Impossible Differential Cryptanalysis(IDC) [4] uses impossible differential characteristics to retrieve a subkey material for the first or the last several rounds of block ciphers. Thus, the security of a block cipher against IDC can be evaluated by impossible differential characteristics. In this paper, we study impossible differential characteristics of block cipher structures whose round fun...

This paper studies the security of the block ciphers ARIA and Camellia against impossible differential cryptanalysis. Our work improves the best impossible differential cryptanalysis of ARIA and Camellia known so far. The designers of ARIA expected no impossible differentials exist for 4-round ARIA. However, we found some nontrivial 4-round impossible differentials, which may lead to a possible...

© 2014 ETRI Journal, Volume 36, Number 6, December 2014 http://dx.doi.org/10.4218/etrij.14.0113.1335 The Lai-Massey scheme, proposed by Vaudenay, is a modified structure in the International Data Encryption Algorithm cipher. A family of block ciphers, named FOX, were built on the Lai-Massey scheme. Impossible differential cryptanalysis is a powerful technique used to recover the secret key of b...

In this document we present a new way to bound the probability of occurrence of an n-round differential in the context of differential cryptanalysis. Hence this new model allows us to claim proof of resistance against impossible differential cryptanalysis, as defined by Biham and al. in 1999. This work will be described through the example of CS-Cipher, to which, assuming some non-trivial hypot...

Midori128 is a lightweight block cipher proposed at ASIACRYPT 2015 to achieve low energy consumption per bit. Currently, the best published impossible differential attack on Midori128 covers 10 rounds without the pre-whitening key. By exploiting the special structure of the S-boxes and the binary linear transformation layer in Midori128, we present impossible differential distinguishers that co...

As an ISO/IEC international standard, Camellia has been used various cryptographic applications. In this paper, we improve previous attacks on Camellia-192/256 with key-dependent layers FL/FL−1 by using the intrinsic weakness of keyed functions. Specifically, we present the first impossible differential attack on 13-round Camellia with 2121.6 chosen ciphertexts and 2189.9 13-round encryptions, ...

The generalized Feistel structure (GFS) is a generalized form of the classical Feistel cipher. A popular version of GFS, called TypeII, divides a message into k > 2 sub blocks and applies a (classical) Feistel transformation for every two sub blocks, and then performs a cyclic shift of k sub blocks. Type-II GFS has many desirable features for implementation. A drawback, however, is its low diff...

Camellia and MISTY1 are Feistel block ciphers. In this paper, we observe that, when conducting impossible differential cryptanalysis on Camellia and MISTY1, their round structures allow us to partially determine whether a candidate pair is right by guessing only a small fraction of the unknown required subkey bits of a relevant round at a time, instead of all of them. This reduces the computati...