The phantom of differential characteristics

For differential cryptanalysis under the single-key model, the key schedules hardly need to be exploited in constructing the characteristics, which is based on the hypothesis of stochastic equivalence. In this paper, we study a profound effect of the key schedules on the validity of the differential...

Full description

Saved in:
Bibliographic Details
Published inDesigns, codes, and cryptography Vol. 88; no. 11; pp. 2289 - 2311
Main Authors Liu, Yunwen, Zhang, Wenying, Sun, Bing, Rijmen, Vincent, Liu, Guoqiang, Li, Chao, Fu, Shaojing, Cao, Meichun
Format Journal Article
LanguageEnglish
Published New York Springer US 01.11.2020
Springer Nature B.V
Subjects
Algorithms
Coding and Information Theory
Computer Science
Cryptography
Cryptology
Discrete Mathematics in Computer Science
Permutations
Schedules
PRINCE
Differential cryptanalysis
Singular cluster
Singular characteristic
Key schedule
94A60
Effective keys
AES
Online AccessGet full text

Cover

More Information
Summary:For differential cryptanalysis under the single-key model, the key schedules hardly need to be exploited in constructing the characteristics, which is based on the hypothesis of stochastic equivalence. In this paper, we study a profound effect of the key schedules on the validity of the differential characteristics. Noticing the sensitivity in the probability of the characteristics to specific keys, we label the keys where a characteristic has nonzero probability by effective keys . We propose the concept of singular characteristics which are characteristics with no effective keys, and exploit an algorithm to sieve them out by studying the key schedule. We show by a differential characteristic of PRINCE whose expected differential probability is much larger than that of a random permutation, i.e., 2 - 35 vs. 2 - 64 . Yet, it is indeed singular which could be mis-used to mount a differential attack. Singular characteristics are found for 3-round AES and 3-round Midori-128 as well. Furthermore, taking the possible mismatches of the effective keys in a number of differential characteristics into consideration, we present singular clusters which indicates an empty intersection of the corresponding effective keys, and this is evidenced by showing two differential characteristics of the 2-round AES. We also show that characteristics are tightly linked to the key schedule, as shown in the paper, a valid characteristic in the AES-128 can be singular for the AES-192. Our results indicate a gap over the perspectives of the designers and the attackers, which warns the latter to validate the theoretically-built distinguishers. Therefore, a closer look into the characteristics is inevitable before any attack is claimed.
ISSN:0925-1022
1573-7586
DOI:10.1007/s10623-020-00782-3