Accurate Estimate of the Advantage of Impossible Differential Attacks

• Main Author: Céline Blondeau
• Format: Article
• Language: English
• Published: Ruhr-Universität Bochum 2017-09-01
• Series: IACR Transactions on Symmetric Cryptology
• Subjects: impossible differential; data complexity; time complexity; advantage; binomial distribution; multivariate distribution; multivariate hypergeometric distribution
• Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/770

Impossible differential attacks, which are taking advantage of differentials that cannot occur, are powerful attacks for block cipher primitives. The power of such attacks is often measured in terms of the advantage — number of key-bits found during the key sieving phase — which determines the time complexity of the exhaustive key search phase. The statistical model used to compute this advantage has been introduced in the seminal work about the resistance of the DEAL cipher to impossible differential attacks. This model, which has not been modified since the end of the 1990s, is implicitly based on the Poisson approximation of the binomial distribution. In this paper, we investigate this commonly used model and experimentally illustrate that random permutations do not follow it. Based on this observation, we propose more accurate estimates of the advantage of an impossible differential attack. The experiments illustrate the accuracy of the estimate derived from the multivariate hypergeometric distribution. The maximal advantage –using the full codebook– of an impossible differential attack is also derived.