Integral Cryptanalysis of ARIA

This paper studies the security of the block cipher ARIA against integral attack. The designers believe that determining whether any given byte position is balanced or not after 3 rounds of encryption is riot possible. However, by determining the times that each element of the output of the second round appears is an even integer, we find some 3-round integral distinguishers of ARIA in this paper, which may lead to possible attacks on 4, 5 and 6-round ARIA. Both the data and time complexities of 4-round attack are 2(25); the data and time complexities of 5-round attack are 2(27.2) and 2(76.7), respectively; the data and time complexities of 6-round attack are 2(124.4) and 2(172.4), respectively. Moreover, the 4 and 5-round attacks have the lowest data and time complexities compared to existing attacks on ARIA. Our results also show that the choice of S-box and different order of S-boxes do have influence on integral attacks.