Abstract
At CRYPTO'16, Beierle et al. presented SKINNY, a family of lightweight tweakable block ciphers intended to compete with the NSA designs SIMON and SPECK. SKINNY can be implemented efficiently in both software and hardware and supports block sizes of 64 and 128 bits as well as tweakey sizes of 64, 128, 192 and 128, 256, 384 bits, respectively. This paper presents a related-tweakey impossible-differential attack on up to 23 (out of 36) rounds of SKINNY64/128 for different tweak sizes. All our attacks can be trivially extended to SKINNY128/128.
Keywords: Symmetric Cryptography, Cryptanalysis, Tweakable block cipher, Impossible differential, Lightweight cryptography
1 Introduction
SKINNY is a family of lightweight tweakable block ciphers recently proposed at CRYPTO 2016 by Beierle et al. [3]. Its goal was to design a cipher that could be implemented highly efficiently on both software and hardware platforms, with performance comparable to or better than the SIMON and SPECK families of block ciphers [1]. Like the NSA designs SIMON and SPECK, SKINNY supports a wide range of block sizes and tweak/key sizes – however, in contrast to the AndRX- and AddRX-based NSA proposals, SKINNY is based on the better understood Substitution-Permutation-Network approach.
SKINNY offers a large security margin within the number of rounds for each member of the SKINNY family. The designers show that the currently best known attacks reach close to half of the number of rounds of the cipher. To motivate third-party cryptanalysis, the designers of SKINNY recently announced a cryptanalysis competition [2] for SKINNY64/128 and SKINNY128/128 with the obvious challenge of attacking more rounds than the preliminary analysis, concerning both the single- and related-key models.
Related Work. Recently and independently of our analysis, Liu et al. [7] analyzed SKINNY in the related-tweakey model, showing impossible-differential and rectangle attacks on 19, 23, and 27 rounds of SKINNYn/n, SKINNYn/2n and SKINNYn/3n, respectively. In [9], Tolba et al. showed impossible-differential attacks for 18, 20, 22 rounds of SKINNYn/n, SKINNYn/2n and SKINNYn/3n, respectively. Additionally, Sadeghi et al. [8] studied related-tweakey impossible-differential and zero-correlation linear characteristics. In comparison to the other attacks, our 23-round related-tweakey impossible-differential attack on SKINNY64/128 has the lowest time complexity so far. Table 1 summarizes our attacks and compares them to existing attacks on SKINNY64/128.
Contributions and Outline. In this paper, we propose an impossible-differential attack on SKINNY64/128 reduced to 23 rounds in the related-key model. The attack uses an 11-round impossible-differential trail, to which six and four rounds can be added to obtain a 21-round attack. Later, we show that another round can be appended, leading to a 22-round attack, and even a 23-round attack.
The paper is organized as follows. In Sect. 2, we give a brief introduction to the SKINNY family of block ciphers. In Sect. 3, we detail the attack on SKINNY and provide time and memory complexities. Finally, Sect. 4 concludes the paper.
2 Description of SKINNY
Each round of SKINNY consists of the operations SubCells, AddRoundConstants, AddRoundTweakey, ShiftRows, and MixColumns. The round operations are schematically illustrated in Fig. 1. A cell represents a 4-bit value in SKINNY64/* and an 8-bit value in SKINNY128/*.
We concentrate on SKINNY64/128, which has a 64-bit block size and a 128-bit tweakey size. The data is arranged nibble by nibble in a row-wise fashion in a \(4 \times 4\) matrix. SKINNY64/128 recommends 36 rounds.
SubCells (SC): substitutes each nibble x by S(x), which is given below.

 x    | 0 1 2 3 4 5 6 7 8 9 a b c d e f
 S(x) | c 6 9 0 1 a 2 b 3 8 5 d 4 e 7 f

AddRoundConstants (AC): adds LFSR-based round constants to Cells 0, 4, and 8 of the state.
AddRoundTweakey (ART): adds the round tweakey to the first two state rows.
ShiftRows (SR): rotates the \(i^{th}\) row, for \(0 \le i \le 3\), by i positions to the right.
MixColumns (MC): multiplies each column of the state by a matrix M:
Tweakey Schedule. The tweakey schedule of SKINNY, as illustrated in Fig. 2, follows the TWEAKEY framework [5]. In contrast to the previous TWEAKEY designs Deoxys-BC and Joltik-BC, SKINNY employs a significantly more lightweight strategy. In each round, only the two topmost rows of each tweakey word are extracted and XORed to the state. An additional round-dependent constant is also XORed to the state to prevent attacks based on symmetry.
The 128-bit tweakey is arranged in two 64-bit tweakey words, represented by \(TK_1\) and \(TK_2\). In each round, the tweakey words are updated by a cell permutation \(P_T\) that ensures that the two bottom rows of a tweakey word in a certain round are exchanged with the two top rows of the tweakey word in the subsequent round. The permutation is given as:
The permutation \(P_T\) has a period of 16, as visualized in Fig. 7 in the appendix. Moreover, each individual cell in the two topmost rows of \(TK_2\) is transformed by a 4-bit LFSR to minimise the cancellation of differences from \(TK_1\) and \(TK_2\); \(TK_1\) employs no LFSR transformation. The LFSR transformation L is given by
where \(x_3,x_2,x_1,x_0\) represent the individual bits of every tweakey nibble.
3 Related-Key Impossible-Differential Attack
Impossible-differential attacks were introduced independently by Biham et al. [4] and Knudsen [6]. They are widely used as an important cryptanalytic technique. The attack starts with finding an input difference that can never result in a certain output difference. By adding rounds before and/or after the impossible differential, one can collect pairs with certain plaintext and ciphertext differences. If there exists a pair that meets the input and output values of the impossible differential under some subkey, this subkey must be wrong. In this way, we filter as many wrong keys as possible and exhaustively search the rest of the keys.
Notations. Let us state a few notations that are used in the attack description:
- \(K^{r}\) represents the \(r^{th}\) round key. This is equal to \(TK_1^r\oplus TK_2^{r}\). Similarly, \(k^r[i] = tk^r_1[i] \oplus tk^r_2[i]\) represents the individual \(i^{th}\) tweakey nibble in round r.
- \(A^{r}\) represents the internal state before SC in round r.
- \(B^{r}\) represents the internal state after SC in round r.
- \(C^{r}\) represents the internal state after ART in round r.
- \(D^{r}\) represents the internal state after SR in round r.
- \(E^{r}\) represents the internal state after MC in round r. Furthermore, \(E^r = A^{r+1}\).
- \(L^{t}\) represents the t-fold composition of the LFSR function L.
- \(\overline{X}\) represents the corresponding variable X in the related-key setting.
- \(X[i]\) represents the \(i^{th}\) nibble of the corresponding variable X.
Impossible-Differential Trail. Figure 3 presents the 11-round related-key differential trail that we use. We introduce a nibble difference in Cell 8 of the combined tweakey. Since the initial difference is in Cell 8, i.e. in one of the bottom two rows of the tweakey, it does not affect the state in the first round, and will be added to the state from the second round onwards. Similarly, in the backward trail, the difference in the 11th round-tweakey appears in Cell 11 (in a bottom row), due to which we get an extra round in the backward direction.
Lemma 1
The equation \(S(x \oplus \varDelta _i) \oplus S(x)=\varDelta _o\) has one solution x on average for \(\varDelta _i,\varDelta _o \ne 0\). A similar result holds for the inverse S-box \(S^{-1}\).
Proof
The above fact can be deduced by analyzing the Differential Distribution Table (DDT) of the S-box S as illustrated in Table 2 in the appendix. The average can be calculated as \(\frac{1}{225}\cdot \sum _{\varDelta _i,\varDelta _o \ne 0} DDT(\varDelta _i,\varDelta _o)\approx 1\). A similar exercise can be done for the inverse S-box, yielding the same result.
Lemma 2
For random values of x and \(\varDelta _i,\varDelta _o \ne 0\), the equation \(S(x \oplus \varDelta _i) \oplus S(x)=\varDelta _o\) holds with probability around \(2^{-4}\).
Proof
The above fact can also be deduced by analyzing the Differential Distribution Table (DDT) of the S-box S as illustrated in Table 2 in the appendix. The probability can be calculated as follows (let \(\mathsf{Pr}[(x,\delta _i,\delta _o)]\) denote the probability that the equation is satisfied for the triplet \(x,\delta _i,\delta _o\)):
Attack on 21 Rounds. The impossible-differential trail described in Fig. 3 can be extended by six and four rounds in the backward and forward direction, respectively, as will be explained in the following two lemmas.
Lemma 3
It is possible to find plaintext pairs \(P,\overline{P}\) and related-tweakey pairs \(K,\overline{K}\) such that, if the tweakey pairs differ only in nibble position 11, then there is no difference in the internal state after executing six rounds of SKINNY64/128 with the plaintext-tweakey pairs (P, K) and \((\overline{P},\overline{K})\).
Proof
We will show how the required plaintext and tweakey pairs are generated. We choose the nibble at Position 11 to introduce the initial difference because after completing six rounds, the difference is shuffled to Cell 8 of the round key, which coincides with the beginning of the impossible differential trail, shown in Fig. 3. It can be seen that the AddRoundTweakey in the first round can be pushed behind the MixColumns operation by changing the first round key to Lin \((K_1)\) where Lin = MC \(\circ \) SR represents the linear layer (refer to Fig. 4).
Furthermore, the initial difference between \(K=TK_1^1 \oplus TK_2^1\) and \(\overline{K}=\overline{TK_1^1} \oplus \overline{TK_2^1}\) can be selected in a specific form, so that in Round 6, the tweakey difference is zero. Let us denote \(\delta _1 = tk_1^1[11] \oplus \overline{tk_1^1}[11]\) and \(\delta _2 = tk_2^1[11] \oplus \overline{tk_2^1}[11]\). In Round 6, the difference will appear in Cell 0 of the round key and so we want:
So, if the attacker chooses \(\delta _1, \delta _2\) satisfying the equation \(\delta _1 \oplus L^3(\delta _2)=0\), then there is no difference introduced via the round-key addition in Round 6. The attacker should therefore follow these steps:
1. Take any plaintext P and compute the state after the first-round MixColumns, i.e. \(E^1\).
2. Take any three-nibble difference \(\varDelta _1,\varDelta _3,\varDelta _4\) to construct \(\overline{E^1}\) such that
The value of \(\varDelta _2\) will be determined shortly. The attacker can recover \(\overline{P}\) by inverting the MC, SR, AC and SC layers on \(\overline{E^1}\).
3. The attacker chooses the difference \(\alpha \) in Cell 14 of \(E^2\). She then calculates \(k^1[1]\), \(k^1[3]\), \(k^1[7]\) so that
For example, \(k^1[1]\) is a solution of the equation:
$$ S\left( E^1[5] \oplus k^1[1]\right) \oplus S\left( E^1[5] \oplus \varDelta _1 \oplus k^1[1]\right) = \alpha . $$
Lemma 1 ensures that the equation above has one solution on average.
4. \(\beta \) needs to be equal to \(k^2[7] \oplus \overline{k^2}[7] = tk_1^2[7] \oplus tk_2^2[7] \oplus \overline{tk_1^2}[7] \oplus \overline{tk_2^2}[7]\). This is equal to \(tk_1^1[11] \oplus L(tk_2^1[11]) \oplus \overline{tk_1^1}[11] \oplus L(\overline{tk_2^1}[11]) = \delta _1 \oplus L(\delta _2)\). So, the attacker chooses \(\delta _1\) and \(\delta _2\) satisfying \(\delta _1 \oplus L^3(\delta _2) = 0\) and calculates \(\beta = \delta _1 \oplus L(\delta _2)\). \(\varDelta _2\) can then be determined as a solution of the equation:
$$\begin{aligned} S\left( E^1[7] \oplus k^1[3]\right) \oplus S\left( E^1[7] \oplus \varDelta _2 \oplus k^1[3]\right) = \beta \end{aligned}$$ (1)
The attacker now has the values of \(\varDelta _1\), \(\varDelta _2\), \(\varDelta _3\), \(\varDelta _4\) and so he can compute \(E^1,\overline{E^1}\) and hence \(P,\overline{P}\).
5. However, the attacker still needs that in Round 4, the active nibble in \(B^4[1]\) is equal to \(\delta _1 \oplus L^2(\delta _2)\) to make all the state cells inactive in \(C^4\), \(D^4\), and \(E^4\).
6. The attacker needs to guess three round-key values in Round 1 (i.e. \(k^1[2]\), \(k^1[4]\), \(k^1[6]\)) and three round-key values in Round 2 (i.e. \(k^2[1] = tk_1^1[15] \oplus L(tk_2^1[15])\), \(k^2[2] = tk_1^1[8] \oplus L(tk_2^1[8])\), \(k^2[6] = tk_1^1[12] \oplus L(tk_2^1[12])\)). If the attacker can guess these values, then he knows the actual values (marked with v) of the state cells for the plaintext pair \(P,\overline{P}\), as opposed to only differences (marked by 0), in both Figs. 4 and 5.
7. Guessing the tweakey nibbles mentioned above enables the attacker to calculate the value of \(B^3[1]\). Then, she calculates \(k^3[1] = tk_1^1[7] \oplus L(tk_2^1[7])\) as follows. Since \(D^3[1] = B^3[1]\oplus k^3[1]\) holds, we have:
$$ S\left( D^3[1] \oplus D^3[9] \oplus D^{3}[13]\right) \oplus S\left( D^3[1] \oplus D^3[9] \oplus \overline{D^{3}}[13]\right) = \delta _1 \oplus L^2(\delta _2). $$
Since the knowledge of the guessed key nibbles already allows the attacker to calculate \(D^3[9]\), \(D^3[13]\), and \(\overline{D^3}[13]\), \(k^3[1] = tk_1^1[7] \oplus L(tk_2^1[7])\) is the solution to the equation above. Again, Lemma 1 guarantees one solution on average. Since the attacker has already determined \(k^1[7] = tk_1^1[7] \oplus tk_2^1[7]\), this also determines the values of \(tk_1^1[7]\) and \(tk_2^1[7]\).
8. This guarantees that there are no more active nibbles after Round 4. The key difference does not add to the state in Round 5, and due to the fact that \(\delta _1 \oplus L^3(\delta _2) = 0\), the tweak difference becomes 0 in Round 6.
Thus, by guessing six and calculating three key nibbles, we can construct \(P,\overline{P}\) and \(K,\overline{K}\) so that the internal state after six rounds has no active nibbles.
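The following is an added example (Python), not code from the paper: it checks the S-box statistics behind Lemmas 1 and 2 and traces the combined round-key difference used in the proof of Lemma 3 (difference in Cell 11, no difference added in Round 6 when \(\delta _1 = L^3(\delta _2)\)). The S-box is the one tabulated in Sect. 2; the permutation \(P_T\) and the \(TK_2\) LFSR L are not reproduced on this page, so their values below are assumptions taken from the SKINNY specification.

```python
# Added example, not from the paper: S-box DDT facts (Lemmas 1 and 2) and the
# round-key difference trajectory of Lemma 3 for SKINNY-64/128.
# SBOX is the table in Sect. 2. P_T and the TK2 LFSR are ASSUMED from the
# SKINNY specification (Beierle et al., CRYPTO 2016); they are not on this page.

SBOX = [0xc, 0x6, 0x9, 0x0, 0x1, 0xa, 0x2, 0xb,
        0x3, 0x8, 0x5, 0xd, 0x4, 0xe, 0x7, 0xf]
SBOX_INV = [SBOX.index(y) for y in range(16)]

# Assumed from the spec: cell i of the round-(r+1) tweakey word is cell P_T[i]
# of the round-r word, i.e. the two bottom rows move up into the two top rows.
P_T = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def lfsr(x):
    """Assumed TK2 LFSR L on one nibble: (x3,x2,x1,x0) -> (x2,x1,x0,x3^x2)."""
    x3 = (x >> 3) & 1
    x2 = (x >> 2) & 1
    return ((x << 1) & 0xF) | (x3 ^ x2)


def lfsr_pow(x, t):
    """L^t: the t-fold composition of L."""
    for _ in range(t):
        x = lfsr(x)
    return x


def ddt(sbox=SBOX):
    """DDT: ddt[d_in][d_out] = number of x with S(x ^ d_in) ^ S(x) == d_out."""
    table = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for d_in in range(16):
            table[d_in][sbox[x ^ d_in] ^ sbox[x]] += 1
    return table


def solve_sbox_diff(d_in, d_out, sbox=SBOX):
    """All x with S(x ^ d_in) ^ S(x) == d_out, the equation solved for key
    nibbles in the steps of Lemmas 3 and 4."""
    return [x for x in range(16) if sbox[x ^ d_in] ^ sbox[x] == d_out]


def lemma1_average(sbox=SBOX):
    """Average number of solutions x over the 225 nonzero (d_in, d_out) pairs."""
    t = ddt(sbox)
    return sum(t[a][b] for a in range(1, 16) for b in range(1, 16)) / 225


def lemma2_probability(sbox=SBOX):
    """Pr[S(x ^ d_in) ^ S(x) == d_out] for random x and nonzero d_in, d_out."""
    return lemma1_average(sbox) / 16


def tweakey_word_schedule(tk, rounds, apply_lfsr):
    """Round-1..rounds versions of one 16-cell tweakey word
    (TK1: permutation only; TK2: permutation, then LFSR on rows 0 and 1)."""
    words = [list(tk)]
    for _ in range(rounds - 1):
        prev = words[-1]
        nxt = [prev[P_T[i]] for i in range(16)]
        if apply_lfsr:
            nxt = [lfsr(c) if i < 8 else c for i, c in enumerate(nxt)]
        words.append(nxt)
    return words


def round_key_differences(delta1, delta2, rounds=22, cell=11):
    """Per-round difference of the combined tweakey TK1 ^ TK2 when the two
    related tweakeys differ only in `cell`, by delta1 in TK1 and delta2 in TK2."""
    tk1 = [0] * 16
    tk2 = [0] * 16
    tk1[cell], tk2[cell] = delta1, delta2
    w1 = tweakey_word_schedule(tk1, rounds, apply_lfsr=False)
    w2 = tweakey_word_schedule(tk2, rounds, apply_lfsr=True)
    return [[a ^ b for a, b in zip(w1[r], w2[r])] for r in range(rounds)]


def active_round_key_cells(delta1, delta2, rounds=22):
    """{round: [(cell, difference), ...]} restricted to cells 0..7, the two
    rows that are actually XORed into the state by AddRoundTweakey."""
    active = {}
    for r, diff in enumerate(round_key_differences(delta1, delta2, rounds), start=1):
        cells = [(i, d) for i, d in enumerate(diff[:8]) if d]
        if cells:
            active[r] = cells
    return active


if __name__ == "__main__":
    d2 = 0x1
    d1 = lfsr_pow(d2, 3)  # delta1 = L^3(delta2), the choice made in Lemma 3
    print("Lemma 1 average:", lemma1_average(), "Lemma 2 probability:", lemma2_probability())
    print("rounds whose added tweakey rows carry a difference:", active_round_key_cells(d1, d2))
```

With \(\delta _1 = L^3(\delta _2)\) the output shows a difference added in Rounds 2 and 4 (Cells 7 and 1), none in Round 6, and the Round 18, 20 and 22 differences \(\delta _1 \oplus L^{9}(\delta _2)\), \(\delta _1 \oplus L^{10}(\delta _2)\), \(\delta _1 \oplus L^{11}(\delta _2)\) that Lemma 4 and Sects. 3.2 and 3.3 rely on.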
Lemma 4
Let \(C,\overline{C}\) be the two output ciphertexts after querying the plaintext-tweakey pairs (P, K) and \((\overline{P},\overline{K})\) to a 21-round SKINNY64/128 encryption oracle. Then, for a fraction \(2^{-40}\) of the ciphertext pairs, it is possible to construct a backward trail from round 21 to round 18 by guessing intermediate tweakey nibbles so that there are no active nibbles in the internal state at the end of round 17.
Proof
The attacker starts working backward from the ciphertext pairs \(C,\overline{C}\) and proceeds as follows (illustrated in Fig. 5):
1. The attacker rejects ciphertext pairs which do not have seven inactive cells (in Cells 3, 4, 5, 8, 9, 11, and 14) after peeling off the final MixColumns layer (i.e. in \(D^{21}\)). Thus, a fraction of \(2^{-28}\) of the pairs survives this stage.
2. Furthermore, the attacker rejects ciphertext pairs which do not have the difference \(\delta _1 \oplus L^{10}(\delta _2)\) in Cell 13 of \(A^{21}\), i.e. she rejects if \(A^{21}[13] \oplus \overline{A^{21}}[13]\ne \delta _1 \oplus L^{10}(\delta _2)\). Since calculating this cell does not require any key guess, she can do this filtering instantly, leaving a fraction of \(2^{-4}\) of the pairs after this stage.
3. Since the two bottommost rows of the state are not affected by the tweakey addition, and since \(tk_1^1[7],tk_2^1[7]\) are already known, the attacker can calculate the actual values in Cells 0, 8, and 12 of \(A^{21}\) for the ciphertext pairs. These have to be equal since they are the output of the 20th-round MixColumns operation on the leftmost column, which had only one active nibble in its input. If the active Cells 8 and 12 are different, the attacker can reject the pair. This adds another filter with probability \(2^{-4}\).
4. Since the actual values in Cell 0 of \(A^{21}\) for the ciphertext pairs were already calculated in the previous step, the attacker checks if the value of the active Cell 0 is equal to that of Cells 8 and 12, and rejects the pair otherwise. This adds another filter of probability \(2^{-4}\).
5. The attacker determines \(k^{21}[5] = tk_1^1[4] \oplus L^{10}(tk_2^1[4])\) so that the active nibble in Cell 5 of \(A^{21}\) is \(\delta _1 \oplus L^{10}(\delta _2)\). Since \(A^{21}[5] = S^{-1}\left( k^{21}[5] \oplus C^{21}[5]\right) \), \(k^{21}[5]\) is a solution to the equation below:
$$ S^{-1}\left( k^{21}[5] \oplus C^{21}[5]\right) \oplus S^{-1}\left( k^{21}[5] \oplus \overline{C^{21}}[5]\right) = \delta _1 \oplus L^{10}(\delta _2). $$
6. The attacker determines \(k^{21}[2]=tk_1^1[1]\oplus L^{10}(tk_2^1[1])\) and \(k^{21}[6] = tk_1^1[2]\oplus L^{10}(tk_2^1[2])\) so that the active nibbles in Cells 2 and 6 of \(A^{21}\) are equal to the active nibble in Cell 14. Again, this works since those cells are the output of the 20th-round MixColumns operation on Column 2, which had only one active nibble in its input.
7. Additionally, the attacker guesses \(k^{21}[4] = tk_1^1[0] \oplus L^{10}(tk_2^1[0])\). This enables the attacker to compute the actual values for the entire leftmost column of \(A^{21}\) and hence to compute the leftmost column of \(D^{20}\).
8. The value of the active nibble in Cell 10 of \(A^{20}\) is given as:
$$\begin{aligned} \begin{aligned} A^{20}[10] \oplus \overline{A^{20}}[10]&= S^{-1}\left( B^{20}[10]\right) \oplus S^{-1}\left( \overline{B^{20}}[10]\right) \\&= S^{-1}\left( D^{20}[8]\right) \oplus S^{-1}\left( \overline{D^{20}}[8]\right) = \eta . \end{aligned} \end{aligned}$$ (2)
Since the leftmost column of \(D^{20}\) is known, the attacker can calculate \(\eta \), which must be equal to the difference in Cell 14 of \(A^{20}\), since both cells are the output of the 19th-round MixColumns operation with one active input nibble.
$$\begin{aligned} \begin{aligned} A^{20}[14] \oplus \overline{A^{20}}[14]&= S^{-1}\left( D^{20}[13]\right) \oplus S^{-1}\left( \overline{D^{20}}[13]\right) \\&= S^{-1}\left( A^{21}[1] \oplus A^{21}[13]\right) \oplus S^{-1}\left( \overline{A^{21}}[1] \oplus \overline{A^{21}}[13]\right) . \end{aligned} \end{aligned}$$ (3)
It holds that \(A^{21}[1] = S^{-1}\left( C^{21}[1] \oplus k^{21}[1]\right) \) and \(\overline{A^{21}}[1] = S^{-1}(\overline{C^{21}}[1] \oplus k^{21}[1])\). By equating Eqs. (2) and (3), the attacker can solve for \(k^{21}[1] = tk_1^1[3] \oplus L^{10} (tk_2^1[3])\). One solution on average is guaranteed by Lemma 1.
9. The values \(tk_1^1[i] \oplus tk_2^1[i]\), for \(i = 1, 2, 3, 4\), were already determined during the calculation of the forward trail. So, using their values, the attacker can determine the actual values \(tk_1^1[i],~tk_2^1[i]\) for \(i = 1, 2, 3, 4\).
10. The attacker calculates \(k^{20}[2] = tk_1^1[9] \oplus L^{10}(tk_2^1[9])\) so that the active nibble in Cell 2 of \(A^{20}\) is equal to the active value \(\eta \) in Cells 10 and 14, since they are the output of the 19th-round MixColumns operation with one active input nibble. This is done by solving
$$\begin{aligned} \eta = A^{20}[2]\oplus \overline{A^{20}}[2] = S^{-1}\left( C^{20}[2]\oplus k^{20}[2]\right) \oplus S^{-1}\left( \overline{C^{20}}[2]\oplus k^{20}[2]\right) . \end{aligned}$$ (4)
11. The final condition to be satisfied is that the active nibble in Cell 8 of \(A^{19}\) has to be equal to \(\delta _1 \oplus L^9(\delta _2) = \gamma \).
$$\begin{aligned} \begin{aligned}\gamma&= S^{-1}\left( D^{19}[10]\right) \oplus S^{-1}\left( \overline{D^{19}}[10]\right) \\&= S^{-1}\left( A^{20}[6] \oplus A^{20}[14]\right) \oplus S^{-1}\left( \overline{A^{20}}[6] \oplus \overline{A^{20}}[14]\right) . \end{aligned} \end{aligned}$$ (5)
Note that \(A^{20}[6] = S^{-1}(C^{20}[6] \oplus k^{20}[6])\). And since \(\overline{A^{20}}[6] = A^{20}[6]\), solving Eq. (5) helps to determine \(k^{20}[6] = tk_1^1[10] \oplus L^{10}(tk_2^1[10])\).
The result follows since in Steps 1–4 a total fraction of \(2^{-28-4-4-4}=2^{-40}\) of the ciphertext pairs survives the filtering.
3.1 First Attack
Now, we put together the findings of Lemmas 3 and 4 into an attack procedure (see Fig. 8 in the appendix for details):
1. The attacker chooses the nibble values of the random base variable \(E^1\) in all locations except Cells 5, 7, 8, and 15.
2. She chooses fixed differences \(\delta _1, \delta _2\) satisfying \(\delta _1 = L^3(\delta _2)\).
3. For each choice of \((E^1[5]\), \(E^1[7]\), \(E^1[8]\), \(E^1[15])\) (\(2^{16}\) choices):
   - Calculate P by inverting the first round.
   - Query the 21-round encryption oracle for (P, K) and \((P, \overline{K})\).

So, for every choice of the base variable \(E^1\), we have \(2^{17}\) encryption calls. We can pair related plaintext and tweakey pairs in the following way: For every plaintext \(P_i\), choose a plaintext \(P_j\) so that the \(E^1\) values for \(P_i\) and \(P_j\) have a nonzero difference in all of Cells 5, 7, 8, and 15. For every \(P_i\), there exist \((2^4-1)^4 \approx 2^{15.6}\) such values of \(P_j\), and so \(2^{16+15.6} = 2^{31.6}\) pairs to work with. The attack now proceeds as follows. For each choice of \(P_i,P_j\) (\(2^{31.6}\) choices):
   - Denote \(P = P_i\) and \(\overline{P} = P_j\).
   - The attacker can choose \(\alpha \) and proceed with the steps of the above attack with one exception: She can no longer choose \(\varDelta _2\) as in Step 4 of Lemma 3, since she has already chosen \(P, \overline{P}, K, \overline{K}\).
   - With probability \(2^{-4}\) (as per Lemma 2), the plaintext pair satisfies Eq. (1) in Step 4 of Lemma 3 and she proceeds; otherwise, she aborts.
   - Request the ciphertext \(\overline{C}\) for \((\overline{P}, \overline{K})\) and the ciphertext C for (P, K).
   - If \(C \oplus \overline{C}\) does not pass the \(2^{-36}\) filter (Steps 1, 2, and 3 in Lemma 4), then abort and start again.
   - If they pass the filter, the attacker can guess seven tweakey cells (\(2^{28}\) guesses) and calculate 17 key/tweak cells as follows:

| # | Guessed | Rnd | Calculated | Rnd |
|---|---------|-----|------------|-----|
| 1 | \(tk_1^1[i] \oplus tk_2^1[i]\) for \(i=2,4,6\) | 1 | | |
| 2 | \(tk_1^1[i] \oplus L(tk_2^1[i])\) for \(i=8,12,15\) | 2 | | |
| 3 | \(tk_1^1[i] \oplus L^{10}(tk_2^1[i])\) for \(i=0\) | 21 | | |
| 4 | | | \(tk_1^1[i], ~tk_2^1[i]\) for \(i=7\) | 3 |
| 5 | | | \(tk_1^1[i], ~tk_2^1[i]\) for \(i=1,2,3,4 \) | 21 |
| 6 | | | \(tk_1^1[i]\oplus L^{10}(tk_2^1[i])\) for \(i=9,10\) | 20 |

The 17 tweakey nibbles used for elimination are therefore:
(a) \(tk_1^1[i], ~tk_2^1[i]\) for \(i=1,2,3,4,7 \)
(b) \(tk_1^1[i]\oplus L^{10}(tk_2^1[i])\) for \(i=9,10\)
(c) \(tk_1^1[i]\oplus L^{10}(tk_2^1[i])\) for \(i=0\)
(d) \(tk_1^1[i]\oplus L(tk_2^1[i]) \) for \(i=8,12,15\)
(e) \(tk_1^1[i]\oplus tk_2^1[i] \) for \(i=6\)

   - A fraction of \(2^{-4}\) of the tweakeys fulfills the condition required in Step 4 of Lemma 4.
   - Therefore, the attacker has a set of \(2^{28-4}=2^{24}\) wrong key candidates.

The above procedure is repeated with \(2^x\) chosen plaintexts until a single key solution remains for the 17 nibbles of the tweakey.
Complexity. For every base value of \(E^1\), the attacker makes \(2^{17}\) encryption calls. Out of these, she has \(2^{31.6}\) pairs to work with. For each pair, the attacker can then choose \(\alpha \) in \(2^4-1\) ways, which gives her around \(2^{35.6}\) initial guesses for the forward key nibbles \(k^1[1]\), \(k^1[3]\), and \(k^1[7]\), of which a fraction of \(2^{-4}\) passes the filter in Eq. (1). So, she has \(2^{31.6}\) pairs to work with. In fact, for every pair \((P_i, P_j)\) there is only one choice of \(\alpha \) going forward on average.
The attacker thus obtains \(2^{x-4.4+24}=2^{x+19.6}\) incorrect solutions for the 17 nibbles. To reduce the keyspace to 1 we need:
For this, we need \(x = 55\). So, the total number of encryption calls to 21-round SKINNY64/128 is \(2^{55+17} = 2^{72}\) and the total number of guesses is \(2^{74.6}\). We also need \(2^{68}\) memory accesses, which are negligible in the total complexity. The memory complexity is upper bounded by storing one bit per key candidate, which is therefore \(2^{68}\) bits. The memory for storing the approximately \(2 \cdot 2^{17}\) plaintexts and corresponding ciphertexts of a structure at any time is negligible.
3.2 22-Round Attack Under Partially Known Tweak
The attack above can be extended to 22-round SKINNY64/128 under the assumption that 48 of the 128 bits in the tweakey are publicly known tweak (see Fig. 9 in the appendix for details). In particular, we assume that \(tk_1^1[i], tk_2^1[i]\) for \(i = 8,11,12,13,14,15\) are reserved for the tweak. The remaining 80 bits constitute the secret key.
In this case, the attacker can add a round at the end (see Fig. 6 for details). Knowing six out of eight cells in the lower half of the tweakey blocks helps in the following way. From the ciphertext (i.e. \(E^{22}\)), one can revert the final round to compute \(E^{21}\) if we guess \(k^{22}[4,5]\), i.e. \(tk_1^1[9,10]\oplus L^{11}(tk_2^1[9,10])\). The attack is almost the same as the previous attack, except that the tweakey indices \(i = 8,11,12,13,14,15\) and their functions are known and need not be guessed.
1. Generate \(2^{31.6}\) plaintext/ciphertext pairs from every base choice of \(E^1\) and \(2^{17}\) encryption calls.
2. For each choice of \(P_i, P_j\) (\(2^{31.6}\) choices):
   - Denote \(P=P_i\) and \(\overline{P}=P_j\).
   - The attacker can choose \(\alpha \) and calculate \(k^1[1]\), \(k^1[3]\), and \(k^1[7]\) as per Step 3 of Lemma 3.
   - She can no longer choose \(\varDelta _2\) as in Step 4 of Lemma 3, since she has already chosen P, \(\overline{P}\), K, \(\overline{K}\).
   - With probability \(2^{-4}\), the plaintext pair satisfies Eq. (1) in Step 4 of Lemma 3 and she proceeds; otherwise, she aborts.
   - The attacker does not need to guess the Round 2 tweakey nibbles, since these are in the lower half of the tweakey blocks and therefore known.
   - Retrieve the ciphertext \(\overline{C}\) for \((\overline{P},\overline{K})\) and the ciphertext C for (P, K).
   - Guess \(k^{22}[4,5] = tk_1^1[9,10]\oplus L^{11}(tk_2^1[9,10])\) to get \(E^{21}\).
   - If \(E^{21}\oplus \overline{E^{21}}\) does not pass the \(2^{-36}\) filter, then abort and restart.
   - After determining \(k^{20}[2] = tk_1^1[9] \oplus L^{10}(tk_2^1[9])\) and \(k^{20}[6] = tk_1^1[10] \oplus L^{10}(tk_2^1[10])\) in Steps 10 and 11 of Lemma 4, the attacker can uniquely determine \(tk_1^1[9,10]\), since \(tk_1^1[9,10] \oplus L^{11}(tk_2^1[9,10])\) has already been guessed.
   - If they pass the filter, the attacker can guess six tweakey cells (\(2^{24}\) guesses) and calculate 16 key cells as follows:

| # | Guessed | Rnd | Calculated | Rnd |
|---|---------|-----|------------|-----|
| 1 | \(tk_1^1[i] \oplus tk_2^1[i] \) for \(i=2,4,6\) | 1 | | |
| 2 | \(tk_1^1[i] \oplus L^{10}(tk_2^1[i])\) for \(i=0\) | 21 | | |
| 3 | \(tk_1^1[i] \oplus L^{11}(tk_2^1[i])\) for \(i=9,10\) | 22 | | |
| 4 | | | \(tk_1^1[i], tk_2^1[i]\) for \(i = 7\) | 3 |
| 5 | | | \(tk_1^1[i], tk_2^1[i]\) for \(i = 1,2,3,4\) | 21 |
| 6 | | | \(tk_1^1[i], tk_2^1[i]\) for \(i = 9,10\) | 20 |

The 16 tweakey nibbles used for elimination are therefore:
(a) \(tk_1^1[i], tk_2^1[i]\) for \(i = 1,2,3,4,7,9,10\).
(b) \(tk_1^1[i] \oplus L^{10}(tk_2^1[i])\) for \(i = 0\).
(c) \(tk_1^1[i] \oplus tk_2^1[i] \) for \(i = 6\).

   - A fraction of \(2^{-4}\) of the tweakeys fulfills the condition in Step 4 of Lemma 4.
   - Therefore, the attacker has a set of \(2^{24-4} = 2^{20}\) wrong key candidates.

The procedure above is repeated with \(2^x\) chosen plaintexts until a single key solution remains for the 16 nibbles of the tweakey.
Complexity. For every base value of \(E^1\), the attacker makes \(2^{17}\) encryption calls. Out of these, she has \(2^{31.6}\) pairs to work with. For each pair, the attacker can then choose \(\alpha \) in \(2^4-1\) ways, which gives her around \(2^{35.6}\) initial guesses for the forward key nibbles \(k^1[1],k^1[3],k^1[7]\), of which only a fraction of \(2^{-4}\) passes the filter in Eq. (1). So, the attacker has \(2^{31.6}\) pairs to work with. In effect, for every pair \((P_i,P_j)\) there is only one choice of \(\alpha \) going forward on average.
The attacker thus obtains \(2^{x-4.4+20}=2^{x+15.6}\) incorrect solutions for the 16 nibbles. To reduce the keyspace to 1 we need:
For this, we need \(x = 54\). So, the total number of encryption calls to 22-round SKINNY64/128 is \(2^{54+17} = 2^{71}\). We also need \(2^{64}\) memory accesses, which are negligible in the total complexity. The memory complexity is upper bounded by storing one bit per key candidate, which is therefore \(2^{64}\) bits. The memory for storing the approximately \(2 \cdot 2^{17}\) plaintexts and corresponding ciphertexts of a structure at any time is negligible.
3.3 23-Round Attack Under Partially Known Tweak
We can extend the 22-round attack to a 23-round attack by prepending one round at the beginning. In order not to disturb the notation, we denote the additional round prepended at the beginning as the 0th round. That is, the 23 rounds are labelled as rounds 0 to 22, and the variables \(A^0,B^0\) etc. are defined as above. The plaintext is denoted by \(A^0\) and the ciphertext by \(E^{22}\). Note that, from the base value of \(E^1\), the plaintext can be calculated if we guess \(k^0[9,10]\).
There are two principal differences to the 22-round attack.
1. When the attacker guesses \(k^{22}[4,5]\), which is \(tk_1^1[9,10]\oplus L^{11}(tk_2^1[9,10])\), to invert the final round and obtain \(E^{21}\), he uniquely determines \(tk_1^1[9,10]\) and \(tk_2^1[9,10]\). This is because at the beginning of the outer loop \(k^0[9,10]\) has already been guessed by the attacker to invert the initial round.
2. Consequently, the attacker can no longer determine \(k^{20}[2] = tk_1^1[9] \oplus L^{10}(tk_2^1[9])\) and \(k^{20}[6] = tk_1^1[10] \oplus L^{10}(tk_2^1[10])\) using Steps 10 and 11 of Lemma 4. The probability that, with the given values of \(tk_1^1[9,10]\) and \(tk_2^1[9,10]\), Eqs. (4) and (5) are satisfied is \(2^{-8}\). This decreases the probability of the ciphertext filter from \(2^{-36}\) to \(2^{-44}\).
For each initial guess of \(k^0[9,10]\), the guessed and calculated key nibbles are:

| # | Guessed | Rnd | Calculated | Rnd |
|---|---------|-----|------------|-----|
| 1 | \(tk_1^1[i] \oplus tk_2^1[i] \) for \(i=2,4,6\) | 1 | | |
| 2 | \(tk_1^1[i] \oplus L^{10}(tk_2^1[i])\) for \(i=0\) | 21 | | |
| 3 | \(tk_1^1[i] \oplus L^{11}(tk_2^1[i])\) for \(i=9,10\) | 22 | | |
| 4 | | | \(tk_1^1[i], tk_2^1[i]\) for \(i = 7\) | 3 |
| 5 | | | \(tk_1^1[i], tk_2^1[i]\) for \(i = 1,2,3,4\) | 21 |

The 14 tweakey nibbles used for elimination are therefore:
(a) \(tk_1^1[i], tk_2^1[i]\) for \(i = 1,2,3,4,7\).
(b) \(tk_1^1[i] \oplus L^{10}(tk_2^1[i])\) for \(i = 0\).
(c) \(tk_1^1[i] \oplus tk_2^1[i] \) for \(i = 6\).
(d) \(tk_1^1[i] \oplus L^{11}(tk_2^1[i])\) for \(i=9,10\).

As before, a fraction of \(2^{-4}\) of the tweakeys fulfills the condition in Step 4 of Lemma 4. Therefore, the attacker has a set of \(2^{24-4} = 2^{20}\) wrong key candidates.
Complexity. For each iteration of the outer loop, the complexity is calculated as follows: For every base value of \(E^1\), the attacker makes \(2^{17}\) encryption calls. Out of those, she has \(2^{31.6}\) pairs to work with. For each pair, the attacker can then choose \(\alpha \) in \(2^4-1\) ways, which gives her around \(2^{35.6}\) initial guesses for the forward key nibbles \(k^1[1],k^1[3],k^1[7]\), of which only a fraction of \(2^{-4}\) passes the filter in Eq. (1). In effect, for every pair \((P_i,P_j)\) there is only one choice of \(\alpha \) going forward on average.
The attacker gets \(2^{x+31.6-44+20}=2^{x+7.6}\) incorrect solutions for the 14 nibbles. To reduce the keyspace to 1 we need:
We need \(x = 54\), leaving the total number of encryption calls to 22-round SKINNY64/128 at \(2^{54+17} = 2^{71}\). Multiplying this by \(2^8\) for the outer loop gives a total complexity of \(2^{71+8} = 2^{79}\), which is just short of exhaustive search for the 80-bit key. We also need \(2^{56+8}=2^{64}\) memory accesses, which are negligible in the total complexity. The memory complexity is upper bounded by storing one bit per key candidate, which is therefore \(2^{64}\) bits. The memory for storing the approximately \(2 \cdot 2^{17}\) plaintexts and ciphertexts of a structure is negligible.
4 Conclusion
In this paper, we outline related-key impossible-differential attacks against 21-round SKINNY64/128 as well as attacks on 22 and 23 rounds under the assumption of having 48 of the 128 tweakey bits as public tweak. Our attacks are based on an 11-round impossible-differential trail, to which we prepend six and append five rounds before and after the trail, respectively, to obtain an attack on 22 rounds. Finally, we can prepend a 23rd round under similar assumptions.
References
[1] Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers (2013). Cryptology ePrint Archive, Report 2013/404. http://eprint.iacr.org/
[2] Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: Cryptanalysis competition (2016). https://sites.google.com/site/skinnycipher/cryptanalysis-competition
[3] Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53008-5_5
[4] Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_2
[5] Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_15
[6] Knudsen, L.: DEAL - A 128-bit Block Cipher. In: NIST AES Proposal (1998)
[7] Liu, G., Ghosh, M., Ling, S.: Security Analysis of SKINNY under Related-Tweakey Settings (2016). Cryptology ePrint Archive, Report 2016/1108. http://eprint.iacr.org/2016/1108
[8] Sadeghi, S., Mohammadi, T., Bagheri, N.: Cryptanalysis of Reduced-round SKINNY Block Cipher (2016). Cryptology ePrint Archive, Report 2016/1120. http://eprint.iacr.org/2016/1120
[9] Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). doi:10.1007/978-3-319-57339-7_7
Acknowledgements
This work was initiated during the group sessions of the 6th Asian Workshop on Symmetric Cryptography (ASK 2016) held in Nagoya, Japan. Ralph Ankele is supported by the European Union's Horizon 2020 research and innovation programme under grant agreement No. H2020-MSCA-ITN-2014-643161 ECRYPT-NET. Gaoli Wang is supported by the National Natural Science Foundation of China (Grant Nos. 61572125, 61373142) and the Shanghai High-Tech Field Project (Grant No. 16511101400). Siang Meng Sim is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06). This work has been supported in part by the Austrian Science Fund (project P26494-N15).
© 2017 Springer International Publishing AG
Ankele, R. et al. (2017). Related-Key Impossible-Differential Attack on Reduced-Round SKINNY. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds) Applied Cryptography and Network Security. ACNS 2017. Lecture Notes in Computer Science, vol 10355. Springer, Cham. https://doi.org/10.1007/978-3-319-61204-1_11