Communicated by C. Carlet.
This work was supported by National Natural Science Foundation of China (Grant Nos. 61272488, 61402523, 61772547, 61802438 and 61602514).
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Whether there exist longer impossible differentials than existing ones for a block cipher, is an important problem in the provable security evaluation of a block cipher against impossible differential cryptanalysis. In this paper, we give more accurate results for this problem for the AES. After investigating the differential properties of both the S-box and the linear layer of AES, we theoretically prove that there do not exist impossible concrete differentials longer than 4 rounds for AES by proving that any concrete differential is possible for the 5-round AES, under the only assumption that the round keys are independent and uniformly random. We use a tool, called “(w, d)-Dependent Tree (DT)”, to show how any concrete differential \(\varDelta X \rightarrow \varDelta Z\) can be connected in the middle of the 5-round AES by some DTs. Our method might shed some light on bounding the length of impossible differentials with the differential properties of the S-boxes considered for some SPN block ciphers.