
Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

  • Ralph Ankele
  • Stefan Kölbl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11349)

Abstract

Resistance against differential cryptanalysis is an important design criterion for any modern block cipher, and most designs rely on finding an upper bound on the probability of a single differential characteristic. However, already at EUROCRYPT’91, Lai et al. observed that differential cryptanalysis rather uses differentials instead of single characteristics.

In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of \(2^{-56.93}\), while the best single characteristic only suggests a probability of \(2^{-72}\). Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives.

Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys.
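As an added illustration (not code from the paper, and not the authors' CryptoSMT tooling), the following Python script builds a toy 16-bit key-alternating SPN from the PRESENT S-box and a 16-bit analogue of its bit permutation. For a chosen input difference it computes, by dynamic programming over the difference distribution table, the probability of the best single characteristic, the expected probability of the differential as the sum over all characteristics ending in the same output difference, and how many characteristics cluster there; it then measures the exact probability under a few keys by enumerating all 2^16 plaintexts, the kind of key-dependence check the previous paragraph describes. The S-box is PRESENT's; the block size, permutation, round count and sample keys are assumptions constructed for this example.

```python
# Added example (not from the paper or its tools): a toy 16-bit SPN built from the
# PRESENT S-box and a nibble-transpose permutation, used to compare the best single
# characteristic with the full differential and to watch the exact probability move
# with the key. Cipher parameters and sample keys are constructed for illustration.
from fractions import Fraction
import math
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NIBBLES = 4
# Bit i of nibble j moves to bit j of nibble i (16-bit analogue of PRESENT's pLayer).
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]


def ddt(sbox):
    """Difference distribution table: DDT[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for dx in range(16):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


DDT = ddt(SBOX)
# Non-zero entries per input difference; the inactive row 0 is just [(0, 16)].
DDT_NZ = [[(dy, n) for dy, n in enumerate(row) if n] for row in DDT]


def permute(state):
    out = 0
    for i in range(16):
        if (state >> i) & 1:
            out |= 1 << PERM[i]
    return out


# Per-nibble lookup so one round costs four S-box and four permutation reads.
PERM_NIBBLE = [[permute(v << (4 * i)) for v in range(16)] for i in range(NIBBLES)]


def encrypt(x, round_keys):
    """Key-alternating SPN: len(round_keys)-1 rounds of key add, S-box layer, P; final key add."""
    for k in round_keys[:-1]:
        x ^= k
        x = (PERM_NIBBLE[0][SBOX[x & 0xF]] | PERM_NIBBLE[1][SBOX[(x >> 4) & 0xF]]
             | PERM_NIBBLE[2][SBOX[(x >> 8) & 0xF]] | PERM_NIBBLE[3][SBOX[(x >> 12) & 0xF]])
    return x ^ round_keys[-1]


def propagate(dist, combine, weight):
    """Push {difference: value} through one round, nibble by nibble, then through P.
    combine merges contributions that meet at the same difference (sum for the
    differential / path count, max for the best characteristic); weight(n) is what one
    S-box transition with DDT entry n contributes (n for probability, 1 for counting)."""
    for i in range(NIBBLES):
        shift = 4 * i
        mask = 0xFFFF ^ (0xF << shift)
        nxt = {}
        for diff, val in dist.items():
            base = diff & mask
            for dy, n in DDT_NZ[(diff >> shift) & 0xF]:
                key = base | (dy << shift)
                v = val * weight(n)
                nxt[key] = combine(nxt[key], v) if key in nxt else v
        dist = nxt
    return {permute(d): v for d, v in dist.items()}


def analyse(din, rounds):
    """Three dicts keyed by output difference: integer weight of the differential (sum over
    all characteristics) and of the best characteristic, both scaled by 16**(NIBBLES*rounds),
    and the number of characteristics that make up each differential."""
    edp, best, count = {din: 1}, {din: 1}, {din: 1}
    for _ in range(rounds):
        edp = propagate(edp, lambda a, b: a + b, lambda n: n)
        best = propagate(best, max, lambda n: n)
        count = propagate(count, lambda a, b: a + b, lambda n: 1)
    return edp, best, count


def exact_probability(din, dout, round_keys):
    """Exact probability of din -> dout under one fixed key, over all 2^16 plaintexts."""
    table = [encrypt(x, round_keys) for x in range(1 << 16)]
    hits = sum(1 for x in range(1 << 16) if table[x] ^ table[x ^ din] == dout)
    return Fraction(hits, 1 << 16)


def summarize(din, rounds, keys):
    """Take the output difference with the largest differential probability and compare it
    with its best single characteristic and with the exact per-key probabilities."""
    edp, best, count = analyse(din, rounds)
    scale = 16 ** (NIBBLES * rounds)
    dout = max(edp, key=edp.get)
    return {"dout": dout,
            "edp": Fraction(edp[dout], scale),
            "best_characteristic": Fraction(best[dout], scale),
            "characteristics": count[dout],
            "per_key": [exact_probability(din, dout, k) for k in keys]}


if __name__ == "__main__":
    rng = random.Random(2019)  # constructed sample keys: four round keys for three rounds
    keys = [[rng.getrandbits(16) for _ in range(4)] for _ in range(3)]
    s = summarize(0x0001, 3, keys)
    lg = lambda p: -math.inf if p == 0 else math.log2(float(p))
    print(f"3 rounds, din=0x0001 -> dout={s['dout']:#06x}")
    print(f"  best characteristic: 2^{lg(s['best_characteristic']):.2f}")
    print(f"  differential (EDP) : 2^{lg(s['edp']):.2f} over {s['characteristics']} characteristics")
    for k, p in zip(keys, s["per_key"]):
        print(f"  key {[f'{x:#06x}' for x in k]}: exact 2^{lg(p):.2f}")
```

The integer weights returned by analyse are probabilities scaled by 16^(4·rounds), so the sum over all characteristics stays exact, and the per-key figures are exact as well because the whole codebook is enumerated. Raising the round count or picking a different input difference changes how many characteristics cluster behind the top differential; the per-key numbers show how far a single key can sit from the expected value.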

Keywords

Symmetric-key cryptography, Differential cryptanalysis, Lightweight cryptography, SAT/SMT solver, IoT, LBlock, Midori, Present, Prince, Rectangle, Simon, Skinny, Sparx, Speck, Twine

References

  1. Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G.: On the distribution of linear biases: three instructive examples. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 50–67. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_4
  2. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_27
  3. Ankele, R., et al.: Related-key impossible-differential attack on reduced-round Skinny. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 208–228. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_11
  4. Ankele, R., List, E.: Differential cryptanalysis of round-reduced sparx-64/128. Cryptology ePrint Archive, Report 2018/332 (2018). https://eprint.iacr.org/2018/332
  5. Aumasson, J.-P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–324. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_17
  6. Banik, S., et al.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_17
  7. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/2013/404
  8. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
  9. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1
  10. Biryukov, A., Derbez, P., Perrin, L.: Differential analysis and meet-in-the-middle attack against round-reduced TWINE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 3–27. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_1
  11. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_28
  12. Biryukov, A., Velichkov, V.: Automatic search for differential trails in ARX ciphers. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 227–250. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_12
  13. Blondeau, C., Nyberg, K.: Improved parameter estimates for correlation and capacity deviates in linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(2), 162–191 (2016). https://doi.org/10.13154/tosc.v2016.i2.162-191
  14. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
  15. Borghoff, J., et al.: PRINCE – a low-latency block cipher for pervasive computing applications - extended abstract. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_14
  16. Canteaut, A.: Differential cryptanalysis of Feistel ciphers and differentially uniform mappings. In: Selected Areas on Cryptography, SAC 1997, pp. 172–184 (1997)
  17. Canteaut, A., Fuhr, T., Gilbert, H., Naya-Plasencia, M., Reinhard, J.-R.: Multiple differential cryptanalysis of round-reduced PRINCE. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 591–610. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_30
  18. Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1), 85–104 (2009). https://doi.org/10.1007/s00607-009-0034-y
  19. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20
  20. Daemen, J., Rijmen, V.: Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007)
  21. Davis, M., Logemann, G., Loveland, D.: A machine program for theorem-proving. Commun. ACM 5(7), 394–397 (1962). https://doi.org/10.1145/368273.368557
  22. Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Private communication
  23. Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 484–513. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_18
  24. Dobraunig, C., Eichlseder, M., Kales, D., Mendel, F.: Practical key-recovery attack on MANTIS5. IACR Trans. Symmetric Cryptol. 2016(2), 248–260 (2016). https://doi.org/10.13154/tosc.v2016.i2.248-260
  25. Eichlseder, M., Kales, D.: Clustering related-tweak characteristics: application to MANTIS-6. IACR Trans. Symmetric Cryptol. 2018(2), 111–132 (2018). https://doi.org/10.13154/tosc.v2018.i2.111-132
  26. Gérault, D., Lafourcade, P.: Related-key cryptanalysis of Midori. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 287–304. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_16
  27. Guo, J., Jean, J., Nikolic, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace attack against Midori64 and the resistance criteria for S-box designs. IACR Trans. Symmetric Cryptol. 2016(1), 33–56 (2016). https://doi.org/10.13154/tosc.v2016.i1.33-56
  28. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
  29. Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie Proposal: NOEKEON (2000). http://gro.noekeon.org/Noekeon-spec.pdf
  30. Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for two-round advanced encryption standard. IET Inf. Secur. 1(2), 53–57 (2007). https://doi.org/10.1049/iet-ifs:20060161
  31. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_8
  32. Kölbl, S., Roy, A.: A brief comparison of Simon and Simeck. In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 69–88. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-55714-4_6
  33. Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_2
  34. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_12
  35. Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_15
  36. Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45473-X_28
  37. Liu, G.Q., Jin, C.H.: Differential cryptanalysis of PRESENT-like cipher. Des. Codes Cryptogr. 76(3), 385–408 (2015). https://doi.org/10.1007/s10623-014-9965-1
  38. Liu, G., Ghosh, M., Song, L.: Security analysis of SKINNY under related-tweakey settings (long paper). IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017). https://doi.org/10.13154/tosc.v2017.i3.37-72
  39. Liu, Z., Li, Y., Wang, M.: Optimal differential trails in SIMON-like ciphers. IACR Trans. Symmetric Cryptol. 2017(1), 358–379 (2017). https://doi.org/10.13154/tosc.v2017.i1.358-379
  40. Soos, M.: CryptoMiniSat SAT solver (2009). https://github.com/msoos/cryptominisat/
  41. Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). http://eprint.iacr.org/2013/328
  42. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
  43. Niemetz, A., Preiner, M., Biere, A.: Boolector 2.0 system description. J. Satisf. Boolean Model. Comput. 9, 53–58 (2014). (Published 2015)
  44. Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_24
  45. Kölbl, S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives (2015). https://github.com/kste/cryptosmt
  46. Sun, S., et al.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014). http://eprint.iacr.org/2014/747
  47. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_22
  48. Tezcan, C., Okan, G.O., Şenol, A., Doğan, E., Yücebaş, F., Baykal, N.: Differential attacks on lightweight block ciphers PRESENT, PRIDE, and RECTANGLE revisited. In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 18–32. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-55714-4_2
  49. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack - practical attack on full SCREAM, iSCREAM, and Midori64. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_1
  50. Ganesh, V., Hansen, T., Soos, M., Liew, D., Govostes, R.: STP constraint solver (2007). https://github.com/stp/stp
  51. Wang, M., Sun, Y., Tischhauser, E., Preneel, B.: A model for structure attacks, with applications to PRESENT and Serpent. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 49–68. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_4
  52. Wang, N., Wang, X., Jia, K.: Improved impossible differential attack on reduced-round LBlock. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 136–152. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30840-1_9
  53. Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 (2004). http://eprint.iacr.org/2004/199
  54. Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015). https://doi.org/10.1007/s11432-015-5459-7

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Royal Holloway University of London, Egham, UK
  2. DTU Compute, Technical University of Denmark, Kongens Lyngby, Denmark
  3. Cybercrypt, Hellerup, Denmark
