Multidimensional Differential-Linear Cryptanalysis of ARIA Block Cipher Wentan Yi, Jiongjiong Ren, and Shaozhen Chen ARIA is a 128-bit block cipher that has been selected as I. Introduction a Korean encryption standard. Similar to AES, it is robust against differential cryptanalysis and linear cryptanalysis. ARIA [1] is a block cipher designed by the Korean In this study, we analyze the security of ARIA against cryptographers Kwon and others in ICISC 2003. The upgraded differential-linear cryptanalysis. We present five rounds version 1.0 of ARIA [2] was selected as a Korean standard of differential-linear distinguishers for ARIA, which block cipher by the Ministry of Commerce, Industry, and can distinguish five rounds of ARIA from random Energy [3] in 2004. ARIA has also been adopted by several permutations using only 284.8 chosen plaintexts. standard protocols such as IETF (RFC 5794 [4]), SSL/TLS Moreover, we develop differential-linear attacks based on (RFC 6209 [5]) and PKCS #11 [6]. In Korea, ARIA has been six rounds of ARIA-128 and seven rounds of ARIA-256. used widely, especially in government-to-public services. Thus, This is the first multidimensional differential-linear studies of the security of ARIA are important in various areas cryptanalysis of ARIA and it has lower data complexity of cryptanalysis and it is necessary to constantly reevaluate its than all previous results. This is a preliminary study and security using various cryptanalytic techniques. further research may obtain better results in the future. The design of ARIA is provably resistant against differential and linear attacks, but many other cryptanalysis methods have Keywords: ARIA, Block cipher, Cryptanalysis, Linear been developed to attack ARIA, such as integral attacks [7], [8], hull, Multidimensional differential-linear attack. boomerang attacks [9], meet-in-the-middle attacks [10]–[12], impossible differential attacks [13]–[15], zero-correlation linear attacks [16], and biclique attacks [17]. Li and others [7] presented integral attacks based on six-round ARIA-128 and seven-round ARIA-256. Fleischmann and others [9] reported boomerang attacks based on six rounds of ARIA-128 and seven rounds of ARIA-256 using all the plaintexts. Wu and others [13] presented a six-round impossible differential attack against ARIA, which was improved with lower attack complexities by Li and others [14]. Du and Chen [15] demonstrated an impossible differential attack on seven-round ARIA-256 with one extended round. Yi and others [16] reported some four-round zero-correlation linear Manuscript received Aug. 7, 2016; revised Oct. 11, 2016; accepted Nov. 29, 2016. approximations of ARIA and presented zero-correlation linear Wentan Yi (corresponding author, [email protected]), Jiongjiong Ren ([email protected]), and Shaozhen Chen ([email protected]) are with the attacks on six rounds of ARIA-128 and seven rounds of ARIA- State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, 256. Chen and Xu [17] presented biclique attacks on full-round China. ARIA-256 with about 2255.2 encryptions. Tang and others [10] This is an Open Access article distributed under the term of Korea Open Government employed a meet-in-the-middle attack to break seven rounds License (KOGL) Type 4: Source Indiction + Commercial Use Prohibition + Change Prohibition (http://www.kogl.or.kr/news/dataFileDown.do?dataIdx=71&dataFileIdx=2). of ARIA-192 and eight rounds of ARIA-256, which 108 Wentan Yi et al. © 2017 ETRI Journal, Volume 39, Number 1, February 2017 https://doi.org/10.4218/etrij.17.0116.0544 Table 1. Comparison of attacks on ARIA. Attack type Rounds Date Time Memory Reference Integral 6 2127.2 CPs 2124.4 Enc 2124.4 Byte [7] Integral 7 2100.6 CPs 2225.8 Enc N/A [7] Impossible differential 6 2125 CPs 2238 Enc 2121 Byte [15] Impossible differential 7 2125 CPs 2238 Enc 2125 Byte [15] Zero correlation linear 6 2123.6 KPs 2121 Enc 290.3 Byte [16] Zero correlation linear 7 2124.6 KPs 2203.5 Enc 2152 Byte [16] Meet-in-the-middle 7 2120 KPs 2185.3 Enc 2187 Byte [10] Meet-in-the-middle 7 2113 KPs 2135.1 Enc 2130 Byte [12] Boomerang 6 2128 KPs 2108 Enc 256 Byte [9] Boomerang 7 2128 KPs 2236 Enc 2184 Byte [9] Differential-linear 6 284.4 CPs 2112.8 Enc 296 Byte Section 4.1 Differential-linear 7 284.6 CPs 2215.3 Enc 2224 Byte Section 4.2 were improved by Akshima and others [11] and Bai and others differential-linear distinguishers for five-round ARIA with [12], respectively. multiple input differences and multidimensional linear output However, the security of ARIA against differential-linear masks, which can distinguish five rounds of ARIA from attack is still unclear. Differential-linear attack, which was random permutations using about 284.8 chosen plaintexts. introduced by Langford and Hellman [18], is a combination of Launching attacks on ARIA with multidimensional differential and linear attacks, where the basic idea is to split the differential-linear cryptanalysis. Five-round differential-linear cipher under consideration into two parts. A strong truncated distinguishers are given, thus we could mount a key-recovery differential exists for the first part of the cipher and a strongly attack against round-reduced ARIA using a multidimensional biased linear approximation for the second part. Subsequently, differential-linear attack. The attack on six-round ARIA requires these types of attacks were discussed and generalized by 283.1 chosen plaintexts and 2101.4 encryptions. Moreover, we Biham and others [19], Langford [20], Liu and others [21], Lu propose an attack on seven-round ARIA with a data complexity [22], and Wagner [23]. A more rigorous analysis was provided of 283.1 chosen plaintexts and time complexity of 2215.3 encryptions. recently by Blondeau and others [24] in FSE 2014, where a These are the first applications of the multidimensional multidimensional generalization was introduced, which was differential-linear attack technique. Table 1 summarizes several defined for multiple input differences and multidimensional previous types of attack and our results based on ARIA. linear output masks. The remainder of this paper is organized as follows. In This paper focuses on the multidimensional differential- Section II, we provide a brief description of ARIA and a linear attack on ARIA. Several five-round differential-linear formalized description of differential-linear cryptanalysis. In distinguishers are constructed for ARIA, and the security of six Section III, we construct several five-round differential-linear rounds of ARIA-128 and seven rounds of ARIA-256 are distinguishers for ARIA. Using these distinguishers, Section IV evaluated by multidimensional differential-linear cryptanalysis. presents the attacks on six-round ARIA-128 and seven-round Our main contributions are summarized as follows. ARIA-256. In Section V, we give our conclusions. Construction of several differential-linear distinguishers for -round ARIA. In EUROCRYPTO 2016, Sun and others II. Preliminaries [25] proved that the longest rounds was four for the impossible differentials and zero correlation linear hulls of ARIA without First, we give some notations and definitions that are used considering the S-box details. In CRYPTO 2016, Sun and throughout this study, as well as a brief description of ARIA. others [26] constructed several types of five-round zero- We then provide a formalized description of differential-linear correlation linear hulls for AES provided that the difference of cryptanalysis. two subkey bytes is known. However, this method cannot be employed to construct longer distinguishers for ARIA due to 1. Notations and Definitions the specific usage of the neighboring confusion layer and involutional diffusion layer. This paper describes several |A| denotes the number of elements in set A. Given a ETRI Journal, Volume 39, Number 1, February 2017 Wentan Yi et al. 109 https://doi.org/10.4218/etrij.17.0116.0544 n subspace U of 2 , let us denote U as the orthogonal SL1 is used in the odd rounds and SL2 is used in the even n rounds. subspace of U with respect to the inner product of 2 . We use n DL: The linear DL is a 16 × 16 involution binary matrix with the notation sp(a) to denote the vector subspace {0,a } 2 spanned by a. The plaintexts and ciphertexts are denoted by p c. branch number 8. A 128-bit internal state A is represented as a 4 × 4 byte matrix. 0001101011000110 The symbol A[i] is used to express a byte of A, where i is the 0010010111001001 0100101000111001 ordering of bytes i = 0, … , 15 and the first column includes 1000010100110110 A[0, 1, 2, 3], the second column includes A[4, 5, 6, 7], and so 1010010010010011 on. The number of rounds is denoted by N . The symbols X, Y, 0101100001100011 r i i 1010000101101100 and Zi denote the intermediate values before the substitution 0101001010011100 layer (SL), diffusion layer (DL), and AddRoundKey (AK) 1100100100100101 operations in the i-th round, respectively. The subkey of the i-th 1100011000011010 0011011010000101 round is denoted by k and the whitening key is denoted by k . i 0 0011100101001010 The symbol ui is used to represent the equivalent key with ui = 0110001101011000 1001001110100100 DL(ki) . 1001110001010010 n Given a vectorial Boolean function F on 2 , the differential 0110110010100001 is given by () with an input difference ∆ and an AK: This is an operation for XORing the state and the 128- output difference δ, and its probability is defined as bit round subkey. n PrF ()2|, | A(,) An additional whitening AK operation is performed before the first round and a DL operation is omitted in the last round. where A{|()()}. xn fx fx (,) 2 Our attacks do not utilize the key relations, so we omit the The linear approximation is given by () with an details of ARIA’s key schedule.