New Methods for Bounding the Length of Impossible Differentials of SPN Block Ciphers

IF 2.2 3区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Information Theory Pub Date : 2024-10-07 DOI:10.1109/TIT.2024.3473940

Senpeng Wang;Dengguo Feng;Tairong Shi;Bin Hu;Jie Guan;Kai Zhang;Ting Cui

{"title":"New Methods for Bounding the Length of Impossible Differentials of SPN Block Ciphers","authors":"Senpeng Wang;Dengguo Feng;Tairong Shi;Bin Hu;Jie Guan;Kai Zhang;Ting Cui","doi":"10.1109/TIT.2024.3473940","DOIUrl":null,"url":null,"abstract":"How to evaluate the security of Substitution-Permutation Network (SPN) block ciphers against impossible differential (ID) cryptanalysis is a valuable problem. In this paper, a series of methods for bounding the length of IDs of SPN block ciphers are proposed. Firstly, we propose the definitions of minimal representative set and partition table. Therefore, an improved partition-first implementation strategy for bounding the length of IDs is given. Secondly, we introduce a new definition of ladder and propose the ladder-first implementation strategy for bounding the length of IDs. In order to be able to apply ladder-first implementation strategy in practice, the methods for determining ladders and integrating a ladder into searching models are given. Thirdly, a heuristic algorithm called dynamic-ladder-partition implementation strategy is proposed. According to our experimental results, dynamic-ladder-partition implementation strategy is more suitable for SPN ciphers whose number of elements in partition tables is little. Fourthly, rotation-equivalence ID sets of ciphers are explored to reduce the number of models that need to be considered. As applications, we show that 9-round PRESENT, 5-round AES, 6-round Rijndael-160, 7-round Rijndael-192, 7-round Rijndael-224 and 7-round Rijndael-256 do not have any ID under the sole assumption that the round keys are uniformly random. What’s more, we obtain that 8-round GIFT-64, 12-round GIFT-128 and 14-round SKINNY-128 do not have any ID under the assumptions that GIFT and SKINNY are Markov ciphers and the round keys are uniformly random. Our methods fill crucial gaps on bounding the length of IDs with the differential properties of S-boxes considered. They enhance our confidence in the security and are valuable, especially for designers.","PeriodicalId":13494,"journal":{"name":"IEEE Transactions on Information Theory","volume":"70 12","pages":"9165-9178"},"PeriodicalIF":2.2000,"publicationDate":"2024-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Information Theory","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10706887/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

How to evaluate the security of Substitution-Permutation Network (SPN) block ciphers against impossible differential (ID) cryptanalysis is a valuable problem. In this paper, a series of methods for bounding the length of IDs of SPN block ciphers are proposed. Firstly, we propose the definitions of minimal representative set and partition table. Therefore, an improved partition-first implementation strategy for bounding the length of IDs is given. Secondly, we introduce a new definition of ladder and propose the ladder-first implementation strategy for bounding the length of IDs. In order to be able to apply ladder-first implementation strategy in practice, the methods for determining ladders and integrating a ladder into searching models are given. Thirdly, a heuristic algorithm called dynamic-ladder-partition implementation strategy is proposed. According to our experimental results, dynamic-ladder-partition implementation strategy is more suitable for SPN ciphers whose number of elements in partition tables is little. Fourthly, rotation-equivalence ID sets of ciphers are explored to reduce the number of models that need to be considered. As applications, we show that 9-round PRESENT, 5-round AES, 6-round Rijndael-160, 7-round Rijndael-192, 7-round Rijndael-224 and 7-round Rijndael-256 do not have any ID under the sole assumption that the round keys are uniformly random. What’s more, we obtain that 8-round GIFT-64, 12-round GIFT-128 and 14-round SKINNY-128 do not have any ID under the assumptions that GIFT and SKINNY are Markov ciphers and the round keys are uniformly random. Our methods fill crucial gaps on bounding the length of IDs with the differential properties of S-boxes considered. They enhance our confidence in the security and are valuable, especially for designers.

查看原文本刊更多论文

限定 SPN 区块密码不可能差分长度的新方法

如何评估置换-置换网络（SPN）块密码器在不可能差分（ID）密码分析中的安全性是一个有价值的问题。本文提出了一系列约束 SPN 区块密码 ID 长度的方法。首先，我们提出了最小代表集和分区表的定义。因此，本文给出了一种改进的 "分区优先"（partition-first）实施策略，用于约束 ID 的长度。其次，我们引入了梯形图的新定义，并提出了用于约束 ID 长度的梯形图优先实施策略。为了能够在实践中应用梯形优先实施策略，给出了确定梯形和将梯形集成到搜索模型中的方法。第三，提出了一种启发式算法，即动态梯形分区实施策略。根据我们的实验结果，动态梯形分区实现策略更适用于分区表元素数量较少的 SPN 密码。第四，探索了密码的旋转等价 ID 集，以减少需要考虑的模型数量。作为应用，我们证明了 9 轮 PRESENT、5 轮 AES、6 轮 Rijndael-160、7 轮 Rijndael-192、7 轮 Rijndael-224 和 7 轮 Rijndael-256 在轮密钥均匀随机的唯一假设下没有任何 ID。此外，在假设 GIFT 和 SKINNY 是马尔可夫密码且圆密钥是均匀随机的前提下，我们还发现 8 轮 GIFT-64、12 轮 GIFT-128 和 14 轮 SKINNY-128 没有任何 ID。我们的方法填补了利用所考虑的 S 盒的差分特性限定 ID 长度的关键空白。这些方法增强了我们对安全性的信心，特别是对设计者来说很有价值。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Information Theory 工程技术-工程：电子与电气

CiteScore

5.70

自引率

20.00%

发文量

514

审稿时长

12 months

期刊介绍： The IEEE Transactions on Information Theory is a journal that publishes theoretical and experimental papers concerned with the transmission, processing, and utilization of information. The boundaries of acceptable subject matter are intentionally not sharply delimited. Rather, it is hoped that as the focus of research activity changes, a flexible policy will permit this Transactions to follow suit. Current appropriate topics are best reflected by recent Tables of Contents; they are summarized in the titles of editorial areas that appear on the inside front cover.