Abstract
Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT’91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics.
In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active Sboxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8round differential distinguisher for Skinny64 with a probability of \(2^{56.93}\), while the best single characteristic only suggests a probability of \(2^{72}\). Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives.
Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck64 follows a bimodal distribution, and the distribution of Midori64 suggests a large class of weak keys.
R. Ankele—This research was partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. H2020MSCAITN2014643161 ECRYPTNET.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
 Symmetrickey cryptography
 Differential cryptanalysis
 Lightweight cryptography
 SAT/SMT solver
 IoT
 LBlock
 Midori
 Present
 Prince
 Rectangle
 Simon
 Skinny
 Sparx
 Speck
 Twine
1 Introduction
Differential cryptanalysis, first published by Biham and Shamir [9] to analyse the DES, has become one of the prime attack vectors which any modern symmetrickey primitive has to be resistant against. The idea behind differential cryptanalysis is to find a correlation between the difference of a pair of plaintexts and ciphertexts which holds with high probability. The challenge for an cryptanalyst consists of finding such a correlation or to show that no such correlation exists. A popular approach is to design a cipher in such a way that one can find a bound on the best differential characteristics, either directly e.g., the widetrail strategy deployed in AES or using methods based on Matsui’s algorithm, MILP or SAT.
A differential characteristic specifies all the intermediate differences after each round of the primitive. However, when constructing a differential distinguisher one only cares about the input and output difference. It is often assumed that a single characteristic dominates the probability of such a differential, however this is not true in general and leads to imprecise estimates of the probability in many cases [10, 24].
In the work by Lai, Massey and Murphy [33] they showed that if an iterated cryptographic primitive has independent roundkeys, it can be considered as a Markov cipher. As differential cryptanalysis considers just the first and last difference and ignores the intermediate values, the probability of such a differential can then be computed as the sum of all characteristics, that are formed by the differentials. While this assumes that the rounds are independent, it provides a more precise estimate and the probability of the most probable differential will always be greater than the probability of the most probable characteristic.
Contributions. We provide a broad study covering different design strategies and investigate the differential gap between single characteristics and differentials for the block ciphers LBlock, Midori, Present, Prince, Rectangle, Simon, Skinny, Sparx, Speck and Twine. In order to do this, we use an automated approach for enumerating the characteristics with the highest probability contributing to a differential based on SMT solvers [41], which we adopt to different design strategies. This allows us to efficiently enumerate a large set of characteristics contributing to the probability of a differential resulting in a precise estimate for the probability of differentials.
For Skinny64 we present an 8round differential distinguisher with a probability of \(2^{56.93}\), while the best single characteristic only suggests a probability of \(2^{72}\). For Midori64 we show that the best characteristic for 8 rounds, with a probability of \(2^{76}\) can be used to find a differential with a probability of \(2^{60.86}\). Our results show that in the case of many new lightweight ciphers like Midori64, Skinny64, and Sparx64 the probabilities improve significantly and that we can find differential distinguishers which are able to cover more rounds. This suggests that one should be particularly careful with lightweight block ciphers when using simpler approximations like counting the number of active Sboxes.
Our method is generic and can easily be applied to other designs as one only needs to describe the differential behaviour of the round function and can reuse all the components we implemented for doing so. This allows both to find optimal differential characteristics and to enumerate all characteristics contributing to a differential.
Furthermore, we provide experiments to verify that our estimates of the differential probability provide a good approximation. However, we also noticed that the distribution over the choice of keys varies significantly for some design strategies and that commonly made assumptions do not hold for reducedround versions. While for Skinny64 the distribution over the keys follows relatively closely what one would expect we noticed that for Midori64 for a large class of keys there are no pairs following the differential at all, while for very few keys the probability is significantly higher.
Related Work. Daemen and Rijmen firstly studied the probability of differentials for AES in their work on Plateau Characteristics [20]. In their work, they analysed AES on the distribution of differential probability over the choice of keys and showed that all 2round characteristics have either a zero probability or for a small subset of keys the probability is nonzero. However, they only considered AES, but conjectured that other ciphers with 4uniform Sboxes will show a similar result. In the case of AES and AESlike ciphers, there has also been a lot of research in studying the expected differential/linear probability (MEDP/MELP) [18, 30], that is used to provable bound the security of a block cipher against differential/linear cryptanalysis.
In recent years, many automated tools were proposed that could help designers to prove bounds against differential/linear attacks. Mouha et al. [42] used Mixed Integer Linear Programming (MILP) to count active Sboxes and compute provable bounds. Furthermore, there have been a few approaches of using automated tools to find optimal characteristics, and to collect many characteristics with the same input/output differences. This idea was first introduced by Sun et al. [46] who used MILP. Likewise, tools using SAT/SMT solvers are used where the results were applied to Salsa20 [41], Norx [5], and Simon [31].
Moreover, there exist several design and attack papers that study the effect of numerous characteristics contributing to the probability of a differential: Mantis [24], Noekeon [29], Salsa [41], Simon/Speck [11, 31], Rectangle [54] and Twine [10]. Yet, these are often based on truncated differentials or dedicated algorithms for finding large numbers of characteristics. For example in [25], Eichlseder and Kales attack Mantis6 by finding a large cluster of differential characteristics. Contrary to the attack on Mantis5 by Dobraunig et al. [24] where the cluster was found manually, in the attack on Mantis6, Eichlseder and Kales used a tool based on truncated differentials.
Similar effects have also been observed in the case of linear cryptanalysis, where Abdelraheem et al. [1] showed that the security margins based on the distribution of linear biases are not always accurate. Their work has further been studied and improved by Blondeau and Nyberg [13].
Software. All the models for enumerating the differential characteristics are publicly available at https://github.com/TheBananaMan/cryptosmt.
Outline. The remainder of this paper is structured as follows. After briefly revisiting some of the necessary definitions about differential cryptanalysis in Sect. 2, we provide details about the automated tools that we use in Sect. 3 and describe how to efficiently find differential characteristics for various ciphers. In Sect. 4 we present the results of our analysis on the gap between single differential characteristics and differentials for various cryptographic primitives. We also analyze the best differential attacks, that are published on those ciphers so far, and show if the attacks can be improved by considering the aforementioned differential gaps. Moreover, in Sect. 5 we give details about our experiments of the distribution over keys for the probability of differentials.
2 Differentials and Differential Characteristics
Differential cryptanalysis is one of the most powerful techniques in the analysis of symmetrickey primitives. Many extensions to it have been developed and it has found wide applications on block ciphers, stream ciphers and cryptographic hash functions. In the following, we state some definitions and notations that we will use throughout the paper.
A block cipher is a family of permutations parameterised by a key \(K \in \mathbb {F}_2^k\), that maps a set of plaintexts \(P \in \mathbb {F}_2^n\) to a set of ciphertexts \(C \in \mathbb {F}_2^n\)
Virtually all currently used block ciphers are iterative block ciphers, i.e., they are composed of applying a simple round function r times
The idea of differential cryptanalysis is to look at pairs of plaintexts \((p_1, p_2)\) and the corresponding ciphertexts \((c_1, c_2)\) and try to find a correlation between the differences \(\alpha \) and \(\beta \), where \(\alpha = p_1 \oplus p_2\) and \(\beta = c_1 \oplus c_2\).
Definition 1
A differential is a pair of differences \((\alpha , \beta ) \in \mathbb {F}_2^n \times \mathbb {F}_2^n\).
If such a correlation holds with high probability, we can use this to distinguish the block cipher from a random permutation and further use this to mount keyrecovery attacks.
Definition 2
The differential probability of a differential over a block cipher is
where X is a random variable that is uniformly distributed over \(\mathbb {F}_2^n\).
For ease of notation we define the weight of a differential as \(\log _2(\text {DP}(\cdot ))\). Any nonzero differential for a random permutation \(F_{\$}: \mathbb {F}_2^n \rightarrow \mathbb {F}_2^n\) will have a differential probability close to \(2^{n}\). Therefore one is interested in finding any differential with \(\text {DP}(\alpha \xrightarrow {\text {E}_K} \beta ) \gg 2^{n}\). In general, it is computationally infeasible to compute the exact value of the \(\text {DP}\) as this would require to exhaustively search through the whole space of all possible plaintexts. One can use the structure of a block cipher, to obtain a good approximation of the actual \(\text {DP}\) with less computational effort by tracking the differences through the round functions.
Definition 3
A differential characteristic is a sequence of differences
Yet, it is still computationally infeasible to compute the exact value of \(\text {DP}(Q)\) and the general approach is to assume independence of the rounds. For most designs it is feasible to compute the exact probability of a differential for a single round. One can therefore compute
While this assumption of independent rounds is not true in general, it has been shown to serve as a good approximation in practice. However, if an adversary wants to construct a distinguisher, she actually does not care about any intermediate differences and is only interested in the probability of the differential. The adversary can therefore collect all differential characteristics sharing the same input and output difference to get a better estimate
It is often assumed that the probability of the differential is close to the probability of the best single characteristic. While this might hold for some ciphers this assumption has been shown to be inaccurate in several cases and does not hold for many modern block ciphers [10, 24]. We will show later in Sect. 4 that this assumption fails particularly often for some recently designed lightweight block ciphers.
We consider two different criteria for a design: differential characteristic resistant (DCR), which means that no single differential characteristic exists with a probability larger than \(2^{n}\) and differential resistant (DR) which means that it should be difficult to find a differential with a probability larger than \(2^{n}\). Note that we typically can not avoid that there are differentials with \(\text {DP}\ge 2^{n}\), as if we fix the input difference to \(\alpha _1\) then \(\sum _{\alpha _r \ne 0} \Pr (\alpha _1 \xrightarrow {E} \alpha _r) = 1\). This implies that there exists at least one differential with a probability \(\text {DP}\ge 2^{n}\). In the WideTrail Strategy which was used to design the AES and subsequently many other ciphers, Daemen and Rijmen suggest that it is a sound design strategy to restrict the probability of difference propagation [19]. Nevertheless, this does not result in a proof for security.
Note that in the definitions so far the influence of the keys was ignored. However, the \(\text {DP}\) for a specific differential strongly depends on the choice of the secret key and it is therefore of interest how this distribution looks like. To solve this problem we could compute the probabilities of a differential over the whole key space, however this is again practically infeasible which leads one to use the expected differential probability.
Definition 4
The expected differential probability of a block cipher \(\text {E}_k\) of an rround differential \((\alpha , \beta )\), with a keysize of \(\kappa \)bits is defined as
In order to derive some sort of security proof against differential cryptanalysis often the Hypothesis of Stochastic Equivalence [33] is used which states that for all differentials Q it holds that for most keys K the differential probability of a characteristic is close to the expected differential probability, \(\text {DP}_K(Q) \approx \text {EDP}(Q)\). In practice this hypothesis does not always hold [16], which we will also see later in Sect. 5.
3 Finding Differential Characteristics Efficiently
While there are many methods based on SAT, MILP or Matsui’s algorithm to find differential characteristics and even prove an upper bound on the probability of the best single characteristic, it remains a hard problem to find a good estimate on the probability of the best differential. Even finding those differential characteristics remains a difficult problem for some design strategies and cryptanalysts had to search manually for differentials in some attacks [53]. Nowadays a variety of automated tools [12, 35, 45] is available which are constantly improved and help cryptanalysts in finding good differential characteristics.
3.1 SAT/SMT Solvers
SAT solvers are used to solve the Boolean satisfiability problem (SAT) and are based on heuristic algorithms. A solver starts from an initial assignment for the literals and then builds a search tree by using systematic backtracking until all conflicting clauses are resolved and either an assignment of variables for a satisfiable set of clauses is returned or the solver decides that this instance is unsatisfiable. The most commonly algorithms used in SAT solvers are based on the original idea of DPLL [21].
SMT solvers are more powerful than SAT solvers in the sense that they can express constraints on a higher abstraction layer and allow simple firstorder logic. In general, SMT solvers often translate the problem to SAT and then use an improved version of the DPLL algorithm and backtracking to infer when theory conflicts arise. Moreover, the solver checks the feasibility of conjunctions from the firstorder logic predicates as it interacts with the Boolean formulas that are returned by the SAT solver.
There exists a few SAT/SMT solvers that are suitable for our use cases. STP [50] is an SMT solver that uses the CVC and SMTLIB2 language to encode the constraints and then invokes a SAT solver to check for satisfiability of the model. CryptoMiniSat [40] is an advanced SAT solver that supports features like XOR recovery^{Footnote 1} to simplify clauses. As XOR operations are commonly used in cryptography this can be an advantage and potentially reduces the solving time. We also considered other solvers like Boolector [43], which for some instances provide a better performance, however in general this only provides an improvement by a small constant factor and it is hard to identify for which instances one obtains any advantage.
3.2 From Differential Cryptanalysis to Satisfiability Modulo Theories
When using automated tool like SAT/SMT solvers, one can simplify the search for differential characteristics and differentials by modeling the differential behavior of the block cipher. For this we represent all intermediate states of our block cipher as variables which corresponds to the differences and encode the transitions of differences through the round functions as constraints that can be processed by the SMT/SAT solver. An advantage of using SMT over SAT for the modeling is that most SMT solvers support reasoning over bitvectors which are commonly used in block cipher designs, especially when considering wordoriented ciphers. This both simplifies the modeling of the constraints and can lead to an improved time for solving the given problem instances compared to an encoding in SAT.
Constructing an SMT Model. In this paper, we focus on a tool that uses the CVC language^{Footnote 2} for encoding the differential behavior of block ciphers. Therefore, we encode the constraints imposed by the round function for each round of the block cipher and the probability of the resulting differential transitions. Our main goal here is to construct an SMT model which decides whether
which allows us to find the best differential characteristic Q for a cipher by finding the minimum value t for which the model is satisfiable.
In order to represent the differential behaviour of a cipher we consider any operation in the cipher, e.g., the application of an Sbox, matrix multiplication, wordwise operation or bit operation, and add constraints for a valid transition from an input to an output difference such that any valid assignment to the variables corresponds to a valid differential characteristic in the actual operation. For any nonlinear component we introduce additional variables \(w^j\) which represent the \(\log _2\) probability of the differential transition. The probability of Q is then given by \(\sum w^j\). This means that a valid assignment for all these variables directly gives us the differential characteristic Q with all intermediate differences and \(\text {DP}(Q) = p\).
In the following we give an overview on how the different components of the ciphers can be modeled in the SMT model. The algorithms to find the optimal differential characteristics and consequently good estimates for the differentials are described in Sect. 3.3.
SBoxes. Substitution Permutation Network (SPN) ciphers typically use Sboxes, which are nonlinear functions operating on a small number of bits. These are often 4 or 8bit functions and therefore we can compute the differential probability by simply constructing the Difference Distribution Table (DDT), which is a full lookup table of all possible pairs of input/output differences, for each Sbox. In our SMT model we represent the input difference to an nbit Sbox as \(\alpha = \alpha _1, \ldots , \alpha _n\) respectively the output as \(\beta = \beta _1, \ldots , \beta _n\). These variables correspond to the input/output difference to this Sbox and we want to constraint them to only allow nonzero probability combinations of input and output differences. We further introduce additional variables \(w = w_1, \ldots , w_n\) which are used to represent the probability of the transition. The probability of the transition is encoded as \(2^{wt(w)}\), where \(wt(\cdot )\) denotes the Hamming weight of w.
In order to construct the constraints on the variables, we first find all valid transitions and their corresponding probability. We want to construct a CNF which is satisfiable if and only if the assignment corresponds to such a valid characteristic. One simple way to this is by just considering all assignments which are impossible. If a transition is defined as \((a \xrightarrow {S} b)\) and has a probability c then we add the following clause
where
This clause is only satisfiable if the variables of the corresponding Sbox are not set to the invalid assignment. For example let \(a = (1, 0, 1, 1)\), \(b = (0, 0, 0, 0)\) and \(c = (0, 0, 0, 0)\) then we add the clause
We implemented this approach to generate the SMT models for 4 and 8bit Sboxes, where most of the lightweight ciphers actually use 4bit Sboxes which allows a very compact description (i.e., to represent the 4bit Sbox of Skinny we need 12 variables and about 3999 clauses in CNF). Note that our method is limited to Sboxes which have a DDT with entries that are a power of 2. For other Sboxes a similar method could be used by using l additional variables for encoding probabilities of the form \(2^{0.5}, 2^{0.25}, \ldots \) to get an approximation of the actual probability.
Linear Layers. The diffusion layers of Substitution Permutation Networks in lightweight ciphers are often constructed with simple bitpermutations (e.g., Present) or by multiplication with matrices having only binary coefficients (e.g., Midori, Skinny). ARXbased ciphers (e.g., Speck) use the diffusion properties of XOR combined with rotations. Feistel networks (e.g., Simon, LBlock, Twine) also mix the state by switching parts of the states on every Feistel switch.
For modeling rotations and bitpermutations in an SAT/SMT solver, we simply have to reindex the variables accordingly before they are input to another function. This can be achieved using SMT predicates (ASSERT and equality) in the CVC language. Rotations can be realized using predicates for shifting words and the wordwise or function that are available in the CVC language. The multiplication by a binary matrix can be modeled using the xor predicate at the wordlevel.
ARX Designs. ARX designs use modular additions (modulo \(2^n\)), XOR and rotations. As modular addition is the only nonlinear component, that is not already available in the SMT solver, we use an algorithm proposed by Lipmaa and Moriai [36] to efficiently compute the differential probability of modular addition. Let \(xdp^+(\alpha , \beta \rightarrow \gamma )\) be the XOR differential probability of modular addition, where \(\alpha , \beta \) are input differences and \(\gamma \) is the output difference, then it holds that a differential is valid if and only if:
where
The weight of a valid differential is defined as:
where \(wt'(\cdot )\) denotes the Hamming weight omitting the most significant bit. We implemented this algorithm to calculate the differential probability of modular additions.
3.3 Finding the Best Characteristics and Differentials
We use the opensource tool CryptoSMT [45] for the automated search of differential characteristics and implemented several missing functionalities for block ciphers (i.e., support for Sboxes as described in Sect. 3.2, and binary diffusion matrices). CryptoSMT is based on the stateoftheart SAT/SMT solvers, CryptoMiniSat [40] and STP [50].
The tool offers a simple API that allows cryptanalysts and designers to formulate various cryptanalytic problems and solve them with the underlying SAT/SMT solver. We added the models for the block ciphers Skinny, Midori, Rectangle, Present, Prince, Sparx, Twine and LBlock (Note that some of these are block cipher families and we focused on a subset of parameters) to CryptoSMT and use the following two functionalities provided by the tool:

Decide if a differential characteristic with probability p exists.

Enumerate all differential characteristics with a probability of p.
Based on this we can achieve our two goals, namely finding the best differential characteristic and estimating the probability of the differential.
Best Differential Characteristic. In order to find the characteristic Q with maximum probability \(p_\text {max}\) for r rounds of a block cipher we start by checking whether our model is satisfiable for a probability of p, starting at \(p = 1\). If our model is not satisfiable we continue by checking whether there is a valid assignment for \(p = 2^{1}\). Note that for all our block ciphers the probability of the differential transitions are powers of two and therefore there does not exist any differential characteristic which has a probability \(p'\) such that \(2^{(t+1)}< p' < 2^{t}\) for any integer t. We continue this process until we reach a model which is satisfiable, which gives us an assignment of all variables of the state forming a valid differential characteristic with probability \(p_\text {max} = 2^{t}\). Considering that we start with probability \(p=1\) and then we constantly increase the weight, and finish as soon as we found an valid assignment, we can ensure that we found the best differential characteristic.
Estimate for the Probability of a Differential. In order to find a good differential we can use a tool assisted approach to compute an approximation for Eq. 6, as shown in [41]. We first obtain the best single characteristic Q with probability \(p = 2^{t}\) which gives us the input difference \(\alpha _1\) and output difference \(\alpha _r\). Subsequently we modify our model and fix the input and output difference to \(\alpha _1\) respectively \(\alpha _r\). Note that this restricts the search space significantly and results in a much faster time for solving any subsequent SMT instances.
The next step is to find all differential characteristics Q, such that \(\text {DP}(Q) = 2^{u}\), for \(u = t, t + 1, \ldots \), under this new constraints. This allows us to collect more and more terms of the sum in Eq. 6, improving our approximation for the differential. By doing this process we always search for those differential characteristics which contribute the most to the probability of the differential first.
Here we assume that the input and output difference imposed by the best differential characteristic correspond to a good differential. While this assumption might not always hold and some of the differentials we found significantly improve the best differential distinguishers there could still exist better starting points for our search, for example as shown in [32] against the block cipher Simeck.
4 Analysis of the Gap in Lightweight Ciphers
The construction of cryptographic primitives optimized for resource constrained devices has received a lot of attention over the last decade and various design strategies and optimisation targets have been explored. All these primitives exhibit the idea of using simpler operations in order to save costs and therefore often exhibit a simpler algebraic structure compared to other symmetrickey algorithms.
For some design strategies this leads to a significant larger gap between single characteristics and differentials. This gap becomes especially relevant for aggressively optimised designs with minor security margins. Table 1 gives an overview of all the block ciphers we analysed with the methodology outlined in Sect. 3 and their security margins as well as the best known differential attacks.
4.1 Designs Strategies
We categorise these lightweight ciphers according to their design strategies as this has the largest influence on the gap. In general one can distinguish between two main design families: SubstitutionPermutation Networks (SPN) and Feistel Networks. Within these families we can gather ciphers according to other structural properties. These are for SPN: AESlike, Bitsliced Sboxes, Bitbased Permutation Layers, Reflection Ciphers, ARXbased and for Feistel: ARXbased, Generalized Feistel Networks and Twobranched.
In our study, we then analyzed the differential gaps for Midori [6], Skinny [8], Rectangle [54], Present [14], Prince [15], Sparx [23], Simon [7], Speck [7], Twine [47], and LBlock [47] where Table 1 categorises the ciphers according their aforementioned structural properties.
4.2 Skinny
Skinny [8] is an AESlike tweakable block cipher, based on the Tweakey framework [28]. The aim of Skinny is to achieve the hardware performance of the ANDRXcipher Simon and have strong security bounds against differential/linear attacks (this includes the relatedkey scenario), while also having competitive software performance. The resistance against differential/linear attacks in Skinny is based on counting the minimal number of active Sboxes, in the singlekey and relatedtweakey models. As the design of Skinny is based on a few very simple but highly efficient cryptographic building blocks it seems intuitive that one can expect that a large number of differential characteristics will contribute to a differential. Recent attacks [3, 38] exploited the low branch number of the binary diffusion matrix, as well as properties of the tweakey schedule.
Using our toolassisted approach we analysed this gap in Skinny64 (see Fig. 1) and can provide some new insights to the security of Skinny64. For example the best 8round single differential characteristic \(Q^8_{\max }\) suggests a probability of \(2^{72}\) while the differential \(D^8\) defined by the input/output difference of \(Q^8_{\max }\) consists of a large cluster of characteristics leading to the differential
with a probability larger than \(2^{56.55}\) by taking all 821896 characteristics^{Footnote 3} into account which have \(\text {DP}> 2^{99}\). Note that the probabilities and the number of characteristics are obtained with a fixed input/output difference as noted in Eq. 15. This suggests that estimates from active Sboxes should be taken with care as the gap is fairly large. However, the number of rounds in Skinny64 is chosen very conservatively and it provides a large security margin.
In particular the probability of the differential improves very quickly when adding more characteristics, as the distribution of the number of characteristics with a probability \(2^{t}\) is very flat over the choice of t (see Fig. 1). For example there are 39699 characteristics with \(\text {DP}= 2^{75}\) and 25413 characteristics with \(\text {DP}= 2^{76}\) and the probability of the differential only improves marginally by considering more characteristics with a lower probability. On the contrary, for designs like Simon (see Fig. 5) this distribution grows exponentially as the probability of the single characteristics decreases as has also been noted in [31], and one has to take a much larger number of characteristics into account before getting a good approximation. For a detailed overview over how many characteristics contribute to each differential see Appendix A.
4.3 Midori
Midori is an AESlike lightweight block cipher optimized for lowenergy usage using a binary nearMDS matrix combined with a generic cell permutation for diffusion. Despite that Midori64 has a large number of \(2^{32}\) weak keys, for which Midori64 can be practically broken with invariant subspace attacks [27], there has been no differential attacks on even reduced versions of Midori, apart from a relatedkey attack by Gérault and Lafourcade [26].
The gap between the differential probability of a single characteristic and a differential behaves similar to Skinny64, i.e., counting the active Sboxes gives an inaccurate bound against differential distinguishers. For example we found new differentials for Midori64 where the 8round single differential characteristic suggests a probability of \(2^{76}\) and the corresponding 8round differential
has a probability larger than \(2^{60.86}\) by summing all 693730 characteristics up to a probability of \(2^{114}\). Similar to Skinny the distribution of the contributing characteristics is very flat, which means that we quickly approach a good estimate for the probability of the differential (see Fig. 2).
4.4 Sparx
Sparx [23] is based on the longtrail strategy, introduced alongside with Sparx, which can be seen as combining the ARX approach with an SPN, allowing to provide bounds on the differential resistance of an ARX cipher by counting the active Sboxes. While it is also feasible to prove such a bound using the methodology from Sect. 3, it is often computationally infeasible or the bounds are not very tight [41]. The designers of Sparx used the YAARX toolkit [12] to show truncated characteristics, that they used to compute the differential bounds. One of the main design motivations of Sparx was that it should be very difficult to find differential characteristics for a large number of rounds for ARXbased ciphers with a state of more than 32 bits [22].
In general ARX ciphers do not have a very strong differential effect compared to the previous lightweight SPN constructions, however as Sparx is inbetween those it is an interesting target. Our results suggest that Sparx64 has a differential effect comparable to other ARX designs like Speck64 (see Fig. 3). The major limitation for applying our approach to Sparx is that the search for optimal differential characteristics on Sparx is computationally very costly. While singlecharacteristics up to 6 rounds can be found in less then 5 min, the 10round singlecharacteristic took already 32 days, on a single core^{Footnote 4}.
4.5 Results for Other Lightweight Ciphers
Table 2 summarizes the gaps between singlecharacteristics and differentials for all lightweight block ciphers we analyzed. We observed that for most ciphers a large gap between the probability for singlecharacteristics and differentials exists and that a higher number of rounds is required for the block ciphers to be differential resistant. The gaps also increase significantly with the number of rounds, which is not surprising as with more rounds there are more valid differential characteristics for a given input/output difference.
The biggest gap, in term of number of rounds, occurs for Simon64 with a gap of five rounds. There is also a 2round gap for ciphers like Present, Midori and Twine. However, it seems that the gap for Simon64 grows faster, considering that the differentials and characteristics seem to follow an exponential growth as also observed in [31]. In comparison Present, Midori and Twine seem to grow in a linear way. In relation to the number of rounds, the gap for Midori also has quite a significant impact and allows to extend the distinguisher by two rounds. Further we observed that there seem to be nearly no gaps for ciphers like Rectangle and Speck. We illustrate the gaps for the analyzed ciphers in Fig. 4 and we provide Fig. 5 showing the distribution of valid differential characteristics that contribute to the probability of the best differential for each cipher.
4.6 Application of the Differential Gaps to the Best Published Differential Attacks
In the following, we analyze the best published attacks and discuss improvements of the attacks when possible:
Gérault and Lafourcade [26] proposed relatedkey differential attacks on fullround Midori64, where they use 16 15round and \(4 \cdot 14\)round relatedkey differential characteristics to recover the key. In their attacks they do not exploit differentials. In comparison, the best differential that we found reaches 8 rounds with a probability of \(2^{60.86}\).
Liu et al. [38] propose relatedtweakey rectangle attacks on 26 rounds of Skinny64192 and they use optimal single differential characteristics based on truncated differential characteristics. The authors exploit the differential gap of Skinny by using 5000 single differential characteristics to compute the differential for a 22round distinguisher. In comparison, the best differential characteristic with no differences in the tweak/key that we found reaches 8 rounds with a probability of \(2^{56.55}\).
Zhang et al. [54] studied the differential effect and showed an 18round differential attack, where they used a 14round differential with a probability of \(2^{62.83}\). In our analysis we found a better differential for 14 rounds with probability of \(2^{60.63}\) by summing up 40627 singlecharacteristics which would improve the complexity of these attacks. For more rounds the distinguisher are below \(2^{64}\).
Liu and Jin [37] presented an 18round attack based on slendersets. Wang et al. [51] further presented normal differential attacks on 16round Present where they used a differential with probability \(2^{62.13}\) by summing up 91 differential characteristics which is comparable to our differentials.
Canteaut et al. [17] showed differential attacks on 10 rounds of Prince, by considering multiple differential characteristics. In their attack they use 12 differentials for 6 rounds with a probability of \(2^{56.42}\) by summing up 1536 singlecharacteristics. The differential we found for 6 rounds only has a probability of about \(2^{62}\), but does not lead to further improvements of the attack.
Ankele and List [4] studied truncated differential attacks on 16 rounds of Sparx64/128 and used single differential characteristics, for the first part of the 14round distinguisher, and truncated the second part of the distinguisher. The designers of Sparx64 claim that Sparx is differential secure for 15 rounds, however, by considering the differential effect of Sparx64, also in comparison with Speck64, it seems likely that there exist differentials with more than 15 rounds with a data complexity below using the full codebook.
Abed et al. [2] presented differential attacks on Simon64, where they used a 21round distinguisher with a probability of \(2^{61.01}\). Better distinguishers are reported by [39] for 23 rounds with a probability of \(2^{63.91}\). The differentials we found are in line with previous results.
Song et al. [44] presented 20round attacks on Speck64 by constructing a distinguisher from two short characteristics where they concatenated the two characteristics to a 15round characteristic with probability \(2^{60.56}\). The distinguishers used in the attack are already based on differentials and the differentials we found do not lead to any improvement.
Biryukov et al. [10] showed a 25round impossible differential attack and a truncated differential attack on 23 rounds by chaining several iterated 4round characteristics together. In the paper the authors also considered differentials for 12 rounds with a probability of \(2^{52.08}\) and 16 rounds with probability \(2^{67.59}\). The best differential that we found reaches 15 rounds with a probability of \(2^{62.89}\).
Wang et al. [52] published a 24round impossible differential attack on LBlock. Due to the nature of impossible differential attacks, characteristics with probability 1 are used for constructing these. The best differential that we found reaches 15 rounds with a probability of \(2^{61.43}\).
5 Experimental Verification and the Influence of Keys
In Sect. 2 we made several assumptions in order to compute \(\text {DP}(Q)\) and in this section we compare the theoretical estimates with experiments for reducedround versions. This serves two purpose: First we want to see how close our estimate for \(\text {DP}(\alpha , \beta )\) is and secondly we want to see the distribution over the choice of keys. Specifically, we are interested in the number of pairs
This number of good pairs will vary over the choice of the key. For a random process we would expect that the number of valid pairs is about \(\text {DP}\cdot 2^n\) and follows a Poisson distribution.
Definition 5
Let X be a Poisson distributed random variable representing the number of pairs (a, b) with values in \(\mathbb {F}_2^n\) following a differential \(D = (\alpha \xrightarrow {f} \beta )\), that means \(f(a) \oplus f(a \oplus \alpha ) = \beta \), then
where p is the probability of the differential.
In the following, we experimentally verify differentials for Skinny, Speck and Midori for a large number of random pairs of plaintexts and a random choice of keys to see how good this approximation is.
5.1 Skinny
As a first example we look at Skinny64. We use the 6round differential
for Skinny64. The best characteristic which is part of D has a probability of \(2^{32}\) and by collecting all characteristics (100319) contributing to this differential we estimate \(\text {DP}(D) \approx 2^{23.52}\). We try out \(2^{30}\) randomly selected pairs for 10000 keys and count the number of pairs following D. From our estimate we would expect that on average we get about 89 pairs for a key.
As one can see from Fig. 6 our estimate of \(\text {DP}(D)\) provides a good approximation for the distribution over the keys, although the distribution has a larger variance than we expected.
5.2 Speck
For Speck64 we look at the differential
over 7 rounds. The best characteristic in D has a probability of \(2^{21}\) and this only slightly improves to about \(2^{20.95}\) using 6 additional characteristics. We again run our experiments for \(2^{30}\) randomly selected pairs for 10000 keys and count the number of pairs following D. On average we would expect 530 pairs.
In Fig. 7 it can be seen that for 7round Speck64 the distribution is bimodal and we over respectively underestimate the number of valid pairs for most keys.
5.3 Midori
For Midori64 we look at the differential
over 4 rounds. The best characteristic in D has a probability of \(2^{32}\) and this improves to about \(2^{23.79}\) using 896 additional characteristics. We again run our experiments for \(2^{30}\) randomly selected pairs for 3200 keys and count the number of pairs following D. On average we would expect about 74 pairs.
In Fig. 8 it can be seen that for 4round Midori64 the distribution is very different from the previous cases. For some keys the probability is significantly higher and for about \(80\%\) of the keys we get 0 good pairs. This means that for a large fraction of keys we actually found an impossible differential and one should be careful when constructing differential distinguishers for Midori. In particular it would be interesting to classify this set of impossible keys and we leave this as an open problem. Moreover, this also implies the existance of a large class of weak keys, that has also been observed in the invariant subspace attacks on Midori64 [27, 34, 49].
6 Conclusions
In this work we showed for several lightweight block ciphers that the gap between single characteristics and differentials can be surprisingly large. This leads to significantly higher probability of differentials in several designs and allows us to have differential distinguishers covering more rounds.
We provided a simple framework to automate the process of collecting many differential characteristics that are contributing to the probability of a differential. We hope this will encourage future designs of cryptographic primitives to apply our methodology in order to provide better bounds on the security against differential cryptanalysis.
Further we verified differentials for a reduced number of rounds experimentally and showed that our improved estimates of the probability of differentials of Skinny closely resembles what happens in experiments. However, we can also observe that some commonly made assumptions on the distribution of good pairs following a differential over the choice of keys has to be made very carefully. For instance, the results for Speck and Midori indicate that one needs to be very careful in presuming that the estimates apply to all key values.
Notes
 1.
 2.
A list of all bitwise and word level functions in CVC is available at: http://stp.github.io/cvcinputlanguage/.
 3.
This process took in total 23.5 h on a single core, however after 1 h the estimate for the differential probability improves by less than \(2^{0.9}\).
 4.
Note that this process can not easily be parallelized as most SAT solvers are inherently serial.
References
Abdelraheem, M.A., Ågren, M., Beelen, P., Leander, G.: On the distribution of linear biases: three instructive examples. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 50–67. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642320095_4
Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of roundreduced Simon and Speck. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662467060_27
Ankele, R., et al.: Relatedkey impossibledifferential attack on reducedround Skinny. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 208–228. Springer, Cham (2017). https://doi.org/10.1007/9783319612041_11
Ankele, R., List, E.: Differential cryptanalysis of roundreduced sparx64/128. Cryptology ePrint Archive, Report 2018/332 (2018). https://eprint.iacr.org/2018/332
Aumasson, J.P., Jovanovic, P., Neves, S.: Analysis of NORX: investigating differential and rotational properties. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 306–324. Springer, Cham (2015). https://doi.org/10.1007/9783319162959_17
Banik, S., et al.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662488003_17
Beaulieu, R., Shors, D., Smith, J., TreatmanClark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/2013/404
Beierle, C., et al.: The SKINNY family of block ciphers and its lowlatency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530085_5
Biham, E., Shamir, A.: Differential cryptanalysis of DESlike cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3540384243_1
Biryukov, A., Derbez, P., Perrin, L.: Differential analysis and meetinthemiddle attack against roundreduced TWINE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 3–27. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662481165_1
Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662467060_28
Biryukov, A., Velichkov, V.: Automatic search for differential trails in ARX ciphers. In: Benaloh, J. (ed.) CTRSA 2014. LNCS, vol. 8366, pp. 227–250. Springer, Cham (2014). https://doi.org/10.1007/9783319048529_12
Blondeau, C., Nyberg, K.: Improved parameter estimates for correlation and capacity deviates in linear cryptanalysis. IACR Trans. Symmetric Cryptol. 2016(2), 162–191 (2016). https://doi.org/10.13154/tosc.v2016.i2.162191
Bogdanov, A., et al.: PRESENT: an ultralightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540747352_31
Borghoff, J., et al.: PRINCE – a lowlatency block cipher for pervasive computing applications  extended abstract. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642349614_14
Canteaut, A.: Differential cryptanalysis of Feistel ciphers and differentially uniform mappings. In: Selected Areas on Cryptography, SAC 1997, pp. 172–184 (1997)
Canteaut, A., Fuhr, T., Gilbert, H., NayaPlasencia, M., Reinhard, J.R.: Multiple differential cryptanalysis of roundreduced PRINCE. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 591–610. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662467060_30
Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4round AES and AESlike ciphers. Computing 85(1), 85–104 (2009). https://doi.org/10.1007/s006070090034y
Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3540453253_20
Daemen, J., Rijmen, V.: Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007)
Davis, M., Logemann, G., Loveland, D.: A machine program for theoremproving. Commun. ACM 5(7), 394–397 (1962). https://doi.org/10.1145/368273.368557
Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Private communication
Dinu, D., Perrin, L., Udovenko, A., Velichkov, V., Großschädl, J., Biryukov, A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 484–513. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538876_18
Dobraunig, C., Eichlseder, M., Kales, D., Mendel, F.: Practical keyrecovery attack on MANTIS5. IACR Trans. Symmetric Cryptol. 2016(2), 248–260 (2016). https://doi.org/10.13154/tosc.v2016.i2.248260
Eichlseder, M., Kales, D.: Clustering relatedtweak characteristics: application to MANTIS6. IACR Trans. Symmetric Cryptol. 2018(2), 111–132 (2018). https://doi.org/10.13154/tosc.v2018.i2.111132
Gérault, D., Lafourcade, P.: Relatedkey cryptanalysis of Midori. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 287–304. Springer, Cham (2016). https://doi.org/10.1007/9783319498904_16
Guo, J., Jean, J., Nikolic, I., Qiao, K., Sasaki, Y., Sim, S.M.: Invariant subspace attack against Midori64 and the resistance criteria for Sbox designs. IACR Trans. Symmetric Cryptol. 2016(1), 33–56 (2016). https://doi.org/10.13154/tosc.v2016.i1.3356
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662456088_15
Daemen, J., Peeters, M., Van Assche, G., Rijmen, V.: Nessie Proposal: NOEKEON (2000). http://gro.noekeon.org/Noekeonspec.pdf
Keliher, L., Sui, J.: Exact maximum expected differential and linear probability for tworound advanced encryption standard. IET Inf. Secur. 1(2), 53–57 (2007). https://doi.org/10.1049/ietifs:20060161
Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662479896_8
Kölbl, S., Roy, A.: A brief comparison of Simon and Simeck. In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 69–88. Springer, Cham (2017). https://doi.org/10.1007/9783319557144_6
Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3540464166_2
Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642227929_12
Leurent, G.: Analysis of differential attacks in ARX constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 226–243. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642349614_15
Lipmaa, H., Moriai, S.: Efficient algorithms for computing differential properties of addition. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 336–350. Springer, Heidelberg (2002). https://doi.org/10.1007/354045473X_28
Liu, G.Q., Jin, C.H.: Differential cryptanalysis of PRESENTlike cipher. Des. Codes Cryptogr. 76(3), 385–408 (2015). https://doi.org/10.1007/s1062301499651
Liu, G., Ghosh, M., Song, L.: Security analysis of SKINNY under relatedtweakey settings (long paper). IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017). https://doi.org/10.13154/tosc.v2017.i3.3772
Liu, Z., Li, Y., Wang, M.: Optimal differential trails in SIMONlike ciphers. IACR Trans. Symmetric Cryptol. 2017(1), 358–379 (2017). https://doi.org/10.13154/tosc.v2017.i1.358379
Mate Soos: CryptoMiniSat SAT solver (2009). https://github.com/msoos/cryptominisat/
Mouha, N., Preneel, B.: Towards finding optimal differential characteristics for ARX: application to Salsa20. Cryptology ePrint Archive, Report 2013/328 (2013). http://eprint.iacr.org/2013/328
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixedinteger linear programming. In: Wu, C.K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642347047_5
Niemetz, A., Preiner, M., Biere, A.: Boolector 20 system description. J. Satisf. Boolean Model. Comput. 9, 53–58 (2014). (Published 2015)
Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/9783319403670_24
Kölbl, S.: CryptoSMT: an easy to use tool for cryptanalysis of symmetric primitives (2015). https://github.com/kste/cryptosmt
Sun, S., et al.: Towards finding the best characteristics of some bitoriented block ciphers and automatic enumeration of (relatedkey) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014). http://eprint.iacr.org/2014/747
Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642359996_22
Tezcan, C., Okan, G.O., Şenol, A., Doğan, E., Yücebaş, F., Baykal, N.: Differential attacks on lightweight block ciphers PRESENT, PRIDE, and RECTANGLE revisited. In: Bogdanov, A. (ed.) LightSec 2016. LNCS, vol. 10098, pp. 18–32. Springer, Cham (2017). https://doi.org/10.1007/9783319557144_2
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack  practical attack on full SCREAM, iSCREAM, and Midori64. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538906_1
Ganesh, V., Hansen, T., Soos, M., Liew, D., Govostes, R.: STP constraint solver (2007). https://github.com/stp/stp
Wang, M., Sun, Y., Tischhauser, E., Preneel, B.: A model for structure attacks, with applications to PRESENT and Serpent. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 49–68. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642340475_4
Wang, N., Wang, X., Jia, K.: Improved impossible differential attack on reducedround LBlock. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 136–152. Springer, Cham (2016). https://doi.org/10.1007/9783319308401_9
Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for hash functions MD4, MD5, HAVAL128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 (2004). http://eprint.iacr.org/2004/199
Zhang, W., Bao, Z., Lin, D., Rijmen, V., Yang, B., Verbauwhede, I.: RECTANGLE: a bitslice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015). https://doi.org/10.1007/s1143201554597
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Detailed Data for Midori, Skinny and Sparx
In the following we give a more detailed overview over the analysis on Midori, Skinny and Sparx. In particular we give the following metrics

Best differential characteristic for r rounds.

Estimate of the differential with the input/output difference of the best differential characteristic found.

Number of differential characteristics we used for the estimate.

The maximum weight of the differential characteristics we use for the estimate.

Search time to find the best single differential characteristic and all the differential characteristics for the best differential (Tables 3 and 4).
B Differentials for Midori, Skinny and Sparx
In the following we give the best differentials that we found for Midori, Skinny and Sparx. The differentials for many other lightweight ciphers together with the source code to generate the differential models is publicly available at: https://github.com/TheBananaMan/cryptosmt (Tables 5, 6, 7 and 8).
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Ankele, R., Kölbl, S. (2019). Mind the Gap  A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis. In: Cid, C., Jacobson Jr., M. (eds) Selected Areas in Cryptography – SAC 2018. SAC 2018. Lecture Notes in Computer Science(), vol 11349. Springer, Cham. https://doi.org/10.1007/9783030109707_8
Download citation
DOI: https://doi.org/10.1007/9783030109707_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030109691
Online ISBN: 9783030109707
eBook Packages: Computer ScienceComputer Science (R0)