Abstract
ARX algorithms are a class of symmetric-key algorithms built from modular Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding differential models of the non-linear operations. While an efficient bit-vector differential model exists for the modular addition of two variable inputs, no differential model for the modular addition by a constant has been proposed so far, which has prevented ARX ciphers that include this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains \(O(\log _2(n))\) basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers with constant additions. We also introduce a new automated method for obtaining impossible differentials in which we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool ArxPy to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which improve on previous results.
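The abstract draws the line between the modular addition of two variable inputs, for which a closed-form differential model exists (Lipmaa and Moriai, FSE 2001), and the addition by a constant, which needs its own model. The following Python is an added example, not code from the paper or from ArxPy, that makes the difference concrete by exhaustive enumeration over small word sizes: for 5-bit words and the constant 0x03, the input difference 0x08 propagates to 0x08 with probability 5/8 and to 0x18 with probability 3/8, so the binary logarithm of the probability is not an integer, whereas treating the constant as a second variable input (the Lipmaa-Moriai formula with input difference 0 on that operand) assigns 1/2 to each. The function names and the chosen parameters are this example's own; the Lipmaa-Moriai closed form is reproduced from their Algorithm 2 and cross-checked against brute force.

```python
# Added example (not from the paper or ArxPy): exhaustive XOR-differential
# probabilities of n-bit modular addition, contrasting the two-variable-input
# case, where the Lipmaa-Moriai closed form applies, with addition by a constant.
from itertools import product
from math import inf, log2


def eq(x: int, y: int, z: int, n: int) -> int:
    """Lipmaa-Moriai eq(): bit i is 1 iff x, y and z agree in bit i (n-bit words)."""
    mask = (1 << n) - 1
    return ~(x ^ y) & ~(x ^ z) & mask


def xdp_add(alpha: int, beta: int, gamma: int, n: int) -> float:
    """xdp+(alpha, beta -> gamma) for x + y with BOTH inputs variable,
    via the closed form of Lipmaa and Moriai (FSE 2001, Algorithm 2)."""
    mask = (1 << n) - 1
    sh = lambda t: (t << 1) & mask  # shift left, drop the bit shifted out
    # Validity: wherever the three shifted differences agree, the bit of
    # alpha ^ beta ^ gamma must equal the previous bit of beta.
    if eq(sh(alpha), sh(beta), sh(gamma), n) & (alpha ^ beta ^ gamma ^ sh(beta)):
        return 0.0
    # Weight = number of non-MSB positions where alpha, beta and gamma disagree.
    weight_bits = ~eq(alpha, beta, gamma, n) & ((1 << (n - 1)) - 1)
    return 2.0 ** -bin(weight_bits).count("1")


def xdp_add_exhaustive(alpha: int, beta: int, gamma: int, n: int) -> float:
    """The same quantity by enumerating all 2^(2n) input pairs (small n only)."""
    mask = (1 << n) - 1
    hits = sum(
        1 for x, y in product(range(1 << n), repeat=2)
        if (((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask == gamma
    )
    return hits / (1 << (2 * n))


def xdp_const(a: int, u: int, v: int, n: int) -> float:
    """xdp of x -> x + a for a fixed constant a: input difference u, output
    difference v, by enumerating all 2^n values of x."""
    mask = (1 << n) - 1
    hits = sum(1 for x in range(1 << n) if (((x ^ u) + a) ^ (x + a)) & mask == v)
    return hits / (1 << n)


def weight(p: float) -> float:
    """-log2 of a differential probability; inf for an impossible transition."""
    return inf if p == 0 else -log2(p)


def lipmaa_moriai_matches_exhaustive(n: int) -> bool:
    """Sanity check of the closed form against brute force over all (alpha, beta, gamma)."""
    words = range(1 << n)
    return all(
        xdp_add(a, b, c, n) == xdp_add_exhaustive(a, b, c, n)
        for a, b, c in product(words, repeat=3)
    )


if __name__ == "__main__":
    n, a, u = 5, 0x03, 0x08  # constructed parameters for the illustration
    print("two variable inputs, beta = 0 (Lipmaa-Moriai):")
    for v in (0x08, 0x18):
        print(f"  xdp+({u:#04x}, 0 -> {v:#04x}) = {xdp_add(u, 0, v, n)}")
    print(f"constant input a = {a:#04x} (exhaustive):")
    for v in (0x08, 0x18):
        p = xdp_const(a, u, v, n)
        print(f"  xdp({u:#04x} -> {v:#04x}) = {p}  weight = {weight(p):.3f}")
```

The asymmetry comes from the carry into bit 3: with a variable second operand its bit 3 is uniform and masks the carry, but with a fixed 0x03 the carry into bit 3 is set exactly when the low three bits of x are at least 5, i.e. for 3 of 8 values. Any model of constant addition therefore has to express such fractional weights, which is why a model describing the binary logarithm of the probability, rather than an integer Hamming-weight count, is needed.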
Notes
It is possible to get another solution of an SMT problem by solving it again with an additional constraint that excludes the first solution. By repeating this process, one can find all the solutions.
References
Aumasson J.P., Henzen L., Meier W., Phan R.C.W.: SHA-3 proposal BLAKE. Submission to NIST (round 3) (2009).
Aumasson J.P., Jovanovic P., Neves S.: Analysis of NORX: investigating differential and rotational properties. In: LATINCRYPT 2014, vol. 8895 of Lecture Notes in Computer Science. Springer, Cham (2014).
Azimi S.A., Ranea A., Salmasizadeh M., Mohajeri J., Aref M.R., Rijmen V.: A bit-vector differential model for the modular addition by a constant. In: ASIACRYPT 2020, pp. 385–414. Springer, Cham (2020).
Bagherzadeh E., Ahmadian Z.: MILP-based automatic differential searches for LEA and HIGHT. IACR Cryptology ePrint Archive, Report 2018/948 (2018).
Barrett C., Tinelli C.: Satisfiability modulo theories. In: Clarke E.M., Henzinger T.A., Veith H., Bloem R. (eds.) Handbook of Model Checking, pp. 305–343. Springer, Cham (2018).
Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive, Report 2013/404 (2013).
Bernstein D.J.: The Salsa20 family of stream ciphers. In: New Stream Cipher Designs. Springer, New York (2008).
Biham E., Biryukov A., Shamir A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT 1999, vol. 1592 of Lecture Notes in Computer Science. Springer (1999).
Biham E., Dunkelman O., Keller N.: The rectangle attack - rectangling the Serpent. In: EUROCRYPT 2001, Innsbruck, Austria, May 6–10, 2001, Proceedings. Springer (2001).
Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991).
Biryukov A., Velichkov V.: Automatic search for differential trails in ARX ciphers. In: CT-RSA 2014. Springer, Cham (2014).
Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced SHA-256. In: ASIACRYPT 2011. Springer (2011).
Biryukov A., Velichkov V., Le Corre Y.: Automatic search for the best trails in ARX: application to block cipher Speck. In: FSE 2016, pp. 289–310. Springer (2016).
Cui T., Chen S., Fu K., Wang M., Jia K.: New automatic tool for finding impossible differentials and zero-correlation linear approximations. Sci. China Inf. Sci. 64(2), 129103 (2021).
Darbuka A.: Related-key attacks on block ciphers. Master's thesis, Middle East Technical University (2009).
Dinu D., Perrin L., Udovenko A., Velichkov V., Großschädl J., Biryukov A.: Design strategies for ARX with provable bounds: SPARX and LAX. In: ASIACRYPT 2016 (1), vol. 10031 of Lecture Notes in Computer Science. Springer (2016).
Dinu D., Le Corre Y., Khovratovich D., Perrin L., Großschädl J., Biryukov A.: Triathlon of lightweight block ciphers for the Internet of Things. J. Cryptogr. Eng. 9(3), 283–302 (2019).
Dunkelman O., Keller N., Kim J.: Related-key rectangle attack on the full SHACAL-1. In: SAC 2006. Springer (2006).
FIPS PUB 180-1: Secure Hash Standard. Federal Information Processing Standards Publication 180-1 (1995).
FIPS PUB 180-4: Secure Hash Standard. Federal Information Processing Standards Publication 180-4 (2015).
Fu K., Wang M., Guo Y., Sun S., Hu L.: MILP-based automatic search algorithms for differential and linear trails for Speck. In: FSE 2016, Bochum, Germany, March 20–23, 2016, Revised Selected Papers. Springer (2016).
Ganesh V., Dill D.L.: A decision procedure for bit-vectors and arrays. In: CAV 2007, vol. 4590 of Lecture Notes in Computer Science. Springer (2007).
Gario M., Micheli A.: PySMT: a solver-agnostic library for fast prototyping of SMT-based algorithms. In: SMT Workshop 2015 (2015).
Gartner: Gartner identifies top 10 strategic IoT technologies and trends. https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends (2018).
Gartner: Gartner survey reveals 47 percent of organizations will increase investments in IoT despite the impact of COVID-19. https://www.gartner.com/en/newsroom/press-releases/2020-10-29-gartner-survey-reveals-47-percent-of-organizations-will-increase-investments-in-iot-despite-the-impact-of-covid-19- (2020).
Hadarean L., Hyvarinen A., Niemetz A., Reger G.: 14th International Satisfiability Modulo Theories Competition (SMT-COMP 2019). https://smt-comp.github.io/2019/ (2019).
Handschuh H., Knudsen L.R., Robshaw M.J.: Analysis of SHA-1 in encryption mode. In: CT-RSA 2001. Springer (2001).
Handschuh H., Naccache D.: SHACAL: a family of block ciphers. Submission to the NESSIE project (2002).
Warren H.S. Jr.: Hacker's Delight. Addison-Wesley, Boston (2003).
Hong S., Kim J., Lee S., Preneel B.: Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192. In: FSE 2005. Springer (2005).
Hong D., Sung J., Hong S., Lim J., Lee S., Koo B.S., Lee C., Chang D., Lee J., Jeong K., Kim H.: HIGHT: a new block cipher suitable for low-resource device. In: CHES 2006, Yokohama, Japan, October 10–13, 2006, Proceedings. Springer (2006).
Hong D., Lee J.K., Kim D.C., Kwon D., Ryu K.H., Lee D.G.: LEA: a 128-bit block cipher for fast encryption on common processors. In: WISA 2013, vol. 8267 of Lecture Notes in Computer Science. Springer (2013).
ISO/IEC 18033-3:2010: Information technology, Security techniques, Encryption algorithms, Part 3: Block ciphers. International Organization for Standardization (2010).
Kelsey J., Schneier B., Wagner D.: Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: CRYPTO 1996, vol. 1109 of Lecture Notes in Computer Science. Springer (1996).
Kelsey J., Schneier B., Wagner D.: Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: ICICS 1997, vol. 1334 of Lecture Notes in Computer Science. Springer (1997).
Kim J., Kim G., Hong S., Lee S., Hong D.: The related-key rectangle attack - application to SHACAL-1. In: ACISP 2004. Springer (2004).
Knudsen L.: DEAL - a 128-bit block cipher. Complexity 258(2), 216 (1998).
Kölbl S., Hadipour H.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives based on SMT/SAT solvers. https://github.com/kste/cryptosmt.
Kölbl S., Leander G., Tiessen T.: Observations on the SIMON block cipher family. In: CRYPTO 2015, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part I. Springer (2015).
Koo B., Hong D., Kwon D.: Related-key attack on the full HIGHT. In: ICISC 2010, Seoul, Korea, December 1–3, 2010, Revised Selected Papers. Springer (2010).
Koo B., Roh D., Kim H., Jung Y., Lee D., Kwon D.: CHAM: a family of lightweight block ciphers for resource-constrained devices. In: ICISC 2017, Seoul, South Korea, November 29–December 1, 2017, Revised Selected Papers. Springer (2017).
Kovásznai G., Fröhlich A., Biere A.: Complexity of fixed-size bit-vector logics. Theory Comput. Syst. 59(2), 323 (2016).
Lai X., Massey J.L.: A proposal for a new block encryption standard. In: EUROCRYPT 1990, vol. 473 of Lecture Notes in Computer Science. Springer (1990).
Lai X., Massey J.L., Murphy S.: Markov ciphers and differential cryptanalysis. In: EUROCRYPT 1991, vol. 547 of Lecture Notes in Computer Science. Springer (1991).
Lee E., Hong D., Chang D., Hong S., Lim J.: A weak key class of XTEA for a related-key rectangle attack. In: VIETCRYPT 2006, vol. 4341 of Lecture Notes in Computer Science. Springer (2006).
Lipmaa H.: On differential properties of Pseudo-Hadamard Transform and related mappings. In: Menezes A., Sarkar P. (eds.) INDOCRYPT 2002, Hyderabad, India, December 16–18, 2002, vol. 2551 of Lecture Notes in Computer Science. Springer (2002).
Lipmaa H., Moriai S.: Efficient algorithms for computing differential properties of addition. In: FSE 2001, Yokohama, Japan, April 2–4, 2001, Revised Papers. Springer (2001).
Liu Y., De Witte G., Ranea A., Ashur T.: Rotational-XOR cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol. 2017(3) (2017).
Lodi A.: Mixed integer programming computation. In: 50 Years of Integer Programming 1958–2008. Springer (2010).
Lu J.: Cryptanalysis of reduced versions of the HIGHT block cipher from CHES 2006. In: ICISC 2007, Seoul, Korea, November 29–30, 2007, Proceedings. Springer (2007).
Lu J., Kim J., Keller N., Dunkelman O.: Related-key rectangle attack on 42-round SHACAL-2. In: ISC 2006. Springer (2006).
Lu J.: Related-key rectangle attack on 36 rounds of the XTEA block cipher. Int. J. Inf. Secur. 8(1), 15 (2009).
Machado A.W.: Differential probability of modular addition with a constant operand. IACR Cryptology ePrint Archive, Report 2001/052 (2001).
Matsui M.: On correlation between the order of S-boxes and the strength of DES. In: EUROCRYPT 1994. Springer (1994).
Meurer A., Smith C.P., Paprocki M., et al.: SymPy: symbolic computing in Python. PeerJ Comput. Sci. 3, e103 (2017).
Mitchell J.N.: Computer multiplication and division using binary logarithms. IRE Trans. Electron. Comput. 4, 512 (1962).
Mouha N., Preneel B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. IACR Cryptology ePrint Archive, Report 2013/328 (2013).
Mouha N., Mennink B., Van Herrewege A., Watanabe D., Preneel B., Verbauwhede I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: SAC 2014. Springer (2014).
National Institute of Standards and Technology: Lightweight cryptography project. https://csrc.nist.gov/Projects/Lightweight-Cryptography.
Needham R., Wheeler D.: TEA extensions. Technical report, Computer Laboratory, University of Cambridge (1997).
NESSIE: New European Schemes for Signatures, Integrity and Encryption. https://www.cosic.esat.kuleuven.be/nessie/index.html.
Niemetz A., Preiner M., Biere A.: Boolector 2.0 system description. J. Satisf. Boolean Model. Comput. 9, 53–58 (2015).
Özen O., Varıcı K., Tezcan C., Kocair C.: Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. In: ACISP 2009. Springer (2009).
Ranea A., Liu Y., Ashur T.: An easy-to-use tool for rotational-XOR cryptanalysis of ARX block ciphers. Proc. Rom. Acad. Ser. A 18(3), 1–8 (2017).
Ren J., Chen S.: Cryptanalysis of reduced-round SPECK. IEEE Access 7, 63045–63056 (2019).
Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects - revealing structural properties of several ciphers. In: EUROCRYPT 2017 (3), vol. 10212 of Lecture Notes in Computer Science. Springer (2017).
Schulte-Geers E.: On CCZ-equivalence of addition mod $2^n$. Des. Codes Cryptogr. 66(1–3), 111–127 (2013).
Song L., Huang Z., Yang Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: ACISP 2016, Melbourne, VIC, Australia, July 4–6, 2016, Proceedings, Part I. Springer (2016).
Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: ASIACRYPT 2014, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014, Proceedings, Part I. Springer (2014).
Sun S., Gerault D., Lafourcade P., Yang Q., Todo Y., Qiao K., Hu L.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017(1) (2017).
Wagner D.: The boomerang attack. In: FSE 1999, Rome, Italy, March 24–26, 1999, Proceedings. Springer (1999).
Wang G., Keller N., Dunkelman O.: The delicate issues of addition with respect to XOR differences. In: SAC 2007. Springer (2007).
Wheeler D.J., Needham R.M.: TEA, a tiny encryption algorithm. In: FSE 1994, vol. 1008 of Lecture Notes in Computer Science. Springer (1994).
Winternitz R.S., Hellman M.E.: Chosen-key attacks on a block cipher. Cryptologia 11(1), 1–7 (1987).
Yang S.P., Hu Y.P., Zhong M.F.: Related-key impossible differential attacks on 31-round SHACAL-2. J. Commun. 28(11A), 54–58 (2006).
Acknowledgements
Seyyed Arash Azimi and Mohammad Reza Aref were partially supported by Iran National Science Foundation (INSF) under Contract No. 96/53979. Adrián Ranea is supported by a PhD Fellowship from the Research Foundation - Flanders (FWO).
Additional information
Communicated by J. D. Key.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Parts of this paper were presented at the Asiacrypt 2020 conference [3].
Appendix A: Characteristics
We describe the characteristics covering the most rounds that we obtained in Sect. 5. For each characteristic, we provide the difference of the master key words \(\Delta _{mk}\), the difference of the plaintext words \(\Delta _{p}\) and the difference of the ciphertext words \(\Delta _{c}\). Furthermore, for each round \(i = 0, 1, \dots \) of the cipher, we provide the difference of the i-th round key words, the output difference of the i-th round function \(\Delta _{x_i}\), the (cumulative) weight of the operations that compute the i-th round key words \(w_{k_i}\), and the weight of the i-th round function \(w_{x_i}\). All differences are given in hexadecimal.
Cite this article
Azimi, S.A., Ranea, A., Salmasizadeh, M. et al. A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis. Des. Codes Cryptogr. 90, 1797–1855 (2022). https://doi.org/10.1007/s10623-022-01074-8