Skip to main content
Springer Nature Link
Log in

The Construction and Application of (Related-Key) Conditional Differential Neural Distinguishers on KATAN

  • Conference paper
  • First Online:
Cryptology and Network Security (CANS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13641))

Included in the following conference series:

  • 706 Accesses

Abstract

At CRYPTO 2019, Ghor applied deep learning to the cryptanalysis of block ciphers and presented neural distinguishers instead of purely differential distinguishers, which improved key recovery attacks of Speck32/64 using Bayesian optimization. In this paper, the authors attempt to improve the performance of neural distinguishers (NDs) and apply new NDs to present practical key recovery attacks on KATAN ciphers. First, with the help of MILP model, we present a (related-key) conditional differential neural distinguishers ((RK)CDNDs) of KATAN ciphers. The (RK)CDNDs use a new data format, combining with conditions and multiple differences. Compared to previous work, we greatly improve the number of rounds and the accuracy of NDs in both single-key and related-key scenarios. Moreover, a related-key conditional differential cryptanalysis framework based on deep learning is proposed with the RKCDNDs, resulting in a significant improvement from the previous. We present a practical key recovery attack on the 125-round KATAN32. The data complexity is \(2^{15.7}\) and the time complexity is \(2^{19.9}\). We also present 106-round KATAN48 and 95-round KATAN64 practical key recovery attacks. The extension of key recovery attack improves the results for two more rounds by calculating the wrong key response profile in parallel. Our work not only increases the number of attack rounds and the recoverable key bits, but also reduces the computational complexity.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Bao, Z., Guo, J., Liu, M., Ma, L., Tu, Y.: Conditional differential-neural cryptanalysis. Cryptology ePrint Archive, Paper 2021/719 (2021). https://eprint.iacr.org/2021/719

  2. Benamira, A., Gerault, D., Peyrin, T., Tan, Q.Q.: A deeper look at machine learning-based cryptanalysis. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 805–835. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_28

    Chapter  Google Scholar 

  3. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965

    Article  MathSciNet  MATH  Google Scholar 

  4. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_1

    Chapter  Google Scholar 

  5. Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and Others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_17

    Chapter  MATH  Google Scholar 

  6. Chen, J., Teh, J.S., Su, C., Samsudin, A., Fang, J.: Improved (related-key) attacks on round-reduced KATAN-32/48/64 based on the extended boomerang framework. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 333–346. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_21

    Chapter  Google Scholar 

  7. Chen, Y., Shen, Y., Yu, H., Yuan, S.: A new neural distinguisher considering features derived from multiple ciphertext pairs. Comput. J. (2022). https://doi.org/10.1093/comjnl/bxac019

    Article  Google Scholar 

  8. De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04138-9_20

    Chapter  MATH  Google Scholar 

  9. Gohr, A.: Improving attacks on round-reduced Speck32/64 using deep learning. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 150–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_6

    Chapter  Google Scholar 

  10. Gomez, A.N., Huang, S., Zhang, I., Li, B.M., Osama, M., Kaiser, L.: Unsupervised cipher cracking using discrete GANs. CoRR abs/1801.04883 (2018). http://arxiv.org/abs/1801.04883

  11. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016). https://doi.org/10.48550/arXiv.1512.03385

  12. Hinton, G.E., Osindero, S., Teh, Y.W.: A fast learning algorithm for deep belief nets. Neural Comput. 18(7), 1527–1554 (2006). https://doi.org/10.1162/neco.2006.18.7.1527

    Article  MathSciNet  MATH  Google Scholar 

  13. Hou, Z., Ren, J., Chen, S.: Improve neural distinguisher for cryptanalysis. Cryptology ePrint Archive, Paper 2021/1017 (2021). https://eprint.iacr.org/2021/1017

  14. Isobe, T., Sasaki, Yu., Chen, J.: Related-key boomerang attacks on KATAN32/48/64. In: Boyd, C., Simpson, L. (eds.) ACISP 2013. LNCS, vol. 7959, pp. 268–285. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39059-3_19

    Chapter  Google Scholar 

  15. Jakimoski, G., Desmedt, Y.: Related-key differential cryptanalysis of 192-bit key AES variants. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 208–221. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24654-1_15

    Chapter  Google Scholar 

  16. Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional differential cryptanalysis of Trivium and KATAN. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 200–212. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28496-0_12

    Chapter  Google Scholar 

  17. Lawrence, S., Giles, C., Tsoi, A.C., Back, A.: Face recognition: a convolutional neural-network approach. IEEE Trans. Neural Networks 8(1), 98–113 (1997). https://doi.org/10.1109/72.554195

    Article  Google Scholar 

  18. LeCun, Y., Bengio, Y., Hinton, G.: Deep learning. Nature 521(7553), 436–444 (2015). https://doi.org/10.1038/nature14539

    Article  Google Scholar 

  19. Liu, A., Wang, M., Li, Y.: Related-key conditional differential cryptanalysis of katan. J. Cryptol. Res. 2(1), 77–91 (2015). https://doi.org/10.13868/j.cnki.jcr.000062. (in Chinese)

  20. Pelikan, M., Goldberg, D.E., Cantú-Paz, E.: BOA: the Bayesian optimization algorithm. In: Proceedings of the 1st Annual Conference on Genetic and Evolutionary Computation-Volume 1, pp. 525–532 (1999)

    Google Scholar 

  21. Williams, R.J., Zipser, D.: A learning algorithm for continually running fully recurrent neural networks. Neural Comput. 1(2), 270–280 (1989). https://doi.org/10.1162/neco.1989.1.2.270

    Article  Google Scholar 

  22. Xing, Z., Zhang, W., Han, G.: Improved conditional differential analysis on NLFSR based block cipher KATAN32 with MILP. In: Wang, D., Meng, W., Han, J. (eds.) SPNCE 2020. LNICST, vol. 344, pp. 370–393. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-66922-5_26

    Chapter  Google Scholar 

Download references

Acknowledgements

State Key Laboratory of Mathematical Engineering and Advanced Computation Open Foundation (2019A08).

Author information

Authors and Affiliations

  1. Information Engineering University, Zhengzhou, China

    Dongdong Lin, Shaozhen Chen, Manman Li & Zezhou Hou

  2. State Key Laboratory of Cryptology, Beijing, China

    Shaozhen Chen, Manman Li & Zezhou Hou

Authors
  1. Dongdong Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shaozhen Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Manman Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zezhou Hou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dongdong Lin .

Editor information

Editors and Affiliations

  1. University of Cambridge, Cambridge, UK

    Alastair R. Beresford

  2. Indian Institute of Science, Bangalore, India

    Arpita Patra

  3. Cryptography Research Center, Technology Innovation Institute, Abu Dhabi, United Arab Emirates

    Emanuele Bellini

A Appendix

A Appendix

In, Sect. 3.3, we construct MILP Models for KATAN cipers. In Appendix, we present the vectors and sets of linear inequalities mentioned in page 9. When \(a_t=0\), the difference state (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta k_{2t}\)) can take on one of \(2^5\) values. According to the equation (2), we get all 32 values of the 7-demensional vector (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta k_{2t}, \varDelta r_{t+19}, c\)), which is shown in Table 9. We use SageMath to model vectors and obtain a set of linear inequalities. After a simple reduction, we get a set of linear inequalities (10).

Table 9. 32 vectors (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta k_{2t}, \varDelta r_{t+19}, c\))
Full size table
$$\begin{aligned} {\left\{ \begin{array}{ll} -\varDelta l_{i+7}+c\ge 0,\\ -\varDelta l_{i+4}+c\ge 0,\\ \varDelta l_{i+4}+\varDelta l_{i+7}-c\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}-\varDelta l_{i+4}-\varDelta l_{i+7}-\varDelta k_{2i}-\varDelta r_{i+19}+c+2\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}+\varDelta k_{2i}-\varDelta r_{i+19}+c\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}+\varDelta l_{i+7}-\varDelta k_{2i}+\varDelta r_{i+19}\ge 0,\\ -\varDelta l_i+\varDelta l_{i+5}+\varDelta k_{2i}+\varDelta r_{i+19}+c\ge 0,\\ \varDelta l_{i+5}+\varDelta l_{i+7}-\varDelta k_{2i}+\varDelta r_{i+19}-c+1\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}+\varDelta k_{2i}+\varDelta r_{i+19}+c\ge 0,\\ -\varDelta l_i-\varDelta l_{i+5}+\varDelta k_{2i}-\varDelta r_{i+19}+c+2\ge 0,\\ -\varDelta l_i+\varDelta l_{i+5}+\varDelta l_{i+7}-\varDelta k_{2i}-\varDelta r_{i+19}+2\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}-\varDelta k_{2i}-\varDelta r_{i+19}+c+2\ge 0,\\ -\varDelta l_i-\varDelta l_{i+5}-\varDelta k_{2i}+\varDelta r_{i+19}+c+2\ge 0,\\ \end{array}\right. } \end{aligned}$$
(10)

When \(a_t=1\), the difference state (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta l_{t+9}, \varDelta k_{2t}\)) can take on one of \(2^6\) values. According to the Eq. (2), we get all 64 values of the 8-demensional vector (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta l_{t+9}, \varDelta k_{2t}, \varDelta r_{t+19}, c\)), which is shown in Table 10. We use SageMath to model vectors and obtain a set of linear inequalities. After a simple reduction, we get a set of linear inequalities (11).

Table 10. 64 vectors (\(\varDelta l_t, \varDelta l_{t+5}, \varDelta l_{t+4}, \varDelta l_{t+7}, \varDelta l_{t+9}, \varDelta k_{2t}, \varDelta r_{t+19}, c\))
Full size table
$$\begin{aligned} {\left\{ \begin{array}{ll} -\varDelta l_{i+7}+c\ge 0,\\ -\varDelta l_{i+4}+c\ge 0,\\ -\varDelta l_i-\varDelta l_{i+5}-\varDelta l_{i+9}+\varDelta k_{2i}+\varDelta r_{i+19}+c+2\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}-\varDelta l_{i+9}-\varDelta k_{2i}-\varDelta r_{i+19}+c+2\ge 0,\\ -2\varDelta l_i+\varDelta l_{i+5}+2\varDelta l_{i+7}-2\varDelta l_{i+9}-2\varDelta k_{2i}+\varDelta r_{i+19}-c+5\ge 0,\\ -\varDelta l_i+\varDelta l_{i+5}+\varDelta l_{i+4}+\varDelta l_{i+9}+\varDelta k_{2i}-\varDelta r_{i+19}+c\ge 0,\\ -\varDelta l_i-\varDelta l_{i+5}+\varDelta l_{i+9}-\varDelta k_{2i}+\varDelta r_{i+19}+c+2\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}+\varDelta l_{i+4}+\varDelta l_{i+9}-\varDelta k_{2i}+\varDelta r_{i+19}\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}-\varDelta l_{i+4}-\varDelta l_{i+7}+\varDelta l_{i+9}-\varDelta k_{2i}-\varDelta r_{i+19}+2c+2\ge 0,\\ \varDelta l_i+\varDelta l_{i+5}-\varDelta l_{i+9}+\varDelta k_{2i}+\varDelta r_{i+19}+c\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}+\varDelta l_{i+9}+\varDelta k_{2i}+\varDelta r_{i+19}+c\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}-\varDelta l_{i+9}-\varDelta k_{2i}+\varDelta r_{i+19}+c+2\ge 0,\\ \varDelta l_{i+4}+\varDelta l_{i+7}-c\ge 0,\\ \varDelta l_i-\varDelta l_{i+5}-\varDelta l_{i+9}+\varDelta k_{2i}-\varDelta r_{i+19}+c+2\ge 0,\\ -\varDelta l_i-\varDelta l_{i+5}-\varDelta l_{i+9}-\varDelta k_{2i}-\varDelta r_{i+19}+c+4\ge 0,\\ \end{array}\right. } \end{aligned}$$
(11)

According to the Eq. (3), the difference state (\(\varDelta r_t, \varDelta r_{t+11}, \varDelta r_{t+6}, \varDelta r_{t+8}\), \(\varDelta l_{t+10}, \varDelta r_{t+15}, \varDelta k_{2t+1}\)) can take on one of \(2^7\) values. We get all 128 values of the 9-demensional vector (\(\varDelta r_t, \varDelta r_{t+11}, \varDelta r_{t+6}, \varDelta r_{t+8}\), \(\varDelta l_{t+10}, \varDelta r_{t+15}, \varDelta k_{2t+1}, \varDelta l_{t+13}, c\)), which is shown in Table 11. We use SageMath to model vectors and obtain a set of linear inequalities. After a simple reduction, we get a set of linear inequalities (12).

Table 11. 128 vectors (\(\varDelta r_t, \varDelta r_{t+11}, \varDelta r_{t+6}, \varDelta r_{t+8}, \varDelta l_{t+10}, \varDelta r_{t+15}, \varDelta k_{2t+1}, \varDelta l_{t+13}, c\))
Full size table
$$\begin{aligned} {\left\{ \begin{array}{ll} -\varDelta r_{i+6}+c\ge 0,\\ -\varDelta r_{i+8}+c\ge 0,\\ -\varDelta r_{i+10}+c\ge 0,\\ -\varDelta r_{i+15}+c\ge 0,\\ -\varDelta r_i-\varDelta r_{i+11}-\varDelta r_{i+6}-\varDelta r_{i+8}-\varDelta r_{i+10}+\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}+3c+2\ge 0,\\ -\varDelta r_i-\varDelta r_{i+11}-\varDelta r_{i+6}+\varDelta r_{i+8}-\varDelta r_{i+10}-\varDelta r_{i+15}+\varDelta k_{2i+1}+\varDelta l_{i+13}+2c+2\ge 0,\\ \varDelta r_{i+6}+\varDelta r_{i+8}+\varDelta r_{i+10}+\varDelta r_{i+15}-c\ge 0,\\ -\varDelta r_i-\varDelta r_{i+11}+\varDelta r_{i+6}+\varDelta r_{i+8}+\varDelta r_{i+15}-\varDelta k_{2i+1}+\varDelta l_{i+13}+2\ge 0,\\ -\varDelta r_i-\varDelta r_{i+11}+\varDelta r_{i+6}-\varDelta r_{i+8}+\varDelta r_{i+10}-\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}+2c+2\ge 0,\\ \varDelta r_i-\varDelta r_{i+11}-\varDelta k_{2i+1}+\varDelta l_{i+13}+2c\ge 0,\\ -\varDelta r_i+\varDelta r_{i+11}-\varDelta r_{i+6}+\varDelta r_{i+8}-\varDelta r_{i+10}-\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}+2c+2\ge 0,\\ -\varDelta r_i+\varDelta r_{i+11}+\varDelta k_{2i+1}+\varDelta l_{i+13}+c\ge 0,\\ \varDelta r_i-\varDelta r_{i+11}+\varDelta r_{i+8}+\varDelta r_{i+10}+\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}-c+2\ge 0,\\ \varDelta r_i+\varDelta r_{i+11}-\varDelta r_{i+6}-\varDelta r_{i+8}-\varDelta r_{i+10}+\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}+3c\ge 0,\\ \varDelta r_i+\varDelta r_{i+11}+\varDelta r_{i+6}-\varDelta r_{i+8}+\varDelta r_{i+10}-\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}+2c\ge 0,\\ \varDelta r_i+\varDelta r_{i+11}+\varDelta r_{i+8}+\varDelta r_{i+10}+\varDelta r_{i+15}+\varDelta k_{2i+1}+\varDelta l_{i+13}-c\ge 0,\\ -\varDelta r_i+\varDelta r_{i+11}-\varDelta k_{2i+1}-\varDelta l_{i+13}+c\ge 0,\\ \varDelta r_i-\varDelta r_{i+11}-\varDelta r_{i+6}+\varDelta r_{i+8}+\varDelta r_{i+10}-\varDelta r_{i+15}+\varDelta k_{2i+1}+\varDelta l_{i+13}+2c\ge 0,\\ -\varDelta r_i+\varDelta r_{i+11}+\varDelta r_{i+6}+\varDelta r_{i+8}+\varDelta r_{i+10}-\varDelta k_{2i+1}+\varDelta l_{i+13}-c+2\ge 0,\\ -\varDelta r_i+\varDelta r_{i+11}+\varDelta r_{i+6}+\varDelta r_{i+8}+\varDelta r_{i+15}+\varDelta k_{2i+1}-\varDelta l_{i+13}-c+2\ge 0,\\ -\varDelta r_i-\varDelta r_{i+11}-\varDelta r_{i+6}-\varDelta r_{i+8}-\varDelta r_{i+10}-\varDelta r_{i+15}-\varDelta k_{2i+1}-\varDelta l_{i+13}+3c+4\ge 0,\\ \end{array}\right. } \end{aligned}$$
(12)

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lin, D., Chen, S., Li, M., Hou, Z. (2022). The Construction and Application of (Related-Key) Conditional Differential Neural Distinguishers on KATAN. In: Beresford, A.R., Patra, A., Bellini, E. (eds) Cryptology and Network Security. CANS 2022. Lecture Notes in Computer Science, vol 13641. Springer, Cham. https://doi.org/10.1007/978-3-031-20974-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-20974-1_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-20973-4

  • Online ISBN: 978-3-031-20974-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics