On the practical implementation of impossible differential cryptanalysis on reduced-round AES

Abstract

In this work, we give a practical implementation of the well-known impossible differential attack on 5-round AES-128 given by Biham and Keller. The complexity of the original attack is in the order of the practical realm, with time complexity $2^{31}$ and data complexity $2^{29.5}$. However, the primary memory required to execute the attack was 4 TB, making it difficult to implement, which is supported by the fact that there are no reported implementations of the attack. We propose a data-memory tradeoff for the attack which lets us reduce the memory needed at the expense of increased data complexity. We have been able to implement the attack using 128.5 GB of primary memory and $2^{32}$ data complexity. Though the data complexity is increased by about 4.65 times, it makes up for the fact that we decreased the memory usage by about 32 times. We also extend the implementation to 5-round AES-192/256. To the best of our knowledge, the implementations of attacks in this work are the first ones available publicly.

Kakarla, S., Mandava, S., Saha, D., & Chowdhury, D. R. (2017). On the practical implementation of impossible differential cryptanalysis on reduced-round AES. In Communications in Computer and Information Science (Vol. 719, pp. 58–72). Springer Verlag. https://doi.org/10.1007/978-981-10-5421-1_6
