0&1&1&1&0&0\\
1&1&0&0&1&0&0&1&0&0&1&0&0&1&0&1\\
1&1&0&0&0&1&1&0&0&0&0&1&1&0&1&0\\
0&0&1&1&0&1&1&0&1&0&0&0&0&1&0&1\\
0&0&1&1&1&0&0&1&0&1&0&0&1&0&1&0\\
0&1&1&0&0&0&1&1&0&1&0&1&1&0&0&0\\
1&0&0&1&0&0&1&1&1&0&1&0&0&1&0&0\\
1&0&0&1&1&1&0&0&0&1&0&1&0&0&1&0\\
0&1&1&0&1&1&0&0&1&0&1&0&0&0&0&1
\end{pmatrix}
\times
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \\ x_8 \\ x_9 \\ x_{10} \\ x_{11} \\ x_{12} \\ x_{13} \\ x_{14} \\ x_{15} \end{pmatrix}
$$

Let $\Lambda_i = \{t \mid 0 \le t \le 15,\ A_{i,t} = 1\}$ for $0 \le i \le 15$. Clearly $\Lambda_i$ describes exactly which input byte positions of $X$ the output byte $y_i$ depends on, since $y_i = \bigoplus_{t \in \Lambda_i} x_t$. Studying the sets $\Lambda_i$ listed in Table 1 thoroughly, we obtain the following proposition.

Table 1. The dependency between output $y_i$ and input byte positions of $X$

$\Lambda_0 = \{3,4,6,8,9,13,14\}$        $\Lambda_8 = \{0,1,4,7,10,13,15\}$
$\Lambda_1 = \{2,5,7,8,9,12,15\}$        $\Lambda_9 = \{0,1,5,6,11,12,14\}$
$\Lambda_2 = \{1,4,6,10,11,12,15\}$      $\Lambda_{10} = \{2,3,5,6,8,13,15\}$
$\Lambda_3 = \{0,5,7,10,11,13,14\}$      $\Lambda_{11} = \{2,3,4,7,9,12,14\}$
$\Lambda_4 = \{0,2,5,8,11,14,15\}$       $\Lambda_{12} = \{1,2,6,7,9,11,12\}$
$\Lambda_5 = \{1,3,4,9,10,14,15\}$       $\Lambda_{13} = \{0,3,6,7,8,10,13\}$
$\Lambda_6 = \{0,2,7,9,10,12,13\}$       $\Lambda_{14} = \{0,3,4,5,9,11,14\}$
$\Lambda_7 = \{1,3,6,8,11,12,13\}$       $\Lambda_{15} = \{1,2,4,5,8,10,15\}$

Proposition 1. Let $A$ be defined as above. Then for any $0 \le i \ne j \le 15$ there exists $E^{(i,j)} \subseteq GF(2^8)^{16}$ such that for any $X \in E^{(i,j)}$, $y_i = 0$ and $y_j \ne 0$.

Proof. From Table 1, for any $0 \le i \ne j \le 15$, $\Lambda_{ij} \triangleq \Lambda_j \setminus \Lambda_i \ne \emptyset$ (each $\Lambda_i$ has exactly seven elements and no two of them coincide, so $\Lambda_j \not\subseteq \Lambda_i$). Choose an arbitrary element $k$ of $\Lambda_{ij}$, and for $l = 0, 1, \cdots, 15$ let

$$
x_l = \begin{cases}
\alpha & \text{if } l = k, \text{ where } 0 \ne \alpha \in GF(2^8); \\
0 & \text{if } l \in \Lambda_i \cup \Lambda_j,\ l \ne k; \\
\beta & \text{otherwise, where } \beta \in GF(2^8) \text{ is arbitrary.}
\end{cases}
$$

Let $E_k^{(i,j)} = \{X \mid X = (x_0, \cdots, x_{15})\}$ be the set of all such $X$. Since $k \notin \Lambda_i$, every byte indexed by $\Lambda_i$ is zero, hence $y_i = 0$, while $y_j = x_k = \alpha \ne 0$. Therefore $E^{(i,j)} = \bigcup_{k \in \Lambda_{ij}} E_k^{(i,j)}$ satisfies all the conditions of Proposition 1.
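The following Python is an added example, not code from the paper: it encodes the matrix $A$ above as the byte-wise XOR map $Y = AX$, derives the sets $\Lambda_i$ of Table 1 from it, checks that $A$ is an involution and has branch number 8 (the search over the $2^{16}-1$ binary inputs is exact because $A$ is binary, so every bit-plane of a byte vector is mapped independently and the minimum of $h(X) + h(AX)$ is attained on a binary $X$), and carries out the construction from the proof of Proposition 1 for every pair $i \ne j$. The function names and the sample values $\alpha = $ 0x5A, $\beta = $ 0xC3 are my own choices and are not taken from the paper.

```python
"""Added example (not from the paper): the ARIA diffusion layer A as a
byte-wise XOR map over GF(2^8)^16, the dependency sets Lambda_i of Table 1,
and a check of the construction in the proof of Proposition 1."""

# Row i of A, transcribed from the 16x16 binary matrix in Section 3;
# the positions holding a 1 in row i are exactly the set Lambda_i.
A_ROWS = [
    "0001101011000110", "0010010111001001", "0100101000111001", "1000010100110110",
    "1010010010010011", "0101100001100011", "1010000101101100", "0101001010011100",
    "1100100100100101", "1100011000011010", "0011011010000101", "0011100101001010",
    "0110001101011000", "1001001110100100", "1001110001010010", "0110110010100001",
]
A = [[int(b) for b in row] for row in A_ROWS]
# Same rows as 16-bit integers with bit t set iff A[i][t] = 1 (used by branch_number).
ROW_MASKS = [int(row[::-1], 2) for row in A_ROWS]


def diffusion(x):
    """Y = A X over GF(2^8)^16: y_i is the XOR of the bytes x_t with A[i][t] = 1."""
    assert len(x) == 16
    y = []
    for i in range(16):
        acc = 0
        for t in range(16):
            if A[i][t]:
                acc ^= x[t]
        y.append(acc)
    return y


def weight(x):
    """h(X): the number of non-zero bytes of X."""
    return sum(1 for b in x if b != 0)


def lambda_sets():
    """Lambda_i = {t : A[i][t] = 1}, the dependency sets of Table 1."""
    return [{t for t in range(16) if A[i][t]} for i in range(16)]


def is_involution():
    """Check A^2 = I over GF(2)."""
    for i in range(16):
        for j in range(16):
            s = sum(A[i][t] & A[t][j] for t in range(16)) % 2
            if s != (1 if i == j else 0):
                return False
    return True


def branch_number():
    """min over non-zero X of h(X) + h(AX), searched over binary X only.

    Because A is binary, each bit-plane of a byte vector is mapped
    independently, so restricting to binary inputs loses nothing."""
    best = 33
    for mask in range(1, 1 << 16):
        wt_in = bin(mask).count("1")
        # output bit i is the parity of the bits of mask selected by row i
        wt_out = sum(bin(r & mask).count("1") & 1 for r in ROW_MASKS)
        best = min(best, wt_in + wt_out)
    return best


def proposition1_witness(i, j, alpha=0x5A, beta=0xC3):
    """Build X in E_k^{(i,j)} as in the proof of Proposition 1 and return
    (X, y_i == 0 and y_j != 0). alpha must be non-zero; beta is arbitrary.
    The default alpha/beta are arbitrary sample values chosen for this example."""
    lam = lambda_sets()
    diff = lam[j] - lam[i]          # Lambda_ij = Lambda_j \ Lambda_i
    assert diff, "Lambda_j - Lambda_i must be non-empty"
    k = min(diff)                   # any k in Lambda_ij works
    x = []
    for l in range(16):
        if l == k:
            x.append(alpha)
        elif l in lam[i] | lam[j]:
            x.append(0)
        else:
            x.append(beta)
    y = diffusion(x)
    return x, (y[i] == 0 and y[j] != 0)


def proposition1_holds_for_all_pairs():
    """Exhaustively confirm the construction for every i != j."""
    return all(proposition1_witness(i, j)[1]
               for i in range(16) for j in range(16) if i != j)


if __name__ == "__main__":
    print("A is an involution:", is_involution())
    print("branch number:", branch_number())
    x, ok = proposition1_witness(0, 1)
    print("X for (i, j) = (0, 1):", x, "-> y_0 = 0 and y_1 != 0:", ok)
    print("Proposition 1 holds for all pairs:", proposition1_holds_for_all_pairs())
```

The witness for $(i, j) = (0, 1)$ picks $k = 2 \in \Lambda_1 \setminus \Lambda_0$, so only $x_2$ is non-zero among the positions in $\Lambda_0 \cup \Lambda_1$ and $y_1 = x_2 = \alpha$ while $y_0 = 0$; the remaining positions $0, 1, 10, 11$ may take any value, which is what makes $E^{(i,j)}$ a large set rather than a single vector.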