Algebraic Techniques in Differential Cryptanalysis Revisited [chapter]

Meiqin Wang, Yue Sun, Nicky Mouha, Bart Preneel
2011 Lecture Notes in Computer Science  
At FSE 2009, Albrecht et al. proposed a new cryptanalytic method that combines algebraic and differential cryptanalysis. They introduced three new attacks, namely Attack A, Attack B and Attack C. For Attack A, they explain that the time complexity is difficult to determine. The goal of Attacks B and C is to filter out wrong pairs and then recover the key. In this paper, we show that Attack C does not provide an advantage over differential cryptanalysis for typical block ciphers, because it ... t be used to filter out any wrong pairs that satisfy the ciphertext differences. Furthermore, we explain why Attack B provides no advantage over differential cryptanalysis for PRESENT. We verify our results for PRESENT experimentally, using both PolyBoRi and MiniSat. Our work helps to understand which equations are important in the differential-algebraic attack. Based on our findings, we present two new differential-algebraic attacks. Using the first method, our attack on 15-round PRESENT-80 requires $2^{59}$ chosen plaintexts and has a worst-case time complexity of $2^{73.79}$ equivalent encryptions. Our new attack on 14-round PRESENT-128 requires $2^{55}$ chosen plaintexts and has a worst-case time complexity of $2^{112.83}$ equivalent encryptions. Although these attacks have a higher time complexity than the differential attacks, their data complexity is lower.
doi:10.1007/978-3-642-22497-3_9 fatcat:2zo7odfg6bebrd6lcldffvj3e4