Improved Impossible Differential Attack on 7-round Reduced ARIA-256

Abstract

ARIA is an involutory SPN block cipher. Its block size is 128-bit and the master key sizes are 128/192/256-bit, respectively. Accordingly, they are called ARIA-128/192/256. As we all know, ARIA is a Korean Standard block cipher nowadays. This paper focuses on the security of ARIA against impossible differential attack. We firstly construct a new 4-round impossible differential of ARIA. Furthermore, based on this impossible differential, a new 7-round impossible differential attack on ARIA-256 is proposed in our paper. This attack needs 2¹¹⁸ chosen plaintexts and 2²¹⁰ 7-round encryptions. Comparing with the previous best result, we improve both the data complexity and time complexity. To our knowledge, it is the best impossible differential attack on ARIA-256 so far.

1. Introduction

 ARIA [1] was published by National Security Research Institute of  Korea in 2003. One year later, it was selected as a Korean Standard block cipher. ARIA takes involution SPN structure. The block size of ARIA is 128-bit , while the master key sizes are 128/192/256-bit, respectively. We call them ARIA-128/192/256 accordingly. Moreover, the rounds of these three versions are 12/14/16, respectively. After ARIA was published, many cryptographers have analyzed ARIA from various security views, including differential cryptanalysis, linear cryptanalysis and so on [2]-[6].

 Among kinds of cryptanalytic methods, impossible differential attack (short for IDA in our paper) is a very effective attack against many byte-oriented  block ciphers [7]-[11]. It was first proposed to attack DEAL and Skipjack block ciphers by Knudsen [12] and Biham et al. [6],respectively. The main idea of this attack is exploiting an impossible differential (short for ID in our paper) to remove the wrong keys.

 For ARIA, in 2006, Wu et al. [13] first constructed some nontrivial 4-round ID of ARIA, and attacked reduced to 6 rounds of ARIA-128 with 2121 data complexity and 2112 time complexity. Later, at ISA 2008, Li et al. [14] found a new ID of ARIA-128, and they improved the complexity for 6-round attack. After that, in 2010, Li et al. [15] further improved 5/6-round IDA on ARIA-128. At the same year, at CANS 2010, Du et al. [16] first proposed 7-round IDA on ARIA-256, the attack needs 2125 data complexity and 2238 time complexity. Then, in 2012, Su [17] improved 7-round IDA with 2120 data complexity and 2219 time complexity. Very recently, Xie et al. [18] constructed a new 4-round ID and further improved 7-round IDA with only half of the previous best complexity in 2018. The summary of IDA on ARIA is shown in Table 1.

Table 1. Summary of impossible differential attack on ARIA

 In our paper, we first construct a new 4-round ID of ARIA. Then, based on this new ID of ARIA, a 7-round impossible differential attack is proposed. The data and time complexity of our attack is 2118 and 2210, respectively.  Comparing with the known IDAs on ARIA-256, our result is the best one.

 Organization. In Section 2, we first give some notations that will be used in our paper, then show a description of ARIA and the principle of IDA. After that, we construct a new 4-round ID of ARIA in Section 3. Moreover, with this ID, a 7-round attack on ARIA-256 is shown in Section 4. At the end, we conclude our paper in Section 5.

 

2. Preliminary

2.1 Notations

In this section, we define some notations described in Table 2.

Table 2. Some notations that will be used in this paper

 

2.2 Description of ARIA

The encryption process of ARIA block cipher is given in Fig. 1. Its 128-bit state is viewed as a 4×4 byte matrix described in Fig. 2. The iterative round function of ARIA is made up of three components:

Fig. 1.  Encryption process of ARIA

Fig. 2. 128-bit state of ARIA

 • SL: ARIA takes two kinds of Sboxes: S1 and S2. S1-1 and S2-1 denote the inverse of S1 and S2, respectively. Note that all of the sboxes in ARIA are 8-bit. In ARIA, SL1 /SL2 are taken in the odd/ even rounds, respectively. They are given in Fig. 3.

Fig. 3.  Two types of substitution layers in ARIA

 • DL: After working by SL, a state is updated by a 16×16 involutory binary matrix. For a 128-bit state X=(x0, x1, x2, , x13, x14, x15), where xi(i=0,1,2,  ,13,14,15) is a byte, DL is presented by Y=AX, and A is a matrix given in Fig. 4.

Fig. 4.  Matrix of DL in ARIA

 • RKA: It is updated by XORing the round key with the middle states, where the round key is obtained by the key schedule of ARIA.

 More details of ARIA that are not necessary for this paper can be referred to [1], we do not present them in our paper.

 

2.3 Principle of impossible differential attack

 Impossible differential attack can be divided into two steps. Firstly, one needs to construct an impossible differential. In this step, the most popular method to find impossible differentials is using the miss-in-the-middle technique. With this technique, the contradictions are obtained in the middle matching parts from the encryption and decryption directions. The other step is exploiting the constructed impossible differential to remove the wrong keys.

 As shown in Fig. 5, for a cipher E, the whole encryption could be divided into three parts: \(E=E_{2} \circ E_{1} \circ E_{0}\)  , where E₁ is the encryption of the impossible differential, E₀ and E₂ are some rounds encryption added to E₁ at the beginning and at the end, respectively. Firstly, we construct an impossible differential ∆α→∆β in E₁. Then, if the round keys that need to be guessed in  E₀ and E₂ are independent, we respectively guess the round keys to reduce the complexity. For example, choose a pair of plaintexts (P,P*) and the corresponding pair of ciphertexts (C,C*). We first guess the involved round keys \(K_{0}\) in E₀ for (P,P*) and calculate the output difference of E₀. If it is equal to ∆α, we put the keys \(K_{0}\) into table A. With the same way, we guess the involved round keys  in E2 for (C,C*) and calculate the output difference of E₂. If it is equal to ∆β, we put the keys \(K_{2}\) into table B. Finally, we only need to remove the candidate keys (k₀ ,k₂ ) in table A×B because the differential ∆α→∆β is impossible.

Fig. 5. Whole frame of impossible differential attack

 We denote l₀, l₂ by the bit number of guessed keys in E₀ and E₂,respectively. Moreover, if the probability that the random key can be remained through a pair of plaintexts (P,P*) is 1-2^-c, where c denotes the total bit number of the matched conditions, the probability that the random key can be remained through N pairs of plaintexts is

\(P r=\left(1-2^{-c}\right)^{N} \approx e^{-N / 2^{c}}.\)

 Then, choose different probability Pr, the complexity of the attack can be different. For example, if all wrong keys are requested to remove, N needs to satisfy the following inequation:

\(P r=\left(1-2^{-c}\right)^{N} \leq 2^{-\left(l_{0}+l_{2}\right)} \Rightarrow N \geq\left(l_{0}+l_{2}\right) \times \ln 2 \times 2^{c}.\)

 If N needs to satisfy \(P r=\left(1-2^{-c}\right)^{N} \leq 2^{-1}\) , which means only half of all wrong keys are  requested to remove at least,  N only needs to satisfy \(N \geq \ln 2 \times 2^{c}\)

 Note that all wrong keys are requested to remove in the previous best result [18]. However, we will take much appropriate Pr in this paper such that the complexity can be improved comparing with the previous one.

 

3. The 4-round impossible differential of ARIA

 We mainly construct a 4-round impossible differential of ARIA in this section.

 Proposition 1. For ARIA, the following 4-round differential is impossible:

\(\left(a_{0}, 0,0,0,0, a_{5}, 0,0,0,0,0,0,0,0,0,0\right) \rightarrow(f, f, 0,0,0,0, f, 0,0,0,0,0,0,0, f, 0)\)

where all of a₀, a₅ and f  denote non-zero byte.

Fig. 6. The 4-round impossible differential of ARIA

 Proof. It should be pointed out that the difference does not change through the RKA and RKA-1. As shown in Fig. 6, we first give the 2-round differential from the encryption direction as follows:

 Since ∆X₃I = (a0,0,0,0,0, a₅,0,0,0,0,0,0,0,0,0,0), after RKA and SL₁ of R₃, the difference is ∆X₃^S = (b₀,0,0,0,0,b5,0,0,0,0,0,0,0,0,0,0), where both b₀ and b₅ are unknown non-zero bytes. Then, after DL of R3,RKA and SL₂ of R₄, ∆X₄^S  become (0,c₁,0, c₃, c₄, 0, c₆,0, c₈, c₉, c₁₀,0,0, c₁₃, c₁₄, c₁₅). Moreover, after DL of R₄, the difference is ∆X₄^O  =(d₀,d₁, d₂, ,d₁₄,d₁₅), where

\(d_{11}=d_{14}=c_{3} \oplus c_{4} \oplus c_{5} \oplus c_{14}.\)

Thus, the difference ∆X₃I  evolves into ∆X₄^O with probability 1,  and the 11-th byte and 14-th byte values of ∆X₄^o are the same.

 From the decryption direction, we show the 2-round differential propagation (R5 and R6). Given that ∆X₆^O=( f,f,0,0,0,0,f,0,0,0,0,0,0,0,f,0), we get that ∆X₅^S =(0,0,0,0,0,0,f,0,0,0,f,f,0,0,0,f) through DL^-1of R₆. Moreover, after SL₂^-1 and RKA^-1 of R₆, the difference is ∆X₆^I = (0,0,0,0,0,0,e₆,0,0,0,e₁₀,e₁₁,0,0,0,e₁₅), where all of e₆,e₁₀,e₁₁,e₁₅ are unknown non-zero bytes. Moreover, after DL^-1,SL1^-1,RKA^-1 of R₅, the difference is ∆X₅^I=(d₀*, d₁*, d₂*, , d₁₄*, d₁₅*) where

\(d_{11}^{*}=0, d_{14}^{*}=\Delta S L^{-1}\left(e_{11}\right)\)

 Given that e₁₁=∆SL^-1(f)≠0, d₁₄*=∆SL^-1(e₁₁)≠0, thus, we have d₁₁*≠d₁₄*, which contradicts d₁₁= d₁₄ in the former 2-round differential. So, this 4-round impossible differential is constructed.

 

4. The 7-round impossible differential attack on ARIA-256

 In this section, with the above impossible differential, we propose the 7-round impossible differential attack on ARIA-256  whose data/time complexity is 2¹¹⁸/2²¹⁰. Comparing with the previous known results, the better threshold value of Pr will be taken and our attack can get better results.

 The 7-round impossible differential attack on ARIA-256 is described in Fig. 7. Before giving the procedure of this attack, we first present the following proposition which will be used to calculate the complexity.

 Proposition 2. In Fig. 7, when the following four equations hold,

 \(\left\{\begin{array}{l}c_{1}=c_{4} ;\\c_{3}=c_{6} ;\\c_{9}=c_{12}; \\c_{2} \oplus c_{7} \oplus c_{8} \oplus c_{10} \oplus c_{13} \oplus c_{15}=0,\end{array}\right.\)

the probability that making ∆X₁^S  become ∆X₁^O  whose 10 byte differences (0,2,3,4,5,7,9,11,12,14) are zero is 2^-32.

Fig. 7. The 7-round impossible differential attack on ARIA-256

 Proof . We define a state structure that the (0,2,3,4,5,7,9,11,12,14)-byte differences are zero, the other 8 byte differences are nonzero. Then, one structure has 2⁴⁸ states. In Fig. 7, after DL^-1 of R₁, we can get that \(c_{1}=b_{8} \oplus b_{15}, c_{4}=b_{8} \oplus b_{15} . \mathrm{So}, c_{1}=c_{4}\) with the probability 1 no matter what b₈ and b₁₅ are. With the same method, we have

\(\left\{\begin{array}{l}c_{3}=c_{6}=b_{10} \oplus b_{13}; \\c_{9}=c_{12}=b_{1} \oplus b_{6}.\end{array}\right.\)

Since

\(\left\{\begin{array}{l}c_{2}=b_{1} \oplus b_{6} \oplus b_{10} \oplus b_{15};\\c_{7}=b_{1} \oplus b_{6} \oplus b_{8} \oplus b_{13}; \\c_{8}=b_{1} \oplus b_{10} \oplus b_{13} \oplus b_{15} ;\\c_{10}=b_{6} \oplus b_{8} \oplus b_{13} \oplus b_{15}; \\c_{13}=b_{6} \oplus b_{8} \oplus b_{10} \oplus b_{13}; \\c_{15}=b_{1} \oplus b_{8} \oplus b_{10} \oplus b_{15},\end{array}\right.\)

 we have \(c_{2} \oplus c_{7} \oplus c_{8} \oplus c_{10} \oplus c_{13} \oplus c_{15}=0\). Thus, all of the four equations hold with probability 1. However, one of them holds with the probability 2-8 randomly. Therefore, the number of ∆X₁^S  is \(2^{112} \times\left(2^{-8}\right)^{4}=2^{80}\) . Given that DL is the linear transformation and the number of ∆X1O is 248, the probability that making ∆X1S  become ∆X₁^O in Fig. 7 is 2⁴⁸/2⁸⁰=2^-32.

 Note that the probability that ∆X₁^O  satisfies 10 byte differences (0,2,3,4,5,7,9,11,12,14) are zero randomly is (2^-8)¹⁰=2^-80<2-³².

 Our key recovery procedure for 7-round ARIA-256 is given below.

 Step 1: Choose structures of 2¹¹² plaintexts that they are different at the 14 bytes (0,1,2,3,4,5,6,7,8,9,10,12,13,15), and taking all values in the above 14 bytes. Thus, every structure can proposes 2¹¹²×2¹¹²×1/2 = 2²²³ pairs of plaintexts.

 Step 2: Take 2ⁿ structures (2ⁿ⁺¹¹² plaintexts and 2ⁿ⁺²²³ pairs of plaintexts). We only retain the pairs that the corresponding ciphertext pairs are zero difference at the 12 bytes (2,3,4,5,7,8,9,10,11,12,13,15). So, about 2ⁿ⁺²²³ ×2^-8×12=2ⁿ⁺¹²⁷ pairs can be remained.

 Since the guessed round keys in the encryption and decryption can be viewed independently, we will get the candidate round keys that belong to table A and table B, respectively.

 Step 3: Guess the 112-bit value of K₁.

 Step 3.1: For every remaining plaintext pair (P,P*), guess the candidates of (K_1,1,K_1,4), calculate SL₁(P \(\oplus\)K₁)   SL₁(P*\(\oplus\) K₁), and check if the values of two bytes (1,4)  are same. If yes, remain the plaintext pair. Consider that the probability is 2_-8, 2ⁿ⁺¹²⁷×2^-8 = 2ⁿ⁺¹¹⁹ pairs can be remained.

 Step 3.2: Similarly, for every remaining pair (P,P*), guess the candidates of (K_1,3,K_1,6), calculate SL₁(P\(\oplus\) K₁)   SL₁(P*\(\oplus\) K₁), and check if the values of two bytes (3,6)  are same. If yes, remain the plaintext pair. Consider that the probability is 2^-8, 2ⁿ⁺¹¹⁹×2^-8 = 2ⁿ⁺¹¹¹ pairs can be remained.

 Step 3.3: Guess the candidates of (K_1,9,K_1,12), calculate SL₁(P \(\oplus\)K₁) \(\oplus\)  SL1(P*\(\oplus\) K₁), and check if the values of two bytes (9,12)  are same. If yes, remain the plaintext pair. Consider that the probability is 2^-8, 2ⁿ⁺¹¹¹×2^-8 = 2ⁿ⁺¹⁰³ pairs can be remained.

 Step 3.4: Guess the candidates of (K_1,2,K_1,7,K_1,8,K_1,10,K_1,13,K_1,15), calculate SL1(P\(\oplus\) K₁)   SL₁(P* \(\oplus\)K₁), and check if the XOR sum of the six bytes (2,7,8,10,13,15) is zero. If yes, remain the plaintext pair. Consider that the probability is 2^-8, 2ⁿ⁺¹⁰³×2^-8 = 2ⁿ⁺⁹⁵ pairs can be remained.

Step 3.5: Guess the candidates of (K1,0,K1,5), calculate the two bytes (0,5) of SL₁(P \(\oplus\)K^₁)   SL₁(P*\(\oplus\) K₁).

 Step 3.6: For the remaining pairs, calculate ∆X₁^O and check if all of the 10 bytes (0,2,3,4,5,7,9,11,12,14) are zero. If yes, remain the pairs. According to proposition 2, the probability is 2^-32, 2ⁿ⁺⁹5×2^-32 = 2ⁿ⁺⁶³ pairs can be remained.

 Step 4: For every remaining pair (P,P*), guess the candidates of (K_2,1,K_2,6,K_2,8,K_2,10,K_2,13,K_2,15), calculate SL2(P\(\oplus\) K2)   SL2(P*\(\oplus\) K2), and check if the values of six bytes (1,6,8,10,13,15)  are same. If yes, remain the plaintext pair. Consider that the probability is 2^-8×5, 2ⁿ⁺⁶³×2^-8×5=2ⁿ⁺²³ pairs can be remained.

 Step 5: In the decryption direction, for every remaining pair (C,C*) after step 2, guess the candidates of (K_8,0,K_8,1,K_8,6,K_8,14), calculate SL1(C\(\oplus\) K8)   SL1(C* \(\oplus\)K8), and check if the values of four bytes (0,1,6,14)  are same. If yes, remain the plaintext pair. Consider that the probability is 2^-8×3, 2ⁿ⁺¹²⁷×2^-8×3=2ⁿ⁺¹⁰³ pairs can be remained.

 Complexity analysis:  The data complexity is 2ⁿ⁺¹¹² chosen plaintexts. We mainly calculate the time complexity presented in Table 3. Note that one round encryption of ARIA is made up of SL, DL, and RKA (DL is omitted in the last round), every encryption of SL, DL, and RKA is equal to 1/3 one round encryption.

 • Step 3.1 needs guess 2¹⁶ candidate keys and only 2 sboxes (total 16 sboxes in SL) are involved. Then, its time complexity is 2ⁿ⁺¹²⁷×2¹⁶×2×2/16×2/3=1/3×2ⁿ⁺¹⁴²one round encryption.

 • Step 3.2 needs guess 2¹⁶ candidate keys and only 2 sboxes are involved. Then, its time complexity is 2¹⁶×2ⁿ⁺¹¹⁹×2¹⁶×2×2/16×2/3=1/3×2ⁿ⁺¹⁵⁰ one round encryption.

 • Step 3.3 needs guess 2¹⁶ candidate keys and only 2 sboxes are involved. Then, its time complexity is 2³²×2ⁿ⁺¹¹¹×2¹⁶×2×2/16×2/3 =1/3×2ⁿ⁺¹⁵⁸one round encryption.

 • Step 3.4 needs guess 2⁴⁸ candidate keys and only 6 sboxes are involved. Then, its time complexity is 2⁴⁸×2ⁿ⁺¹⁰³×2⁴⁸×2×6/16×2/3 =2ⁿ⁺¹⁹⁸one round encryption.

 • Step 3.5 needs guess 2¹⁶ candidate keys and only 6 sboxes are involved. Then, its time complexity is 2⁹⁶×2ⁿ⁺⁹⁵×2¹⁶×2×2/16×2/3=1/3×2ⁿ⁺²⁰⁶ one round encryption.

 • Step 3.6 does not need guess any candidate keys and calculate DL encryption of R1. Then, its time complexity is 2¹¹²×2ⁿ⁺⁹⁵×2×1/3= 1/3×2ⁿ⁺²⁰⁸one round encryption.

 • Step 4 needs guess 2⁴⁸ candidate keys. Note that the early-abort technique [19] is applied in this step. It can be used to reduce the time complexity. Firstly, check whether the two bytes (1,6) of ∆X₂^S are the same, If yes, go on checking the two bytes (6,8) of ∆X₂^S ,and so on. Then, its time complexity is

\(2^{112} \times\left(2^{n+63} \times 2^{16}+2^{n+55} \times 2^{24}+2^{n+47} \times 2^{32}+2^{n+39} \times 2^{40}+2^{n+31} \times 2^{48}\right) \times 2 \times 6 / 16 \times 2 / 3=5 \times 2^{n+190}\)

 one round encryption.

 • Step 5 needs guess 2³² candidate keys. The early-abort technique is also applied in this step. Then, its time complexity is

\(\left(2^{n+127} \times 2^{16}+2^{n+119} \times 2^{24}+2^{n+111} \times 2^{32}\right) \times 2 \times 4 / 16=3 \times 2^{n+142}\)

one round encryption.

Table 3.  Complexity analysis of 7-round impossible differential attack

 Ngk: Number of guessed round key; 

 Nmc: Number of the matched condition;

 TC: Time Complexity.

 Combining with the above steps, the time complexity of our attack is

\(1 / 3 \times 2^{n+142}+1 / 3 \times 2^{n+150}+1 / 3 \times 2^{n+158}+2^{n+198}+1 / 3 \times 2^{n+206}+1 / 3 \times 2^{n+208}+5 \times 2^{n+190}+3 \times 2^{n+142} \approx5 / 12 \times 2^{n+208}\)(one round encryption).

 It is about 1/7×5/12×2ⁿ⁺²⁰⁸≈2^n+201.61 7-round encryption of ARIA-256.

 Note that the total number of the matched condition is (8+8+8+8+32+40+24)=128 bits, it means that the probability which the random key can be remained through a pair of plaintexts (P,P*) is 1-2^-128. For the whole 256-bit master key, there exist 192-bit key in our attack. Moreover, for the 192-bit key, we can reduce it from 2¹⁹² candidates to

\(\left(2^{192}-1\right) \times\left(1-2^{-128}\right)^{2^{n+127}} \approx 2^{192} \times e^{-2^{n-1}} \approx 2^{192-1.44 \times 2^{n-1}}\)

 Considering  the candidate keys which are remained after our attack and 256-192=64 bit keys which are not involved in our attack, the time complexity for recovering the whole 256-bit master key is

\(2^{n+201.61}+2^{192-1.44 \times 2^{n-1}} \times 2^{64}=2^{n+201.61}+2^{256-1.44 \times 2^{n-1}}\) (7-round encryption).

 Note that the best result of ARIA-256 known so far is given in [18] which the time

complexity is 2²¹⁸ 7-round encryptions, thus we need

\(2^{n+201.61}+2^{256-1.44 \times 2^{n-1}}<2^{218}.\)

When we take n=6, the total time complexity for recovering the 256-bit master key is

\(2^{6+201.61}+2^{256-1.44 \times 2^{6-1}} \approx 2^{207.61}+2^{210} \approx 2^{210}\) (7-round encryption).

Meanwhile, for the data complexity, 2n+112=26+112=2118 chosen plaintexts are needed for our attack, it is only half of the data complexity presented in [18].

 

4. Conclusion

 With the new 4-round impossible differential constructed in this paper, we gave the 7-round impossible differential attack on ARIA-256. Different from the previous impossible differential attacks on ARIA-256, we carefully chose the threshold value of the probability that the random key can be remained through some pairs of plaintexts. By this method, the complexity of our attack can be improved than the previous known results. Specifically, the data complexity is 2118 which is only half of the known best one, while the time complexity is 2210 which is reduced by 28 times compared with the known best one.