Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK, SIMECK

Abstract

Searching for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some published difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers SIMECK, and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak key from the target weak key space. For example, in one of the reported 14-round RX trails of SPECK, the probability of a key pair to be a weak key is \(2^{-94.91}\) when the whole key space is \(2^{96}\); our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method to SPECK block cipher, to construct longer related-key differential trails of SPECK which we could reach 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational-XOR cryptanalysis on SPECK.

Appendices

A RKD trails of SPECK variants

1.1 A.1 RKD trails of SPECK32/64

Tables 9, 10, 11, 12, 13 and 14.

Table 9 10-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(2800,0200,0080,0001)}\)

Table 10 11-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(0200,0080,0071,4A00)}\)

Table 11 12-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(0080,0051,0008,1200)}\)

Table 12 13-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=(4000,1880,0400,0009)\)

Table 13 14-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(1480,04C0,0128,1002)}\)

Table 14 15-round related-key differential trail in SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(4000,1580,0400,0009)}\)

1.2 A.2 RKD trails of SPECK48/96

Tables 15, 16, 17, 18, 19 and 20.

Table 15 11-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(020000,004000,000882,120008)}\)

Table 16 12-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(020000,004000,000882,120008)}\)

Table 17 13-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(000200,0000C0,820008,081200)}\)

Table 18 14-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(020000,004010,248801,102088)}\)

Table 19 15-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(000010,000002,441000,}\mathtt {004090)}\)

Table 20 16-round related-key differential trail in SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(000010,000020,00441000,} \mathtt {004090)}\)

1.3 A.3 RKD trails of SPECK64/128

Tables 21, 22, 23, 24 and 25.

Table 21 13-round related-key differential trail in SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(00000200,00000040,}\mathtt {00820008,08001200)}\)

Table 22 14-round related-key differential trail in SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(00000002,40000000,}\mathtt {08008200,00080012)}\)

Table 23 15-round related-key differential trail in SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(00000002,40000000,}\mathtt {08008200,00080012)}\)

Table 24 16-round related-key differential trail in SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)\) = \(\mathtt {(00000200,00000040,}\mathtt {00820008,08001200)}\)

Table 25 17-round related-key differential trail in SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)\) = \(\mathtt {(00000200,00000040,00820008,}\mathtt {08001200)}\)

1.4 A.4 RKD trails of SPECK128/256

Tables 26 and 27.

Table 26 16-round related-key differential trail in SPECK128/256 with \((\varDelta l_2{,}\varDelta l_1{,}\varDelta l_0{,}\varDelta k_0)\) = \(\mathtt {(0200000000000000,0040000000000010,0008000001248000,} \mathtt {1000080000002080)}\)

Table 27 19-round related-key differential trail in SPECK128/256 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)\) = \(\mathtt {(0200000000000000,0040000000000010,0008000001248000,} \mathtt {1000080000002080)}\)

B Some of incompability RKD trails of SPECK variants

Tables 28, 29, 30 and 31.

Table 28 An incompatible differential trail for 14 rounds of SPECK32/64 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(0001,4000,0880,0025)}\)

Table 29 An incompatible differential trail for 16 rounds of SPECK48/96 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)=\mathtt {(020000,004000,000882,} \mathtt {120008)}\)

Table 30 An incompatible differential trail for 16 rounds of SPECK64/128 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)\)=\(\mathtt {(00208002,40000000,08000200,00080012)}\)

Table 31 An incompatible differential trail for 21 rounds of SPECK128/256 with \((\varDelta l_2,\varDelta l_1,\varDelta l_0,\varDelta k_0)\)= \(\mathtt {(00500040000005A4,0008000800000034,} \mathtt {4001400100010400,0240014001000024)}\)

C Manual verification of one of the incompatible RKD trails

Lemma 4

There are no right pair to satisfy the RK-difference of the sub-keys of 16 rounds of SPECK48/96 as shown in Table 29.

Proof

To find a contradiction in the key expansion datapath of the key differences of the trails in Table 29, we fixed the input differential of sub-keys in all 16 rounds. Our MILP model gives us an infeasible solution. This means that there are not any key values to satisfy the differential of round keys for 16 rounds of SPECK48/96 based on Table 29. After that, we tried to find the key values for fewer rounds by removing some last rounds. When we removed the fourteenth round, the MILP model found two key values whose differential was the differential of the key rounds for 14 rounds of SPECK48/96. So, the fourteenth round of key expansion datapath can be effective in finding a contradiction. Note that the left input differential of round 14 is the same as the left output differential of round 11 (see Fig. 5).

We denote the two n-bit vectors representing differentials at the input of modular addition in the round i where \(i=11, 14\), as \(\varDelta x^{i}=(\varDelta x_{n-1}^{i},\ldots ,\varDelta x_1^{i},\varDelta x_0^{i})\) and \(\varDelta y^{i}=(\varDelta y_{n-1}^{i},\cdots ,\varDelta y_1^{i},\varDelta y_0^{i})\) and the n-bit output differential as \(\varDelta z^{i}=(\varDelta z_{n-1}^{i},\ldots ,\varDelta z_1^{i},\varDelta z_0^{i})\) and the n-bit vectors representing carry differential as \(\varDelta c^{i}=(\varDelta c_{n-1}^{i},\ldots ,\varDelta c_1^{i},\varDelta c_0^{i})\). It should be noted that based on the third condition of Inequality (3), the differential of carry bit \(c^{i}\) can be obtained as \(\varDelta c^{i}=\varDelta x^{i} \oplus \varDelta y^{i} \oplus \varDelta z^{i}\).

Fig. 5

Part of the 16-round incompatible differential trail of SPECK48/96 based on Table 29

Therefore, the input/output differentials and the carry differentials of modular additions for the 11-th and 14-th rounds based on Fig. 5, can be written as binary notation as follows.

$$\begin{aligned}\begin{array}{*{20}{c}} {\begin{array}{*{20}{c}} {\varDelta {x^{11}} = \mathrm{{100000000000000000000000,}}}&{}{\varDelta {x^{14}} = \mathrm{{100000000000011111101100,}}} \end{array}}\\ {\begin{array}{*{20}{c}} {\varDelta {y^{11}} = \mathrm{{100000010010010010000000,}}}&{}{\varDelta {y^{14}} = \mathrm{{001000111001000110000100,}}} \end{array}}\\ {\begin{array}{*{20}{c}} {\varDelta {z^{11}} = \mathrm{{000001111110110010000000,}}}&{}{\varDelta {z^{14}} = \mathrm{{100111001000110000100000,}}} \end{array}}\\ {\begin{array}{*{20}{c}} {\varDelta {c^{11}} = \mathrm{{000001101100100000000000,}}}&{}{\varDelta {c^{14}} = \mathrm{{001111110001101001001000}}\mathrm{{.}}} \end{array}} \end{array} \end{aligned}$$

As can be seen in Fig. 5, the modular addition operations in rounds 11 and 14 satisfy the conditions of Theorem 1 and they hold with probabilities of \(2^{-9}\) and \(2^{-17}\), respectively. Assuming independency, the differential probability of these two rounds should hold with probability of \(2^{-26}\); however, we show that it is an incompatibility differential. To this end, by considering the modular addition operation for the 11-th round, we have \((\varDelta x_{13}^{11},\varDelta y_{13}^{11},\varDelta z_{13}^{11},\varDelta c_{13}^{11},\varDelta c_{14}^{11})=(0,1,1,0,1)\). It should be noted that the values that can have this differential must be selected from the set (6). According to the set (6), the following pairs have the differential \((\varDelta x_{13}^{11},\varDelta y_{13}^{11},\varDelta z_{13}^{11},\varDelta c_{13}^{11},\varDelta c_{14}^{11})=(0,1,1,0,1).\)

$$\begin{aligned} \left\{ {({x_{13}^{11}},{y_{13}^{11}},{z_{13}^{11}},{c_{13}^{11}},{c_{14}^{11}})} \right\} \in \left\{ {\left\{ {\begin{array}{*{20}{c}} {(0,0,1,1,0)}\\ {(0,1,0,1,1)} \end{array}} \right\} ,\left\{ {\begin{array}{*{20}{c}} {(1,0,1,0,0)}\\ {(1,1,0,0,1)} \end{array}} \right\} } \right\} . \end{aligned}$$

So, for each pair we get the condition

$$\begin{aligned} z_{13}^{11}={\overline{c}}_{14}^{11}, \end{aligned}$$

(14)

where \({\overline{c}}\) is the bit-wise NOT of c. Now, by considering the differential \((\varDelta x_{14}^{11},\varDelta y_{14}^{11},\varDelta z_{14}^{11},\varDelta c_{14}^{11}\), \(\varDelta c_{15}^{11})=(0,0,1,1,1),\) for the 14-th bit, the following pairs can reach to this differential.

$$\begin{aligned} ({x_{14}^{11}},{y_{14}^{11}},{z_{14}^{11}},{c_{14}^{11}},{c_{15}^{11}}) \in \left\{ {\left\{ {\begin{array}{*{20}{c}} {(0,1,1,0,0)}\\ {(0,1,0,1,1)} \end{array}} \right\} ,\left\{ {\begin{array}{*{20}{c}} {(1,0,1,0,0)}\\ {(1,0,0,1,1)} \end{array}} \right\} } \right\} . \end{aligned}$$

So, these pairs conclude the condition

$$\begin{aligned} z_{14}^{11}={\overline{c}}_{14}^{11}. \end{aligned}$$

(15)

By combining the Eqs. (14) and (8), we have

$$\begin{aligned} z_{13}^{11}=z_{14}^{11}. \end{aligned}$$

(16)

Now, in the modular addition operation for 14-th round, we have \((\varDelta x_{5}^{14},\varDelta y_{5}^{14},\varDelta z_{5}^{14},\varDelta c_{5}^{14},\varDelta c_{6}^{14})=(1,0,1,0,1).\) Thus, the following pairs will lead to the differential (1, 0, 1, 0, 1).

$$\begin{aligned} ({x_{5}^{14}},{y_{5}^{14}},{z_{5}^{14}},{c_{5}^{14}},{c_{6}^{14}}) \in \left\{ {\left\{ {\begin{array}{*{20}{c}} {(0,0,1,1,0)}\\ {(1,0,0,1,1)} \end{array}} \right\} ,\left\{ {\begin{array}{*{20}{c}} {(0,1,1,0,0)}\\ {(1,1,0,0,1)} \end{array}} \right\} } \right\} . \end{aligned}$$

Hence, for these pairs, we can get the condition

$$\begin{aligned} x_{5}^{14}=c_{6}^{14}. \end{aligned}$$

(17)

Now, by considering the differential \((\varDelta x_{6}^{14},\varDelta y_{6}^{14},\varDelta z_{6}^{14},\varDelta c_{6}^{14},\varDelta c_{7}^{14})=(1,0,0,1,0)\) for the 6-th bit, the following pairs will lead to this differential.

$$\begin{aligned} ({x_{6}^{14}},{y_{6}^{14}},{z_{6}^{14}},{c_{6}^{14}},{c_{7}^{14}}) \in \left\{ {\left\{ {\begin{array}{*{20}{c}} {(0,0,1,1,0)}\\ {(1,0,1,0,0)} \end{array}} \right\} ,\left\{ {\begin{array}{*{20}{c}} {(0,1,0,1,1)}\\ {(1,1,0,0,1)} \end{array}} \right\} } \right\} . \end{aligned}$$

Therefore, we have the condition

$$\begin{aligned} x_{6}^{14}={{\overline{c}}}_{6}^{14}. \end{aligned}$$

(18)

By combining the Eqs. (17) and (18), we have

$$\begin{aligned} x_{5}^{14}={\overline{x}}_{6}^{14}. \end{aligned}$$

(19)

Since \(x^{14} = (z^{11}\ggg 8)\) (see Fig. 5), we have \(z_{13}^{11}=x_{5}^{14}\) and \(z_{14}^{11}=x_{6}^{14}\). Hence, by considering the Eqs. (16) and (19), we reach a contradiction. \(\square \)