Abstract
Searching for right pairs of inputs for difference-based distinguishers is an important task in the experimental verification of distinguishers for symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the feasibility of difference-based distinguishers and to extract their right pairs. We apply the proposed method to some published difference-based trails (Related-Key Differential (RKD) and Rotational-XOR (RX) trails) of the block ciphers SIMECK and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there is no right pair that follows the expected propagation of the differences through the trail. For compatible trails, the proposed approach can efficiently speed up the search for the exact value of a weak key within the target weak-key space. For example, in one of the reported 14-round RX trails of SPECK, the probability that a key pair is a weak key is \(2^{-94.91}\) when the whole key space is \(2^{96}\); our method finds a key pair for it in a comparatively short time. It is worth noting that finding this key pair with a traditional search was impossible. As another result, we apply the proposed method to the SPECK block cipher to construct longer related-key differential trails, reaching 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. This should be compared with the best previous results of 12, 15, 15, and 20 rounds, respectively; both attacks work for a certain weak-key class. It should also be considered an improvement over the reported results of rotational-XOR cryptanalysis on SPECK.
Acknowledgements
Nasour Bagheri was supported in part by the Iran National Science Foundation (INSF) under contract No. 98010674.
Communicated by R. Steinfeld.
Appendices
A RKD trails of SPECK variants
A.1 RKD trails of SPECK32/64
Tables 9, 10, 11, 12, 13 and 14.
A.2 RKD trails of SPECK48/96
Tables 15, 16, 17, 18, 19 and 20.
A.3 RKD trails of SPECK64/128
A.4 RKD trails of SPECK128/256
B Some incompatible RKD trails of SPECK variants
C Manual verification of one of the incompatible RKD trails
Lemma 4
There is no right pair that satisfies the RK-difference of the sub-keys of 16 rounds of SPECK48/96 shown in Table 29.
Proof
To find a contradiction in the key-expansion datapath for the key differences of the trail in Table 29, we fixed the input differentials of the sub-keys in all 16 rounds. The resulting MILP model is infeasible, which means that no key values satisfy the round-key differentials for 16 rounds of SPECK48/96 according to Table 29. We then tried to find key values for fewer rounds by removing some of the last rounds. When we removed the fourteenth round, the MILP model found two key values whose differential matched the round-key differentials for 14 rounds of SPECK48/96. So, the fourteenth round of the key-expansion datapath can be effective in finding a contradiction. Note that the left input differential of round 14 is the same as the left output differential of round 11 (see Fig. 5).
We denote the two n-bit vectors representing the differentials at the input of the modular addition in round i, where \(i=11, 14\), as \(\varDelta x^{i}=(\varDelta x_{n-1}^{i},\ldots ,\varDelta x_1^{i},\varDelta x_0^{i})\) and \(\varDelta y^{i}=(\varDelta y_{n-1}^{i},\ldots ,\varDelta y_1^{i},\varDelta y_0^{i})\), the n-bit output differential as \(\varDelta z^{i}=(\varDelta z_{n-1}^{i},\ldots ,\varDelta z_1^{i},\varDelta z_0^{i})\), and the n-bit vector representing the carry differential as \(\varDelta c^{i}=(\varDelta c_{n-1}^{i},\ldots ,\varDelta c_1^{i},\varDelta c_0^{i})\). It should be noted that, based on the third condition of Inequality (3), the differential of the carry bit \(c^{i}\) can be obtained as \(\varDelta c^{i}=\varDelta x^{i} \oplus \varDelta y^{i} \oplus \varDelta z^{i}\).
Therefore, the input/output differentials and the carry differentials of the modular additions of the 11-th and 14-th rounds, based on Fig. 5, can be written in binary notation as follows.
As can be seen in Fig. 5, the modular addition operations in rounds 11 and 14 satisfy the conditions of Theorem 1 and hold with probabilities \(2^{-9}\) and \(2^{-17}\), respectively. Assuming independence, the differential of these two rounds should hold with probability \(2^{-26}\); however, we show that it is an incompatible differential. To this end, considering the modular addition operation of the 11-th round, we have \((\varDelta x_{13}^{11},\varDelta y_{13}^{11},\varDelta z_{13}^{11},\varDelta c_{13}^{11},\varDelta c_{14}^{11})=(0,1,1,0,1)\). It should be noted that the values realising this differential must be taken from set (6). According to set (6), the following pairs have the differential \((\varDelta x_{13}^{11},\varDelta y_{13}^{11},\varDelta z_{13}^{11},\varDelta c_{13}^{11},\varDelta c_{14}^{11})=(0,1,1,0,1).\)
So, for each pair we get the condition
where \({\overline{c}}\) is the bit-wise NOT of c. Now, considering the differential \((\varDelta x_{14}^{11},\varDelta y_{14}^{11},\varDelta z_{14}^{11},\varDelta c_{14}^{11},\varDelta c_{15}^{11})=(0,0,1,1,1)\) for the 14-th bit, the following pairs can lead to this differential.
So, these pairs yield the condition
By combining the Eqs. (14) and (8), we have
Now, in the modular addition operation for 14-th round, we have \((\varDelta x_{5}^{14},\varDelta y_{5}^{14},\varDelta z_{5}^{14},\varDelta c_{5}^{14},\varDelta c_{6}^{14})=(1,0,1,0,1).\) Thus, the following pairs will lead to the differential (1, 0, 1, 0, 1).
Hence, for these pairs, we can get the condition
Now, by considering the differential \((\varDelta x_{6}^{14},\varDelta y_{6}^{14},\varDelta z_{6}^{14},\varDelta c_{6}^{14},\varDelta c_{7}^{14})=(1,0,0,1,0)\) for the 6-th bit, the following pairs will lead to this differential.
Therefore, we have the condition
By combining the Eqs. (17) and (18), we have
Since \(x^{14} = (z^{11}\ggg 8)\) (see Fig. 5), we have \(z_{13}^{11}=x_{5}^{14}\) and \(z_{14}^{11}=x_{6}^{14}\). Hence, by considering the Eqs. (16) and (19), we reach a contradiction. \(\square \)
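The same contradiction can be reproduced bit by bit by brute force. The following Python is an added example, not the paper's code: it enumerates the value triples of a full-adder stage that realise each quoted bit-level differential (the role set (6) plays in the proof), chains bits 13/14 of round 11 and bits 5/6 of round 14 through their carries, and checks the link \(x^{14} = z^{11}\ggg 8\). Only the differentials and positions quoted above are used; Fig. 5 and set (6) themselves are not needed.

```python
"""Added example (not the paper's code): brute-force the bit-level differential
of modular addition to reproduce the Appendix C contradiction between the
additions of rounds 11 and 14 in the SPECK48/96 RKD trail."""
from itertools import product

def add_bit(x, y, c):
    """One full-adder stage: returns (sum bit z_i, carry out c_{i+1})."""
    return x ^ y ^ c, (x & y) | (x & c) | (y & c)

def right_triples(dx, dy, dz, dc_in, dc_out):
    """All (x_i, y_i, c_i) such that the pair (x_i^dx, y_i^dy, c_i^dc_in)
    realises the bit-level differential; empty when it is impossible."""
    assert dc_in == dx ^ dy ^ dz, "carry differential must equal dx^dy^dz"
    sols = []
    for x, y, c in product((0, 1), repeat=3):
        z, cout = add_bit(x, y, c)
        z2, cout2 = add_bit(x ^ dx, y ^ dy, c ^ dc_in)
        if (z ^ z2, cout ^ cout2) == (dz, dc_out):
            sols.append((x, y, c))
    return sols

def adjacent_bits(diff_lo, diff_hi):
    """Chain bit i and bit i+1 of one addition (carry out of i feeds i+1).
    Returns the set of (x_i, z_i, x_{i+1}, z_{i+1}) values realising both."""
    assert diff_lo[4] == diff_hi[3], "dc_out of bit i must be dc_in of bit i+1"
    sols = set()
    for x0, y0, c0 in right_triples(*diff_lo):
        z0, c1 = add_bit(x0, y0, c0)
        for x1, y1, c in right_triples(*diff_hi):
            if c == c1:
                z1, _ = add_bit(x1, y1, c)
                sols.add((x0, z0, x1, z1))
    return sols

# (dx, dy, dz, dc_in, dc_out) at the bit positions quoted in the proof
R11_BIT13, R11_BIT14 = (0, 1, 1, 0, 1), (0, 0, 1, 1, 1)
R14_BIT5, R14_BIT6 = (1, 0, 1, 0, 1), (1, 0, 0, 1, 0)

def round11_outputs():
    """Possible (z^11_13, z^11_14): brute force gives {(0,0), (1,1)}, i.e. equal."""
    return {(z0, z1) for _, z0, _, z1 in adjacent_bits(R11_BIT13, R11_BIT14)}

def round14_inputs():
    """Possible (x^14_5, x^14_6): brute force gives {(0,1), (1,0)}, i.e. unequal."""
    return {(x0, x1) for x0, _, x1, _ in adjacent_bits(R14_BIT5, R14_BIT6)}

def trail_is_compatible():
    """x^14 = z^11 >>> 8 maps z^11_13 -> x^14_5 and z^11_14 -> x^14_6, so a
    right pair needs a value pair common to both sets; here there is none."""
    return bool(round11_outputs() & round14_inputs())
```

Each quoted bit-level differential admits exactly 4 of the 8 value triples, i.e. weight 1 per bit, but the two rounds jointly admit none once the rotation links them.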
Cite this article
Sadeghi, S., Rijmen, V. & Bagheri, N. Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK, SIMECK. Des. Codes Cryptogr. 89, 2113–2155 (2021). https://doi.org/10.1007/s10623-021-00904-5
DOI: https://doi.org/10.1007/s10623-021-00904-5