Improbable differential attacks on Present using undisturbed bits

1 Statistical attacks on block ciphers make use of a property of the cipher so that an incident occurs with different probabilities depending on whether the correct key is used or not. For instance, differential cryptanalysis [1] considers characteristics or differentials which show that a particular output difference should be obtained with a relatively high probability when a particular input difference is used. Hence, when the correct key is used, the predicted differences occur more frequently. In a classical differential characteristic the differences are fully specified and in a truncated differential [2] only parts of the differences are specified. On the other hand, impossible differential cryptanalysis [3] uses an impossible differential which shows that a particular difference cannot occur for the correct key (i.e. probability of this event is exactly zero). Therefore, if these differences are satisfied under a trial key, then it cannot be the correct one. Thus, the correct key can be obtained by eliminating all or most of the wrong keys. However, a recent study by Tezcan [4] showed that it is possible to obtain differentials so that the predicted differences occur less frequently for the correct key. This new cryptanalytic technique is called the improbable differential attack and the impossible differential attack is just a special case of it. Thus, improbable differential cryptanalysis bridges the gap between differential and impossible differential cryptanalysis. Moreover, impossible differential attacks may be improved by expanding them to improbable differential attacks by using the expansion method provided in [4]. The power of this method was shown in [4] by converting the 12-round impossible differential attack on CLEFIA [5], which is a block cipher developed by SONY Corporation, to 13-round improbable differential attack. This was the best known attack on CLEFIA. However, the resistance of other block ciphers against this technique has not been tested yet.