Multiple Impossible Differentials Cryptanalysis on 7-Round ARIA-192

This paper studies the security of 7-round ARIA-192 against multiple impossible differentials cryptanalysis. We propose six special 4-round impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. Based on these differentials, we construct six attack trails including the maximum number of common subkey bytes. Under such circumstances, we utilize an efficient sieving process to improve the efficiency of eliminating common subkeys; therefore, both data and time complexities are reduced. Furthermore, we also present an efficient algorithm to recover the master key via guess-and-determine technique. Taking advantage of the above advances, we have obtained the best result so far for impossible differential cryptanalysis of ARIA-192, with time, data, and memory complexities being 7-round ARIA encryptions, chosen plaintexts, and bytes, respectively.


Introduction
Impossible differential attack [1] is a significant method in cryptanalysis for block ciphers. Researchers will first build one or more differentials whose probabilities are zero. Then based on these differentials, they will construct attack trails and obtain the correct subkeys by rejecting all the wrong subkeys. The second phase is called the subkey sieving phase. Actually, the subkey sieving phase is highly technical: in 2008, Lu et al. [2] introduced the early abort technique. They guessed a small quantity of subkeys and selected the useful pairs which can produce the expected difference so as to reduce time complexity. At ASIACRYPT 2014, Boura et al. [3] presented the state-test technique to reduce time complexity by decreasing the quantity of subkey bits during an attack. Li et al. [4] presented the new early abort technique which does not need to check all the remaining pairs, therefore reducing time complexity. As a powerful form of cryptanalysis, impossible differential attack is extensively used to analyze many block ciphers, such as ARIA [5] and AES [6].
In 2008, multiple impossible differentials cryptanalysis was proposed by Tsunoo et al. [7], and Lu et al. also presented the idea that multiple variants of the attack trail can be applied using the same data set [8]. After that, Boura et al. [3] and Li et al. [4,9] also used multiple impossible differentials to attack CLEFIA, Camellia, FOX, and so on and got good results. They aimed at recovering more subkey bits and increasing the probability of the remaining pairs, thus reducing data complexity. For example, Li et al. [9] presented multiple impossible differentials attacks on FOX with better results than other cryptanalysis of FOX known so far. They constructed four impossible differentials to recover four parts of subkeys. Note that these four differentials play the same role, and the order of differentials to be used does not affect the result.
ARIA, a 128-bit substitution-permutation network block cipher, was proposed as the Korean standard block cipher algorithm in 2004. After analyzing its security against linear, differential, impossible differential, and square attacks, the designers declared that ARIA has a better resistance against the above cryptanalysis than AES. Wu et al. [10] constructed a 4-round impossible differential and presented a 6-round attack on ARIA. The cryptanalytic result was further enhanced by Li et al. [11] and Shenhua and Chunyan [12], respectively. Then Du and Chen [13] proposed a 7-round impossible differential attack on ARIA-256. Xie and Chen [14] presented a 7-round impossible differential attack on ARIA-192 (however, we find a flaw in the steps of its cryptanalysis). Despite all these contributions, the previous studies neither recover the actual master key of ARIA nor study its security against multiple impossible differentials cryptanalysis.
At EUROCRYPT 2016, Sun et al. proved that if the details of the S-boxes are not considered, the length of the impossible differential of ARIA could not be improved [15], so we would like to improve the sieving process to obtain better results. Different from preceding studies, our multiple impossible differentials cryptanalysis is expected to reduce the retention rate of wrong subkeys in the subkey sieving phase, thus reducing data complexity and time complexity. We also optimize the order of attack trails (i.e., the attack trails with the maximum number of common bytes are given priority). If we conclude that a current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails; therefore, the efficiency of eliminating common subkeys can be improved. Based on this efficient sieving process, we propose the first multiple impossible differentials attack on 7-round ARIA-192, which improves impossible differential attack in two dimensions (i.e., data and time complexities). Table 1 is the comparison of cryptanalytic results on ARIA.
The remainder of the paper is organized as follows. Section 2 briefly describes the ARIA cipher and provides the notations adopted in this paper. Section 3 constructs the 4-round multiple impossible differentials. Section 4 presents our impossible differential attacks on 7-round ARIA-192 combined with various techniques. Section 5 concludes this paper.

Description of ARIA.
The block cipher ARIA is a 128-bit SPN cipher, and the number of rounds is 12/14/16 for keys of 128/192/256 bits, respectively. The plaintext, the ciphertext, and the internal state of ARIA are treated as a 4 × 4 matrix, as shown in Figure 1.
Three operations are applied in every round as follows.
(1) Round Key Addition (AK). This operation includes an XOR with the round subkeys which are derived from the master key.
(2) Substitution Layer (SL). This operation, based on four types of 8-bit S-boxes $S_1$, $S_2$, $S_1^{-1}$, and $S_2^{-1}$, has two types of substitution layers $SL_1$ and $SL_2$. $SL_1$ is for the odd rounds, and $SL_2$ is for the even rounds. The specific layers are as follows.
The key schedule algorithm can be divided into two parts, that is, Initialization and Round Key Generation. This section focuses on the description of ARIA-192. For more details, please refer to [5].
(1) Initialization. The master key is 192 bits in size which is loaded to 256 bits (KL, KR), and the remaining 64-bit space on KR is filled with zero.
Then, four 128-bit values of ( 0 ,  1 ,  2 ,  3 ) are generated from (KL, KR) as follows: where   is the even round function and   is the odd round function. Three 128-bit values of ($CK_1$, $CK_2$, $CK_3$) are constants.

Four-Round Impossible Differentials of ARIA
We find six 4-round impossible differentials of ARIA with the same input difference. As shown in Figure 2, two bytes of the input difference are nonzero, and the others are zero. Four bytes of the output difference are nonzero and equal, and the others are zero. The other five differentials have the same input difference and different output difference with the maximum number of nonzero common bytes. The positions of nonzero difference are shown in Table 2.
Taking the first differential as an example, we describe its property as follows.

A Multiple Impossible Differentials Attack on 7-Round ARIA-192
As shown in Figure 3, two rounds at the top and one round at the bottom are added to the 4-round differentials. We first propose the multiple impossible differentials attack on 7-round ARIA-192 combined with a series of techniques.

Properties of Diffusion Layer.
In this section, we first analyze the flaw in [14] and then describe the two linear properties used in this paper.
See Appendix for the proof of these two properties.

An Efficient Sieving Process.
In this section, we introduce an efficient sieving process. For simplicity, we abbreviate the notation in Table 3.
The idea of the efficient sieving process is summarized as below. We would like to construct some special attack trails with the maximum number of common bytes. Then the common subkeys can be repeatedly sieved by multiple attack trails. If we conclude that the current common subkey is wrong, it is unnecessary for this common subkey to be sieved by other attack trails, therefore reducing the retention rate in sieving subkeys and improving the result.
First, we find some impossible differentials which have the same input difference and different output difference with the maximum number of nonzero common bytes. In this paper, only 2-byte extra nonzero output differences are needed, and then five extra differentials can be constructed.
Second, we optimize the order of attack trails to be used (i.e., the attack trails with the maximum number of common bytes are given priority). In this paper, although each attack trail discards possible values of 24 subkey bytes, the first two attack trails have 23 common subkey bytes, and only 26 subkey bytes need to be sieved in our attack scenario, which includes six attack trails. Then these common subkeys can be sieved multiple times and the wrong subkeys will be rejected as soon as possible, therefore reducing the complexity.
In Section 4.3, we use the efficient sieving process to reduce data complexity and time complexity from steps (12) to (16) in the online phase. In Section 4.6, we analyze the complexity when attackers only use one of these attack trails with the same techniques. The comparison of the two complexities indicates that this efficient sieving process is practical. In this section, the procedure will be divided into two phases.

The Procedure of 7-Round Attack on
Precomputation Phase. Let  denote one of four types of 8-bit S-boxes and $\Delta_{in}$ and $\Delta_{out}$ denote the input and output difference of S-boxes. When $\Delta_{in}$ and $\Delta_{out}$ are nonzero bytes, the equation () ⊕ ( ⊕ Δ in ) = Δ out has one solution on average.
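The "one solution on average" figure can be checked by tabulating the equation for a concrete S-box. The following is an added example, not code from the paper: it generates ARIA's S-box $S_1$ (which is the AES S-box) from its algebraic definition and builds the lookup table indexed by input and output difference; the variable `x` and all function names are assumptions of this sketch.

```python
# Added example: precomputed solution table for S(x) ^ S(x ^ din) == dout.
# Assumption: S1 is generated from the AES S-box definition (inverse in
# GF(2^8) followed by the affine map), not copied from the ARIA spec tables.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse computed as a^254; 0 maps to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def build_s1():
    """S1[x] = affine(inverse(x)) with constant 0x63."""
    box = []
    for x in range(256):
        y = gf_inv(x)
        box.append(y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63)
    return box

def build_solution_table(sbox):
    """Map (din, dout) -> list of x with sbox[x] ^ sbox[x ^ din] == dout, din != 0."""
    table = {}
    for din in range(1, 256):
        for x in range(256):
            table.setdefault((din, sbox[x] ^ sbox[x ^ din]), []).append(x)
    return table

def table_stats(table):
    """Return (average solutions per nonzero (din, dout) pair, distinct list sizes)."""
    total = sum(len(v) for v in table.values())
    return total / (255 * 255), sorted({len(v) for v in table.values()})

S1 = build_s1()
TABLE = build_solution_table(S1)
AVERAGE, SIZES = table_stats(TABLE)
```

The average comes out at 256/255, and any single nonzero pair has either no solution, two, or four, which is why the table is stored once and then only looked up in the online phase.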
Online Phase. The online phase can be summarized in the following steps. Through the quick sort method [20], steps (1) and (2) select useful plaintext pairs whose ciphertext pairs meet the requirements of the structure. By using Properties 2 and 3, steps (3)-(11) select the plaintext pairs which can obtain the input difference of the distinguisher. According to six special impossible differential attack trails, steps (12)-(16) reject wrong subkeys through the efficient sieving process. Taking advantage of master key recovery algorithm, step (17) rejects wrong subkeys and recovers the master key of ARIA-192.
The specific steps are as follows:
(1) Select $2^{112}$ plaintexts which are fixed in 2 bytes (0, 10), and take all the values in other 14 bytes. These $2^{112}$ plaintexts are called a structure. We take 2  structures and obtain 2 +112 × (2 +112 − 1)/2 ≈ 2 +223 plaintext pairs.
(2) By the quick sort method [20], we can choose the pairs whose ciphertext pairs have zero difference in   0 ,   1 are 14-byte whitening keys and 6-byte subkeys in the first round during an attack, respectively;  () 7 are 4-byte subkeys which need to be guessed in the 7-th round when using the -th distinguisher.
(14.1) The procedure of choosing the expected pairs of $\Omega_3$ is similar to step (13.1).

Complexity Analysis.
The complexity in the precomputation phase can be neglected compared with the complexity in the online phase. The complexities of steps (2)-(10) are shown in Table 4.
Step (12) The time complexity of step (13) has the same value as step (12).
Each wrong subkey is rejected by 2 +23 pairs with a probability of .
The complexity of step (17) is detailed in Section 4.5.

The Procedure of Recovering the Master Key for ARIA-192.
In 2015, Akshima et al. [19] presented the master key recovery attacks on ARIA for the first time. Through the guess-and-determine technique, we present an efficient algorithm to recover the master key. Taking step (1) of the master key recovery algorithm as an example, if we guess $2^{128}$ values of  0 as proposed in [19], the time complexity is equal to $2^{128} \times (1/7) = 2^{125.2}$ 7-round ARIA encryptions. Based on guess-and-determine technique, the time complexity can be reduced to $2^{76.5}$ 7-round ARIA encryptions in this paper. For better understanding, we first describe the idea of master key recovery algorithm, and then the specific steps are specified.
The details of step (1) are as follows.
By attacking as many common subkey bytes as possible when using different attack trails, the efficient sieving process can improve the efficiency of sieving wrong subkeys, so it helps to reduce the retention rate of wrong subkeys to $2^{-17.5 \times 6} = 2^{-105}$. Furthermore, based on one of these attack trails, we analyze the complexity with the same attack scenario, which needs to take  = 7.1, and the time, data, and memory complexities are $2^{191.3}$, $2^{119.1}$, and $2^{189.8}$, respectively. The comparison of the two complexities is shown in Table 5.
It is known from the comparison that the efficient sieving process can increase the efficiency of sieving subkeys, so the results are improved to an extent.

Conclusion
In this paper, we utilize an efficient sieving process, which can be applied to multiple impossible differentials attack. The efficient sieving process can reduce the retention rate of wrong subkeys; thus, both data complexity and time complexity can be reduced. Taking advantage of a series of techniques, we present multiple impossible differentials cryptanalysis on 7-round ARIA-192 and recover the master key, with the best result so far for impossible differential cryptanalysis of ARIA-192.

Figure 1: Sixteen cells with every byte numbered.

Figure 2 underlines this contradiction, and the other five impossible differentials can also be proven in a similar way.

𝑒 1 𝑑 3
) are satisfied simultaneously.
Proof of Property 3. Based on the condition that 6-byte difference satisfies  0 =  1 =  7 =  10 =  11 =  12 =  ≠ 0 and the others are zero, we know from the definition of DL that  0 = 0 reach that 2-byte difference  7 =  13 ≠ 0 and the others are zero. To prove the property in the opposite direction, based on the condition that  7 =  13 ≠ 0 and the others are zero, we know from the definition of DL −1 that  0 =   1 =   2 = 0 we can reach that 6-byte difference  0 =  1 =  7 =  10 =  11 =  12 ≠ 0 and the others are zero. To sum up, the necessary and sufficient condition that 6-byte difference satisfies equation  0 =  1 =  7 =  10 =  11 =  12 =  ≠ 0 and the others are zero is that 2-byte difference satisfied equation  7 =  13 ≠ 0 and the others are zero.

Table 1: The comparison of cryptanalytic attacks on ARIA.
mk: recover the actual master key; -: not given in the related paper.

Table 4: The complexity of online phase.