1.1  Related Works

The idea of \(\mathcal{DS} \text{-}\)MITM attack started with the square property, which was first introduced in a proposal for SQUARE [7], the forerunner of AES. In the proposal of SQUARE, the designers presented attacks up to 6-round using the square property. In [15], Gilbert and Minier proposed a 4-round distinguisher by extending the square property and an attack on 7-round AES-192 and AES-256. Demirci and Selçuk extended the distinguisher to 5-round and presented an attack on 8-round AES-256 [12].

The cost of \(\mathcal{DS} \text{-}\)MITM attack proposed by Demirci and Selçuk is dominated by the memory complexity. Dunkelman et al. proposed a differential enumeration technique that can significantly reduce memory complexity [8]. They also found that memory complexity could be further reduced by storing precomputed data as a multiset rather than a sequence. Derbez et al. improved the attack by finding that the distinguisher proposed by Dunkelman et al. can be described using fewer parameters [6]. Li and Jin presented the 6-round distinguisher on AES-256 and the attack on 10-round AES-256 [18].

Many studies have applied the \(\mathcal{DS} \text{-}\)MITM attack technique to cryptographic primitives other than AES. It has been applied to several block ciphers, such as ARIA [1], PRINCE [10], TWINE [2], CLEFIA [19], Camellia [9], and Midori64 [20], and some Feistel constructions [13], [14]. There are also studies on the automatic search of distinguishers for use in \(\mathcal{DS} \text{-}\)MITM attacks [4], [5], [21]. Most recently, the quantum version of \(\mathcal{DS} \text{-}\)MITM attack has been studied [3], [16], and according to [3], \(\mathcal{DS} \text{-}\)MITM attack is the best cryptanalysis technique on AES using quantum computers.

1.2  Our Contributions

In this paper, our focus centers on the false-positive probability of the \(\mathcal{DS} \text{-}\)MITM attack when precomputed tables are configured with multisets. Our most significant contribution is a new methodology for determining an accurate value of the false-positive probability. Additionally, we present optimization methods that leverage the accurate false-positive probability values and apply these optimization methods to previous attacks on AES and ARIA, achieving modest improvements in complexity. More details about our contributions are as follows.

(2) Optimization method for \(\mathcal{DS}\text{-}\)MITM attack and its application to previous attacks on AES and ARIA.

We introduce methods to optimize the attacks by modifying the format of the precomputed data. Specifically, we can either reduce the number of elements or truncate their ranges. Subsequently, we delve into the effects of these format modifications on memory, time, and data complexity. In this context, obtaining an accurate false-positive probability becomes crucial. By comparing the complexities associated with each format, we can determine the optimal format for the precomputed data and thereby optimize the attacks.

Applying our optimization methods to the previous \(\mathcal{DS} \text{-}\)MITM attacks on 7-round AES-128/192/256 [6], 7-round ARIA-192/256, and 8-round ARIA- 256 [1], we identify the optimal format for each attack and achieve modest improvements in complexity. As a result, we enhance the time complexity or memory complexity of the attacks by factors ranging from \(2^{0.13}\) to \(2^3\). A comparison of the previous attacks and our optimized attacks is summarized in Table 1.

Table 1  Comparison of previous attacks with our optimized attacks.

1.3  Paper Outline

Section 2 provides preliminaries necessary for understanding this paper. We introduce the notations and symbols used throughout this work, and we briefly describe AES and ARIA. In Sect. 3, we present a generalized framework for the \(\mathcal{DS} \text{-}\)MITM attack. Section 4 presents a method for accurately calculating the false-positive probability of the \(\mathcal{DS} \text{-}\)MITM attack. In Sect. 5, we present optimization methods that require an accurate false-positive probability and apply these methods to previous works on AES and ARIA. We improve the previous \(\mathcal{DS} \text{-}\)MITM attacks on 7-round AES-128/192/256, 7-round ARIA-192/256, and 8-round ARIA-256. Finally, Sect. 6 concludes the paper.

2.1  Notations

Definition 1 (\(\delta \text{-}\)Set, [7]). A \(\delta \text{-} set\) for a byte-oriented cipher is a set of \(2^8\) states that are all different in 1 byte and are all equal in the remaining bytes.

Definition 2 (\(b \text{-} \delta \text{-}\)Set, [13]). A \(b \text{-} \delta \text{-} set\) is a set of \(2^{b}\) states that are all different in \(b\) bits (active bits) and are all equal in the remaining bits (inactive bits).

A \(b\)-\(\delta\)-set generalizes the concept of a \(\delta\)-set, with a \(\delta\)-set being equivalent to an \(8\)-\(\delta\)-set. Since this study encompasses ciphers beyond the byte-oriented type, the \(b\)-\(\delta\)-set notation is mainly utilized for explanation throughout the paper.

Definition 3 (Sequence). A \(sequence\) is a finite ordered list of elements. Sequence \(s\) is called \((u,v)\text{-} sequence\) if \(s\) has \(u\) elements and all elements are non-negative integers less than \(2^v\).

Definition 4 (Multiset). A \(multiset\) is a modification of the concept of a set that allows for multiple instances for each of its elements. Multiset \(m\) is called \((u,v)\text{-} multiset\) if \(m\) has \(u\) elements and all elements are non-negative integers less than \(2^v\).

We utilize parentheses to represent sequences, e.g., a \((u,v) \text{-} sequence\) is denoted as \((e_1, e_2, \ldots, e_u)\), with each \(e_i\) being a non-negative integer less than \(2^v\). In the case of multisets, square brackets are used, e.g., a \((u,v) \text{-} multiset\) is represented as \([e_1, e_2, \ldots, e_u]\), where each \(e_i\) is a non-negative integer less than \(2^v\).

Definition 5 (Set of Sequences and Multisets). Let \(\mathcal{S}_{u,v}\) be a set of all possible \((u,v)\text{-}\)\(sequence\) and \(\mathcal{M}_{u,v}\) be a set of all possible \((u,v)\text{-}multiset\).

The size of \(\mathcal{S}_{u,v}\) is \(2^{uv}\), while the size of \(\mathcal{M}_{u,v}\) is \(\binom{u+2^v-1}{u}\). Since \(|\mathcal{M}_{u,v}| < |\mathcal{S}_{u,v}|\), \((u,v)\text{-} multiset\) require fewer bits for representation than a \((u,v) \text{-} sequence\).

Definition 6. Let \(\theta_{u,v}\) be a function that maps a sequence to a multiset defined by

Definition 7 (Tables Based on Sequences and Multisets). \(\mathcal{T}^{(u,v) \text{-} seq}\) is referred to as a (precomputed) table based on \((u,v)\text{-} sequences\) if

Similarly, \(\mathcal{T}^{(u,v) \text{-} mul}\) is a (precomputed) table based on \((u,v)\text{-} multisets\) if

2.2  Brief Description of AES

AES has been the most widely used block cipher since it was selected as an encryption standard at an open competition organized by NIST in 2000 [11]. It adopts a substitution-permutation network (SPN) structure, and its round function consists of four operations: \(\mathsf{SubBytes\,\,(SB)}\), \(\mathsf{ShiftRows\,\,(SR)}\), \(\mathsf{MixColumns\,\,(MC)}\), and \(\mathsf{AddRoundKey\,\,(ARK)}\). AES has three modes: AES-128, AES-192, and AES-256. The number of rounds of each mode is 10, 12, and 14, and the key size is 128, 192, and 256-bit. The \(\mathsf{MixColumns}\) operation in the last round is omitted. The 128-bit internal state \(X\) is treated as a \(4 \times 4\) byte matrix, where each byte represents a value in \(GF(2^8)\):

We denote \(i \text{-}\)th byte of internal state \(X\) as \(X[i] = a_i\). A concise overview of the four operations is provided below. For more comprehensive information, please refer to [11].

2.3  Brief Description of ARIA

ARIA is a block cipher proposed in ICISC 2003 by Kwon et al. and has been the Korean encryption standard since 2004 [17]. It adopts an SPN structure and its round function consists of three operations: \(\mathsf{Substitution\,\,Layer\,\,(SL)}\), \(\mathsf{Diffusion\,\,Layer\,\,(DL)}\), and \(\mathsf{AddRoundKey\,\,(ARK)}\). ARIA has three modes: ARIA-128, ARIA-192, and ARIA-256. The number of rounds of each mode is 10, 12, and 14, and the key size is 128, 192, and 256-bit. The \(\mathsf{Diffusion\,\,Layer}\) operation of the last round is omitted. The 128-bit internal state is treated as a \(16 \times 1\) byte matrix, where each byte represents a value in \(GF(2^8)\):³

A concise overview of the three operations is provided below. For more comprehensive information, please refer to [17].

(1) Offline Phase.

In the offline phase, we precompute all possible \(N\) sequences, transform them into multisets, and store the resulting multisets in table \(\mathcal{T}\). We denote the memory required to store a single multiset as \(D\)-bit. Then, the memory complexity of the offline phase becomes \((N \cdot D)\text{-}\)bit. The time complexity of the offline phase is \(N \cdot 2^b \cdot T_{\mathsf{dist}}\), with \(T_{\mathsf{dist}}\) denoting the cost of finding one element in each multiset.

(2) Online Phase.

The online phase is divided into three steps, and each step is as follows:

Step 1. In the first step, we find message pairs that conform to the given plaintext and ciphertext differential (\(pos_p\) and \(pos_c\)). We prepare a structure of \(2^{\alpha _p}\) plaintexts, where the bits of \(pos_p\) take all possible values, and the remaining bits are equal. In one structure, we can find \(2^{\alpha _p}(2^{\alpha _p}-1)/2 \approx 2^{2 \alpha _p -1}\) plaintext pairs. The probability that the corresponding ciphertext pair has active bits only at \(pos_c\) is \(2^{-n+\alpha _c}\). Therefore, to obtain one pair that has active bits only at \(pos_p\) and \(pos_c\), \(2^{n-2\alpha _p-\alpha _c +1}\) structures are required on average. Considering the forward propagation from \(pos_p\) to \(pos_{st}\) and backward propagation from \(pos_c\) to \(pos_{ed}\), to obtain a pair that conforms to the entire \(R\text{-}\)round differential trail, \(2^{n-2\alpha _p-\alpha _c+1}\cdot {(p_f p_b)}^{-1}\) structures are required on average. Therefore, \(2^{n-\alpha _p-\alpha _c+1}\cdot {(p_f p_b)}^{-1}\) chosen-plaintexts and \(2^{n-\alpha _p-\alpha _c+1}\cdot {(p_f p_b)}^{-1}\) encryptions are required in the first step.

Step 2. After the first step, we have \({(p_f p_b)}^{-1}\) right pairs that conform to \(pos_p\) and \(pos_c\). In the second step, from these pairs, we identify a pair that conforms to the entire \(R\text{-}\)round differential trail by utilizing the precomputed table \(\mathcal{T}\). Let the number of suggestions for the partial key of \(E_1\) be \(2^{k_1}\). We generate a set of plaintexts for every possible pair and the key suggestion that forms a \(b \text{-} \delta \text{-}\)set after \(r_1\) rounds. We obtain a set of corresponding ciphertexts, partially decrypt them using the partial key for \(E_3\), and derive a multiset from the partially decrypted ciphertexts⁴. Let the number of suggestions for the partial key of \(E_3\) be \(2^{k_3}\). We then check whether this multiset is listed in \(\mathcal{T}\). If it is not listed, we discard this possibility, thereby progressively reducing the key space. The time complexity of step 2 is \((p_fp_b)^{-1} \cdot 2^{k_1 + k_3} \cdot \left(2^b \cdot T_{\mathsf{multi}}\right)\), where \(T_{\mathsf{multi}}\) represents the cost of calculating one element in the multiset, given the message pair and the partial keys for \(E_1\) and \(E_3\).

We construct \((p_fp_b)^{-1} \cdot 2^{k_1 + k_3}\) multisets in step 2. Let the false-positive probability, \(P_{F.P.}\), be a probability that a multiset constructed from the wrong pair or wrong partial key is in \(\mathcal{T}\)⁵. All the wrong multisets are expected to be filtered out if \((p_f p_b)^{-1} \cdot 2^{k_1 + k_3} \cdot P_{F.P.}<1\). Otherwise, \(1+(p_f p_b)^{-1} \cdot 2^{k_1 + k_3} \cdot P_{F.P.}\) multisets are expected to survive. This implies that \(1+(p_f p_b)^{-1} \cdot 2^{k_1 + k_3} \cdot P_{F.P.}\) suggestions for partial keys of \(E_1\) and \(E_3\) survive after step 2.

Step 3. In the final step, we recover the master key from the reduced key space. This step’s generalization is challenging due to its reliance on difficult-to-generalize processes, such as key schedules. Let \(T_{\mathsf{rem}}\) denote the cost of recovering the master key when the partial keys of \(E_1\) and \(E_3\) are uniquely determined in step 2. Since we anticipate that \(1+(p_f p_b)^{-1} \cdot 2^{k_1 + k_3} \cdot P_{F.P.}\) suggestions for the partial key will survive, the time complexity of step 3 becomes \((1+(p_f p_b)^{-1} \cdot 2^{k_1 + k_3} \cdot P_{F.P.}) \cdot T_{\mathsf{rem}}\).

Consequently, the overall complexity of our framework for \(\mathcal{DS} \text{-}\)MITM attacks is as follows:

4.1  Toy Experiments

To validate the accuracy of our approach, we conducted toy experiments, comparing the false-positive probability based on Definition 8 with the probability obtained through our methodology. These experiments were performed within a small-scale environment, where the false-positive probability based on Definition 8 can be calculated within a reasonable computational complexity.

We carried out experiments involving the random sampling of \(2^{20}\) sequences that could serve as the outputs of the distinguisher presented in [6] and [1]. Subsequently, we transformed sequences to multisets and then computed the false-positive probabilities as defined in Definition 8. Further, we employed our proposed methodology to estimate the false-positive probability. The estimation (\(Approx[1]\)) was obtained by multiplying the values in Table 4 by a factor of \(2^{20}\).

First, we introduce the distinguisher for 4-round AES in [6] as Proposition 2, which will be used for our toy experiments.

Proposition 2. ([6]) Suppose a pair of states \((\mathcal{P}, \mathcal{P'})\) conforms to the truncated differential trail shown in Fig. 3. Let \(\left\{ \mathcal{P}^{0}, \mathcal{P}^{1}, \ldots \mathcal{P}^{255} \right\}\) is a \(8 \text{-} \delta\text{-} set\) where \(\mathcal{P}_0 = \mathcal{P}\), and \(\left\{ \mathcal{C}^{0}, \mathcal{C}^{1}, \ldots \mathcal{C}^{255} \right\}\) is a set of states where \(\mathcal{C}_i\) is a state of \(\mathcal{P}_i\) after four full AES rounds of encryption. Then the sequence \(\left( \Delta \mathcal{C}^{0}[0], \Delta \mathcal{C}^{1}[0], \ldots \Delta \mathcal{C}^{255}[0] \right)\) (or the multiset \(\left[ \Delta \mathcal{C}^{0}[0], \Delta \mathcal{C}^{1}[0], \ldots \Delta \mathcal{C}^{255}[0] \right]\)) can only take \(2^{80}\) values, where \(\Delta \mathcal{C}^{i} = \mathcal{C}^{i} \oplus \mathcal{C}^{0}\).

Fig. 3  Truncated differential trails of 4-round \(\texttt{AES}\) corresponding to Proposition 2.

To provide a concise proof of Proposition 2 and to describe the sampling process, we define some notations. We consider a 4-round AES and we denote the intermediate states prior to \(\mathsf{SubByte}\), \(\mathsf{ShiftRow}\), \(\mathsf{MixColumn}\), and \(\mathsf{AddroundKey}\) operations of round \(i\) associated with \(\mathcal{P}\) as \(x_i\), \(y_i\), \(z_i\), and \(w_i\), respectively. Additionally, we denote the states related to \(\mathcal{P}'\) as \({x'_i}\), \({y'_i}\), \({z'_i}\), and \({w'_i}\). Similarly, the intermediate states corresponding to \(\mathcal{P}^j\) are represented as \(X_i^j\), \(Y_i^j\), \(Z_i^j\), and \(W_i^j\). A visual representation of these notations is provided in Fig. 3.

We briefly provide the proof of Proposition 2, which is required to explain the sampling process. For a more detailed proof, we refer the reader to [6], [8], [12]. The works in [8], [12] demonstrated that the sequence \(\left( \Delta \mathcal{C}^{0}[0], \Delta \mathcal{C}^{1}[0], \ldots \Delta \mathcal{C}^{255}[0] \right)\) is determined by the 24 bytes \(x_2[0,1,2,3]\), \(x_3[0 \text{-} 15]\), and \(x_4[0,5,10,15]\). Additionally, [6] established that if \((\mathcal{P}, \mathcal{P}')\) conforms to the truncated differential trail shown in Fig. 3, then these 24 bytes are constrained by the 10 bytes \(\Delta z_1[0]\), \(x_2[0,1,2,3]\), \(\Delta w_4[0]\), and \(z_4[0,1,2,3]\). As a result, the sequence \(\left( \Delta \mathcal{C}^{0}[0], \Delta \mathcal{C}^{1}[0], \ldots \Delta \mathcal{C}^{255}[0] \right)\) can assume \(2^{80}\) values.

Our sampling process consists of two phases. In the initial phase, we randomly assign values to 10 specific bytes: \(\Delta z_1[0]\), \(x_2[0,1,2,3]\), \(\Delta w_4[0]\), and \(z_4[0,1,2,3]\). Subsequently, we derive the corresponding values for 24 bytes: \(x_2[0,1,2,3]\), \(x_3[0 \text{-} 15]\), and \(x_4[0,5,10,15]\). In the second phase, we utilize the computed values from the first phase to derive \(\left( \Delta \mathcal{C}^{0}[0], \Delta \mathcal{C}^{1}[0], \ldots \Delta \mathcal{C}^{255}[0] \right)\). We repeat the two phases until we have gathered \(2^{20}\) sequences. More details about the two phases are as follows:

(2) Second Phase.

Note that \(X^0_2[0 \text{-} 3] = x_2[0 \text{-} 3]\), \(X^0_3[0 \text{-} 15] = x_3[0 \text{-} 15]\), and \(X^0_4[0,5,10,15] = x_4[0,5,10,15]\).

1. For \(i=0,1,\ldots,255\), do the followings:

   1. Assign \(i\) to \(\Delta Z_1^i[0]\) and calculate \(\Delta X^i_2[0 \text{-} 3]\) from \(\Delta Z^i_1[0]\).

   2. Calculate \(X^i_2[0 \text{-} 3]\) from \(X^0_2[0 \text{-} 3]\) and \(\Delta X^i_2[0 \text{-} 3]\). Then, compute \(Z_2^i[0,7,10,13]\) using \(X^i_2[0 \text{-} 3]\).

   3. Calculate \(\Delta Z_2^i[0,7,10,13]\) from \(Z_2^0[0,7,10,13]\) and \(Z_2^i[0,7,10,13]\). Then, compute \(\Delta X_3^i[0 \text{-} 15]\) using \(\Delta Z_2^i[0,7,10,13]\).

   4. Calculate \(X^i_3[0 \text{-} 15]\) from \(X^0_3[0 \text{-} 15]\) and \(\Delta X^i_3[0 \text{-} 15]\). Then compute \(Z_3^i[0 \text{-} 15]\) using \(X_3^i [0 \text{-} 15]\).

   5. Calculate \(\Delta Z_3^i [0 \text{-} 15]\) from \(Z_3^0 [0 \text{-} 15]\) and \(Z_3^i [0 \text{-} 15]\). Then compute \(\Delta X_4^i [0,5,10,15]\) using \(\Delta Z_3^i [0 \text{-} 15]\).

   6. Calculate \(X^i_4 [0,5,10,15]\) from \(X^0_4 [0,5,10,15]\) and \(\Delta X^i_4 [0,5,10,15]\). Then, compute \(Z_4^i [0 \text{-} 3]\) using \(X^i_4 [0,5,10,15]\).

   7. Calculate \(\Delta Z_4^i [0 \text{-} 3]\) from \(Z^0_4 [0,1,2,3]\) and \(\Delta Z_4^i [0 \text{-} 3]\). Then, compute \(\mathcal{C}^i[0]\) using \(\Delta Z_4^i [0 \text{-} 3]\).

2. Store a sequence \(\left( \mathcal{C}^{0}[0], \mathcal{C}^{1}[0], \ldots, \mathcal{C}^{255}[0] \right)\) to \(\mathcal{T}_{\texttt{AES}}^{(256,8) \text{-} seq}\).

After sampling \(2^{20}\) sequences, we perform an exhaustive calculation of the false-positive probability, as defined in Definition 8. For different values of \(u\) and \(v\), we transform \(2^{20}\) sequences into \((u,v) \text{-} multisets\) and aggregate the number of \((u,v) \text{-} sequences\) associated with each multiset. We then divide the aggregated value by \(|S_{u,v}|\). Specifically:

1. Initialize \(P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}}\) with \(0\).

2. For all \((256,8) \text{-}\)sequence \(s \in \mathcal{T}_{\texttt{AES}}^{(256,8) \text{-} seq}\), do the followings:

   1. Suppose \(s=(a_0, a_1, \ldots, a_{255})\). We transform \(s\) into a \((u,v) \text{-} multiset\) \(m\) by adjusting the number of elements and truncating their ranges:

      \[\begin{equation*} m = [a_0 \textrm{ mod } 2^v, a_1 \textrm{ mod } 2^v, \ldots, a_{u-1} \textrm{ mod } 2^v]. \tag{8} \end{equation*}\]

      Additionally, we define \(b_i\) as the count of occurrences of \(i\) among the elements of \(m\), where \(0 \leq i < 2^v\).

   2. Add the number of \((u,v) \text{-} sequences\) that are associated with \(m\) to \(P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}}\):

      \[P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}} \leftarrow P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}} + \frac{u!}{{b_0}!{b_1}!\cdots {b_{2^v-1}}!}.\]

3. Divide \(P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}}\) by \(|\mathcal{S}_{u,v}|\):

   \[P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}} \leftarrow \frac{P_{\mathsf{fp}}^{\mathcal{T}_{\texttt{AES}}^{(u,v) \text{-} mul}}}{|\mathcal{S}_{u,v}|}.\]

Similarly, we sampled and calculated the false-positive probability for the case of ARIA [1]. The corresponding distinguisher is described as Proposition 4, and the truncated differential trail is illustrated in Fig. A\(\cdot\)3. The results of our toy experiments are summarized in Table 5. Notably, the differences between \(P_{\mathsf{fp}}^{\mathcal{T}^{(u,v) \text{-} mul}_{\texttt{AES}}}\), \(P_{\mathsf{fp}}^{\mathcal{T}^{(u,v) \text{-} mul}_{\texttt{ARIA}}}\), and \(Approx[1]\) are negligible. This provides compelling evidence that validates the accuracy of our method in estimating the false-positive probability.

Table 5  Toy experiment results.

The codes for our methodology and toy experiments, as well as more detailed results, can be found at https://github.com/DongjaeLee-Dd2dD2/Accurate-FPP-DSMITM.

4.2  Analyzing Flaws in Previous False-Positive Probability Estimates

First, we provide an overview of [8]’s approach to estimating false-positive probability. The authors assumed that the multisets follow the Poisson distribution. Based on this assumption, they suggested that the most probable form of \((256,8)\text{-} multiset\) is as follows: among values ranging from \(0\) to \(255\), 94 values do not appear, 94 appear once, 47 appear twice, 16 appear three times, 4 appear four times, and 1 is expected to appear five times in the multiset. In other words, the multisets \([a_0, a_1, \ldots, a_{255}]\) that satisfy the following six properties are the most probable.

[8] then estimated the false-positive probability based on the assumption that all multisets, including both those stored in the pre-computed table and those obtained from the wrong key guess, follow this form. The total number of multisets following this form is calculated as

Consequently, [8] estimated the false-positive probability as \(N \cdot 2^{-467.6}\), where \(N\) is the size of the pre-computed table. Subsequently, [6] and [1] followed a similar methodology in estimating false-positive probability.

However, assuming that all multisets have the same form, although it is the most probable, is excessive and results in minor flaws in the probabilities derived from this assumption. According to our methodology, the accurate false-positive probability when constructing the pre-computed table with \((256,8)\text{-} multiset\) is \(N \cdot 2^{-458.6}\)⁷. This implies a discrepancy of \(2^9\) between the probabilities presented in the previous works and the correct false-positive probabilities. The accurate values are \(2^9\) times greater than the suggested probabilities.

Specifically, [6] and [1] presented false-positive probabilities of \(2^{-387.6}\), \(2^{-339.6}\), and \(2^{-331.6}\) for the parameter sets \((N,u,v) = (2^{80},256,8), (2^{128},256,8)\), and \((2^{136},256,8)\), respectively. In contrast, our methodology yields the correct false-positive probabilities for the same parameter sets, namely \(2^{-378.60}\), \(2^{-330.60}\), and \(2^{-322.60}\)⁸. The comparison of false-positive probabilities between our methodology and previous works is summarized in Table 6.

Table 6  Comparison of false-positive probabilities between our methodology and previous works.

5.1  Applications

We apply our optimization methods to previous works on AES and ARIA, resulting in modest improvements to the \(\mathcal{DS}\text{-}\)MITM attack on 7-round AES-128/192/256 [6], 7-round ARIA-192/256, and 8-round ARIA-256 [1]. The parameters for each attack are summarized in Table 7. Except for \(T_{\mathsf{dist}}\) for \(\mathcal{A}_1\) and \(\mathcal{A}2\), the remaining parameters can be readily obtained from the previous works. Specifically, the parameters for AES are available in [6], and those for ARIA can be found in [1]. The value of \(T_{\mathsf{dist}}\) for \(\mathcal{A}_1\) and \(\mathcal{A}_2\) can be calculated by considering the number of S-boxes. While more advanced attacks have been proposed for AES (such as the attacks on 8- and 9-round AES in [3], [6]), we do not address these attacks in our study because our optimization methods offer no further room for improvement.

Table 7  Parameters of the attacks.