Bitwise Higher Order Differential Cryptanalysis

Bo Zhu, Kefei Chen, and Xuejia Lai

Department of Computer Science and Engineering, Shanghai Jiao Tong University, China
{zhubo03,kfchen,laix}@sjtu.edu.cn

Abstract. This paper attempts to utilize the ideas of higher order differential cryptanalysis to investigate Boolean algebra based block ciphers. The theoretical foundation is built for later research, and two kinds of distinguishing attacks are proposed. The prerequisites of the attacks are also presented and proved, and an efficient algorithm is introduced to search these prerequisites. Furthermore, our analysis result shows that 5 rounds of the block cipher PRESENT can be distinguished by using only 512 chosen plaintexts.

Keywords: Boolean function, higher order differential cryptanalysis.

1 Introduction

Block ciphers play a very important role in almost every aspect of cryptography, including Trusted Computing. In association with the Davies-Meyer construction [1], block ciphers can be used to build the underlying one-way compression functions for hash functions and HMAC [2], which are the very foundations for ensuring the data integrity and the authenticity of Trusted Computing. In the industrial world, a novel technology called BitLocker [3], which is an application of Trusted Computing, is designed to protect user data by using the block cipher Rijndael, a.k.a. AES [4]. Moreover, in the next generation of TPM, symmetric algorithms are considered to replace certain asymmetric cryptographic means in order to speed up the process of loading key hierarchies [5].

At CHES’07, the block cipher PRESENT [6] was proposed to gain efficiency for hardware implementation, which is preferable in resource-restrained environments, e.g., TPM chips. PRESENT adopts the designs of small-sized S-boxes and bit-pattern permutation layers, both of which can easily be represented as Boolean functions.
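The following added example (not code from the paper) writes each output bit of the PRESENT S-box as a Boolean polynomial over GF(2) and evaluates higher order derivatives of it, the basic tool named in the title. It goes slightly beyond the sentence above by checking the standard fact that a derivative of order greater than the algebraic degree is identically zero. The S-box table is the one from the PRESENT specification; all function names are chosen here for illustration.

```python
# PRESENT 4-bit S-box (CHES'07 specification), indexed by the input nibble.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # number of input bits; x0 is the least significant bit

def truth_table(bit):
    """Truth table of S-box output bit `bit` as a function of x3..x0."""
    return [(SBOX[x] >> bit) & 1 for x in range(1 << N)]

def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficient vector.
    Index m is a bitmask of variables; coeff[m] == 1 means the monomial
    prod(x_i for i in m) occurs in the polynomial over GF(2)."""
    c = list(tt)
    for i in range(N):
        for m in range(1 << N):
            if m & (1 << i):
                c[m] ^= c[m ^ (1 << i)]
    return c

def degree(coeffs):
    """Algebraic degree: size of the largest monomial that is present."""
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)

def monomials(coeffs):
    """Readable ANF string, monomials listed in bitmask order."""
    terms = []
    for m, c in enumerate(coeffs):
        if c:
            names = [f"x{i}" for i in range(N) if (m >> i) & 1]
            terms.append("*".join(names) or "1")
    return " + ".join(terms) or "0"

def derivative(tt, basis, x):
    """Higher order derivative at x: XOR of f over the set x + span(basis)."""
    acc = 0
    for sel in range(1 << len(basis)):
        offset = 0
        for j, b in enumerate(basis):
            if (sel >> j) & 1:
                offset ^= b
        acc ^= tt[x ^ offset]
    return acc

if __name__ == "__main__":
    for bit in range(N):
        c = anf(truth_table(bit))
        print(f"y{bit} (degree {degree(c)}): {monomials(c)}")
```

Output bit y0 has degree 2, so its third order derivative is zero at every point for any three linearly independent directions, while the degree 3 bits only vanish at order four.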
And a more compact block cipher scheme presented at CHES’09, the KATAN and KTANTAN block cipher family [7], is built entirely upon Boolean functions. Taking these into consideration, it is much more important for cryptographers to pay attention to the analysis of Boolean algebra based block ciphers.

Differential cryptanalysis, a.k.a. differential attack, was proposed by Biham and Shamir [8] in 1990 as a powerful tool to recover the secret keys of block ciphers by using the chosen-plaintext technique. After that, differential cryptanalysis was also used to investigate stream ciphers and hash functions. Nowadays,

L. Chen and M. Yung (Eds.): INTRUST 2009, LNCS 6163, pp. 250–262, 2010.
© Springer-Verlag Berlin Heidelberg 2010