# Probabilistic Slide Cryptanalysis and Its Applications to LED-64 and Zorro

## Abstract

This paper aims to enhance the application of the slide attack, one of the best-known cryptanalysis methods that exploit the self-similarity of a block cipher. The typical countermeasure against slide cryptanalysis is to use round-dependent constants. We present a new probabilistic technique and show how to overcome round-dependent constants in a slide attack against a block cipher based on the general Even-Mansour scheme with a single key. Our technique can potentially break more rounds than any previously known cryptanalysis for a specific class of block ciphers. We show that employing round constants is not always sufficient to provide security against slide-type cryptanalysis; the relation between the round constants should also be taken into account. To demonstrate the impact of our model we analyse two round-reduced block ciphers, LED-64 and Zorro, presented at CHES 2011 and CHES 2013, respectively. As a first application we recover the key for 16 rounds of Zorro. This result improves on the best cryptanalysis presented by the designers, which could be applied to up to 12 of its 24 rounds. In the case of LED-64 the cryptanalysis leads to the best results on 2-step reduced LED-64 in the known-plaintext model.

## Keywords

Block cipher, Slide attack, Zorro, LED-64, Even-Mansour

## 1 Introduction

Block ciphers can be attacked using a large variety of attacks employing different properties of the ciphers. Statistical cryptanalysis such as differential [4] and linear [25] attacks makes use of non-random characteristics of the cipher, and the complexity of the attack increases as more rounds are added to the cipher. In contrast, self-similarity cryptanalysis techniques are applicable to a small class of block ciphers and the complexity of the attacks is usually independent of the number of rounds. Self-similarity attacks exploit weaknesses of the key schedule rather than non-random statistical properties of the cipher. *Slide cryptanalysis* is a well-known example of such techniques; it utilizes the symmetry properties of the cipher [7]. If an iterative block cipher with identical round functions has a periodic key schedule, it can be presented as a cascade of repeated copies of a single function \(F_k\) with an identical key \(k\), where \(F_k\) consists of one or more rounds of the cipher. Slide attacks are based on the observation that if two plaintexts \(P\) and \(P'\) satisfy the relation \(P'=F_k(P)\), then \(C'=F_k(C)\) holds for free. Such a pair \(((P,C),(P',C'))\) is called a *slid pair*. Given a slid pair, the security of the cipher is reduced to finding the key of the function \(F_k\) in the known-plaintext model. In general, \(2^{n/2}\) known plaintexts are required to find at least one slid pair for an \(n\)-bit block cipher. The total time complexity of the cryptanalysis consists of the complexities of three steps: preparing the required data, detecting a slid pair, and finally obtaining the key from the slid pair.

Slide attacks and other self-similarity cryptanalysis can be prevented by a careful design of the key schedule. But a strong key schedule cannot be achieved for free: it has an impact on latency, power consumption and the size of the implementation. Therefore the designers of lightweight ciphers such as PRINTcipher [23], LED [20], PRINCE [11] and Zorro [17] adopted another direction to establish security against self-similarity cryptanalysis. They introduced round-dependent constants, added to the data input at each round, to make the rounds different. Then a single master key is simply added after every fixed number of rounds, called a *step*. Even though in such a construction each step has the same structure and the key used at every step is the same, the computation at each step is varied by the round constants. In this manner, slide cryptanalysis can be prevented.

Such a cipher construction can be seen as an instance of the generalized Even-Mansour scheme [15] with a single key. It is defined as \(C=E_K(P)=F_s(\cdots F_2(F_1(P\oplus K)\oplus K)\oplus K \cdots \oplus K)\), where the \(F_i\) are constructed as cascades of the same fixed permutations but with different round constants. In this work, we investigate the security of this cipher structure and develop a new statistical variant of slide cryptanalysis. The idea is to slide one instance of encryption against another instance of encryption by one step and investigate whether, for a pair \(((P,C),(P',C'))\), it is possible to predict, with significant probability, the difference \(C\oplus F_s(C'\oplus K)\) given the difference \(P'\oplus F_1(P\oplus K)\). By taking a probabilistic approach we can circumvent the devastating effect that different round constants have on deterministic slide cryptanalysis.

Potentially, the described attack has two main advantages compared to classical differential cryptanalysis. The first one is that the attacker has more freedom to control the active S-boxes. If the differences in the round constants and in the data are identical, they cancel each other, which leads to a smaller number of active S-boxes in the characteristic. An example of such a situation is given in Sect. 4.2 for LED-64. While it is proved that a normal differential characteristic over four rounds has at least 25 active S-boxes, we can find differential characteristics of LED-64 over four iterative rounds which in our slide setting have just 13 active S-boxes. We also note that even though we exploit a kind of related-key differential characteristic, our attack is in the single-key model, since we exploit the relation between the round constants instead of between keys to control the differential pattern. The second merit is the existence of an efficient key-recovery method for our model. As each step of our target ciphers consists of several rounds, it is hard to convert a distinguisher into a key-recovery attack over more steps by guessing just a part of the key. But we present an efficient method to obtain the key of \(s\) steps of the cipher based on the differential property in slide mode for \(s-1\) steps.

Table 1. Summary of single-key attacks on round-reduced LED-64 and Zorro

| Cipher | Attack Type | Steps | Data | Time | Memory | Source |
|---|---|---|---|---|---|---|
| Zorro | Impossible differential | 2.5 | \(2^{115}\) CP | \(2^{115}\) | \(2^{115}\) | [17] |
| | Meet-in-the-middle | 3 | \(2^2\) KP | \(2^{104}\) | - | [17] |
| | Probabilistic slide | 4 | \(2^{123.62}\) KP | \(2^{123.8}\) | \(2^{123.62}\) | Sect. 4.1 |
| | Probabilistic slide | 4 | \(2^{121.59}\) KP | \(2^{124.23}\) | \(2^{121.59}\) | Sect. 4.1 |
| | Internal differential\(^\mathrm{a}\) | 6 | \(2^{54.25}\) CP | \(2^{54.25}\) | \(2^{54.25}\) | [19] |
| LED-64 | Meet-in-the-middle | 2 | \(2^8\) CP | \(2^{56}\) | \(2^{11}\) | [21] |
| | Meet-in-the-middle | 2 | \(2^{16}\) CP | \(2^{48}\) | \(2^{17}\) | [13] |
| | Meet-in-the-middle | 2 | \(2^{48}\) KP | \(2^{48}\) | \(2^{48}\) | [13] |
| | Generic | 2 | \(2^{45}\) KP | \(2^{60.1}\) | \(2^{60}\) | [14] |
| | Probabilistic slide | 2 | \(2^{45.5}\) KP | \(2^{46.5}\) | \(2^{46.5}\) | Sect. 4.2 |
| | Probabilistic slide | 2 | \(2^{41.5}\) KP | \(2^{51.5}\) | \(2^{42.5}\) | Sect. 4.2 |
| | Generic | 3 | \(2^{49}\) KP | \(2^{60.2}\) | \(2^{60}\) | [14] |

Some previous cryptanalyses of LED-64 do not exploit any specific property of the cipher. In [27] it is shown that the behavior of the function \(x\oplus F(x)\), for a random permutation \(F\), is not ideally random, and this fact is exploited in a generic attack on the EM-construction with two alternating keys. The result is improved in [14] via a generic attack on a 3-step EM-construction with a single key. This attack is independent of the permutations but has high complexity. An accelerated exhaustive search for the 2-step reduced version of LED-64 is presented in [21] in the chosen-plaintext model. Our attack requires only known plaintexts and has a much lower time complexity. Recently, in parallel to our work, an advanced meet-in-the-middle cryptanalysis of a 2-step version of LED-64 was presented in the IACR ePrint Archive [13], but it is slightly slower than our cryptanalysis in the known-plaintext model.

Zorro was presented recently at CHES 2013. It is a tweaked version of the standard block cipher AES and targets efficient masking, to establish side-channel security with better performance. The best key-recovery cryptanalysis so far was presented by the designers in the classical single-key model; it is a meet-in-the-middle attack on 12 rounds. We carry out the first third-party cryptanalysis of Zorro and mount a key-recovery cryptanalysis on 16 rounds of Zorro. Let us also mention that simultaneously a cryptanalysis of the full Zorro is presented in [19]. It works for a fraction of \(2^{64}\) out of \(2^{128}\) keys in the weak-key model and requires chosen plaintexts, whereas our result works for all keys in the known-plaintext model.

This paper is organized as follows. In Sect. 2, we start by recalling the typical slide cryptanalysis and previous works, and then continue to introduce the basic concepts of our method. In Sect. 3, we describe the target ciphers Zorro and LED briefly. Section 4 gives an overview of our strategy to construct a distinguisher followed by applications of the probabilistic slide cryptanalysis on step-reduced Zorro and LED-64. We conclude in Sect. 5.

## 2 Slide Cryptanalysis

### 2.1 Basic Idea

*slid pair*. For an \(n\)-bit block cipher, \(P'=F(P)\) occurs with probability \(2^{-n}\). Given \(2^{n/2}\) plaintext-ciphertext pairs \((P,C)\) there exist \(2^n\) pairs, so one slid pair is expected. To convert the distinguisher into a key-recovery cryptanalysis, the only requirement on \(F_k\) is that it be weak enough against known-plaintext cryptanalysis.

### 2.2 Previous Works

Since basic slide cryptanalysis is too restrictive an approach, several developments have been proposed to enhance the basic idea. Two advanced techniques, termed *sliding with a twist* and *complementation slide*, are presented by Biryukov and Wagner [8]. If two keys are used alternately in a Feistel cipher, then we can slide two instances of encryption against each other by one round to cancel the difference between the keys by the complementation slide property. In slide-with-a-twist cryptanalysis an instance of decryption is slid against an instance of encryption. This technique is applicable to another class of ciphers.

This idea is extended to introduce a weak-key class of involution block ciphers in [5]. In [28] Feistel ciphers with independent pre- and post-whitening keys are studied, and it is shown that there is a cryptanalysis with time and data complexity \(n2^{n/2\,+1}\). Furuya uses the observation presented in [8] that if \((P,P')\) is a slid pair, then \((F_K(P),F_K(P'))\) is also a slid pair. This technique provides more known plaintexts to mount efficient slide cryptanalysis on more complicated functions \(F_K\) [16]. Biham et al. pursue another direction which allows finding a slid pair much faster at the cost of almost the whole codebook [3]. In yet another direction, slide cryptanalysis can be leveraged to a distinguisher on hash functions, as is done for the inner component of SHA-1 [30]. It does not seem useful for collision or (second) preimage cryptanalysis but works for distinguishing and also for key recovery in MAC mode [18].

To the best of our knowledge, this paper is the first application of probabilistic slide cryptanalysis in the single-key model. In [8] it is suggested to use a differential property of the identical function to find the key from a slid pair, which is a different approach and has not been applied in practice. Also, in [29] the method of *realigning slide cryptanalysis* is presented to pass the middle round in a nondeterministic way in the related-key scenario.

### 2.3 Probabilistic Slide Cryptanalysis

In this section we present our new technique, which combines a usual slide attack with differential-type characteristics. We focus our attention on an \(n\)-bit block cipher with the general Even-Mansour construction that consists of \(s\) different permutations and one key. Analogously to the basic slide distinguisher, we consider an encryption instance and slide it against another instance of the same encryption by one step. Due to the differences between the round functions, basic slide cryptanalysis is not applicable. Assume there exists a sequence of differences \(\mathcal {D}=\lbrace \varDelta _r: 0\le r\le s-1 \rbrace \) such that \(\Pr [F_{r}(x)\oplus F_{r-1}(x\oplus \varDelta _{r-2})=\varDelta _{r-1}]=2^{-p_{r-1}}\), where \(0\le p_r\) and \(2\le r \le s\). Thanks to the equality of the keys we obtain a differential-type characteristic by concatenating the differences in \(\mathcal {D}\). This characteristic has probability \(2^{-p}=\prod _{r=1}^{s-1}2^{-p_r}\). So \(F_{s-1}\circ \cdots \circ F_1(x) \oplus F_s\circ \cdots \circ F_2(x\oplus \varDelta _{in})=\varDelta _{out}\) holds with probability \(2^{-p}\), where \(\varDelta _{in}=\varDelta _0\) and \(\varDelta _{out}=\varDelta _{s-1}\), as illustrated in Fig. 2. In other words, if a pair \((P,P')\) satisfies \(F_1(P\oplus K)\oplus P'=\varDelta _{in}\), then \(C\oplus F_s^{-1}(C'\oplus K)=\varDelta _{out}\) occurs with probability \(2^{-p}\).

*right slid pair*. Given \(2^m=2^{n/2+p/2}\) known plaintexts there exist \(2^{n+p}\) pairs, of which \(2^p\) are expected to satisfy the relation \(F_1(P\oplus K)\oplus P'=\varDelta _{in}\) for the unknown key. The right slid pairs are among them. Since the input difference \(\varDelta _{in}\) yields the output \(\varDelta _{out}\) with probability \(2^{-p}\), we expect to get one right slid pair for the characteristic.

**Key-Recovery.** Next we describe the key-recovery algorithm. For a correct slid pair \(((P,C),(P',C'))\) we have

1. Ask for the encryption of \(2^m=2^{n/2+p/2}\) arbitrary plaintexts.
2. For all plaintext-ciphertext pairs \((P,C)\) compute the value of \(C\oplus F^{-1}_1(P\oplus \varDelta _{in})\) and store the computed value with the corresponding \(C\) in the hash table \(T_1\). Sort them according to the value \(C\oplus F^{-1}_1(P\oplus \varDelta _{in})\).
3. For all plaintext-ciphertext pairs \((P,C)\) compute the value of \(P\oplus F_s(\varDelta _{out}\oplus C)\) and store the computed value with \(C\) in the hash table \(T_2\). Sort them according to the value \(P\oplus F_s(\varDelta _{out}\oplus C)\). Keep some \((P,C)\) pairs to test the key candidates.
4. For each collision in the hash tables \(T_1\) and \(T_2\) find the corresponding ciphertexts \(C\) and \(C'\), then compute a key candidate \(K=C'\oplus F_s(C\oplus \varDelta _{out})\). Use a \((P,C)\) pair to test the key.

Step 1 requires \(2^m\) full encryptions. To prepare each hash table we compute one step of the cipher for all known plaintexts, so Steps 2 and 3 together require \(2\cdot 2^m/r\) full encryptions (one step of the \(r\)-step cipher costs \(1/r\) of a full encryption). We expect to have \(2^{2m-n}= 2^{p}\) key candidates to try in Step 4, which requires \(2^p\) encryptions. The total time complexity is \(2^m+2^{m+1}/r+2^p\). To perform the attack, one needs two hash tables \(T_1\) and \(T_2\), each storing \(2^m\) ordered pairs of \(n\)-bit values.

**More Output Differences.** In this part we study the improvements of the described distinguisher. A natural improvement is to consider a differential instead of a single differential characteristic, and try to improve the estimate of the differential probability.

Another approach is to consider \(L\) different output differences \(\varDelta ^i_{out}\), \(i\in \lbrace 1,\cdots , L \rbrace \), to decrease the data requirement by increasing the total probability. This comes at the cost of repeating the attack algorithm \(L\) times and a small increase in the memory requirement. Without loss of generality we can assume that each output difference \(\varDelta ^i_{out}\) occurs with equal probability \(2^{-p}\) for a fixed input difference \(\varDelta _{in}\), that is, if \(F_1(P\oplus K)\oplus P'=\varDelta _{in}\), then \(C\oplus F_r^{-1}(C'\oplus K)=\varDelta _{out}^i\) holds with probability \(2^{-p}\) for all \(i\in \lbrace 1,\cdots , L \rbrace \). If the probabilities are not equal, order the output differences in decreasing order of probability.

1. Get encryptions \(C\) of \(2^m\) arbitrary plaintexts \(P\).
2. For all pairs \((P,C)\) compute the value of \(C\oplus F^{-1}_1(P\oplus \varDelta _{in})\) and store the computed value with \(P\) and \(C\) in a hash table \(T_1\). Sort them according to the value \(C\oplus F^{-1}_1(P\oplus \varDelta _{in})\).
3. For \(i\in \lbrace 0,\cdots ,2^\ell \rbrace \):
    1. Allocate \(2\cdot 2^m\) memory for the hash table \(T_2\).
    2. For all plaintext-ciphertext pairs \((P,C)\) compute the value of \(P\oplus F_s(\varDelta _{out}^i\oplus C)\) and store the computed value and the corresponding \(C\) in the hash table \(T_2\). Sort them based on the value \(P\oplus F_s(\varDelta _{out}^i\oplus C)\).
    3. For each collision in the hash tables \(T_1\) and \(T_2\) find the corresponding ciphertexts \(C\) and \(C'\), then compute the key candidate as \(K=C'\oplus F_s(C\oplus \varDelta _{out}^i)\). Given some \(P\) and \(C\), test the key.
    4. If all key candidates are wrong, free the allocated memory of \(T_2\).

We denote by \(\ell \) the logarithm of \(L\). Since \(\Pr [C\oplus F_r^{-1}(C'\oplus K)=\varDelta _{out}^i \text { for some } i\in \lbrace 1,\cdots , 2^\ell \rbrace \mid F_1(P\oplus K)\oplus P'=\varDelta _{in}]=2^{\ell -p} \), the attack requires \(2^m=2^{n/2+(p-\ell )/2}\) known plaintexts. The time complexity is \(2^m+2^m/r+2^\ell (2^m/r+2^{2m-n})\) encryptions, which is dominated by \(2^\ell (2^m/r+2^{2m-n})\). Given \(L\) output differences, any number of them can be used in the attack, allowing a trade-off between data and time complexity. The memory requirement is the same for all \(L> 1\). To perform the attack, one needs two hash tables \(T_1\) and \(T_2\), where \(T_1\) is used to store \(2^m\) triplets of \(n\)-bit values and \(T_2\) to store \(2^m\) ordered pairs of \(n\)-bit values.
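To make the key-recovery algorithm and its extension to several output differences concrete, here is an added Python example (it is not the paper's code) on a constructed 16-bit toy cipher in the single-key Even-Mansour shape of this section: \(s=3\) steps of two rounds, each round AddConstants, the LED S-box of Table 2 applied to every nibble, and a 5-bit rotation as linear layer. The round constants \(RC_1,\ldots,RC_6\), the key and the data are all made up, and the constants are deliberately chosen so that \(RC_r\oplus RC_{r+2}\) is zero or a single nibble. The example computes the exact probability of the one-step slide characteristic by running all \(2^n\) values \(x\) through \(F_{s-1}\circ\cdots\circ F_1(x\oplus\varDelta_{in})\) and \(F_s\circ\cdots\circ F_2(x)\), then performs the \(T_1/T_2\) key recovery once per output difference as in steps 3.1–3.4. Names such as `slide_differential` and `recover_key` are the example's own.

```python
"""Probabilistic slide key recovery (Sect. 2.3) on a constructed 16-bit toy cipher.

Everything here is made up for illustration: a single-key Even-Mansour cipher with
s = 3 steps of two rounds each, the LED S-box of Table 2 applied nibble-wise, a
5-bit rotation as linear layer, and deliberately related round constants."""
import math
import random

N = 16                      # toy block size in bits (four nibbles)
MASK = (1 << N) - 1
STEPS = 3                   # s = 3; the same 16-bit key K is XORed after every step
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Constructed round constants RC_1..RC_6 (index 0 unused), all in nibble 0.  They are
# badly related on purpose: RC_r xor RC_{r+2} is 0 for r = 2 and one nibble otherwise.
RC = [None, 0x1, 0x2, 0x3, 0x2, 0x1, 0x4]

def _layer_table(box):
    """Whole-state SubCells lookup table (built once so the toy runs fast)."""
    return [sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
            for x in range(1 << N)]

SC, SC_INV = _layer_table(SBOX), _layer_table(INV_SBOX)

def rotl(x, k):
    """Linear layer: rotate the 16-bit state left by k bits."""
    return ((x << k) | (x >> (N - k))) & MASK

def step(x, i):
    """F_i: rounds 2i-1 and 2i, each AddConstants -> SubCells -> linear layer."""
    for r in (2 * i - 1, 2 * i):
        x = rotl(SC[x ^ RC[r]], 5)
    return x

def step_inv(x, i):
    """F_i^{-1}: undo the two rounds of step i in reverse order."""
    for r in (2 * i, 2 * i - 1):
        x = SC_INV[rotl(x, N - 5)] ^ RC[r]
    return x

def encrypt(p, k):
    """C = F_s(... F_2(F_1(P xor K) xor K) ...) xor K."""
    x = p ^ k
    for i in range(1, STEPS + 1):
        x = step(x, i) ^ k
    return x

def slide_differential(d_in, top=4):
    """Exact probability over all 2^n inputs x that
         F_{s-1} o ... o F_1(x xor d_in)  xor  F_s o ... o F_2(x)  ==  d_out,
    i.e. the keyless one-step slide characteristic of Sect. 2.3.  Returns the `top`
    output differences as (d_out, p) with probability 2^-p, most likely first."""
    counts = {}
    for x in range(1 << N):
        lagging, leading = x ^ d_in, x
        for i in range(1, STEPS):
            lagging, leading = step(lagging, i), step(leading, i + 1)
        d = lagging ^ leading
        counts[d] = counts.get(d, 0) + 1
    best = sorted(counts.items(), key=lambda kv: -kv[1])[:top]
    return [(d, math.log2((1 << N) / c)) for d, c in best]

def recover_key(known, d_in, d_outs, checks=3):
    """Key recovery of Sect. 2.3 from a list of known (P, C) pairs, repeated once per
    output difference as in steps 3.1-3.4 of the extended algorithm.  Returns K or None."""
    probe = known[:checks]          # a few pairs kept to test key candidates
    # T1: every pair in the role of (P', C'), keyed by C' xor F_1^{-1}(P' xor d_in)
    t1 = {}
    for p, c in known:
        t1.setdefault(c ^ step_inv(p ^ d_in, 1), []).append(c)
    for d_out in d_outs:
        # T2: every pair in the role of (P, C), keyed by P xor F_s(C xor d_out)
        t2 = {}
        for p, c in known:
            t2.setdefault(p ^ step(c ^ d_out, STEPS), []).append(c)
        for v, cs in t2.items():    # a collision T1 == T2 suggests a slid pair
            for c2 in t1.get(v, ()):
                for c in cs:
                    k = c2 ^ step(c ^ d_out, STEPS)   # K = C' xor F_s(C xor d_out)
                    if all(encrypt(pp, k) == cc for pp, cc in probe):
                        return k
    return None

if __name__ == "__main__":
    d_in = RC[1] ^ RC[3]        # cancels the constant difference in the first compared round
    best = slide_differential(d_in)
    for d_out, p in best:
        print(f"d_in={d_in:#06x} d_out={d_out:#06x} probability 2^-{p:.2f}")
    p = best[0][1]
    m = math.ceil(N / 2 + p / 2) + 2     # the paper's 2^{n/2+p/2}, times 4 for a reliable demo
    key = random.Random(2024).randrange(1 << N)
    plaintexts = random.Random(7).sample(range(1 << N), 1 << m)
    known = [(pt, encrypt(pt, key)) for pt in plaintexts]
    found = recover_key(known, d_in, [d for d, _ in best])
    print(f"{len(known)} known plaintexts: key={key:#06x} recovered={found}")
```

With \(\varDelta_{in}=RC_1\oplus RC_3\) the first compared round is difference-free, \(RC_2=RC_4\) keeps the second one difference-free as well, and only the last two rounds cost probability, so the best \(\varDelta_{out}\) on this toy has probability around \(2^{-5}\) and \(2^{n/2+p/2}\approx 2^{10.5}\) known plaintexts are expected to contain one right slid pair. Choosing constants with \(RC_r=RC_{r+2}\) for every \(r\) makes every difference cancel and the slide becomes deterministic, which is why the relation between the constants, not merely their presence, decides the outcome.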

## 3 Target Ciphers

In this section we present a brief description of the block ciphers to be analyzed. We describe first the block cipher Zorro and continue with the description of the block cipher LED, and finally introduce the notation to be used in this paper.

### 3.1 Description of Zorro

Zorro is a 128-bit block cipher and supports a 128-bit key. The state can be illustrated as a \(4\times 4\) matrix where each cell represents a byte. Zorro is a generalized Even-Mansour cipher consisting of 6 steps. There is no key schedule, and after each step the same key is XORed to the state. Each step is composed of 4 rounds. One round consists of four transformations. One is the addition of the round constant and the other three are borrowed from the AES; they are applied in the following order.

1. SubCells: A byte-wise transformation that applies an 8-bit S-box to each byte of the first row.
2. AddConstants: XOR operation between the first row of the state and the current round constant. Let \(r\) be the number of the current round represented as a byte, for \(1\le r \le 24\). Then the round constant is defined as \(r\parallel r\parallel r\parallel r\, \ll 3\).
3. ShiftRows: A linear transformation that cyclically shifts the \(i\)-th row \(i\) bytes to the left.
4. MixColumns: A linear transformation represented by a \(4\times 4\) matrix over \(GF(2^8)\).

The last two operations are exactly like in the AES. For the definition of S-box and more details we refer to [17].

### 3.2 Description of LED

LED is a 64-bit block cipher. Its two main variants are LED-64 and LED-128, which support key sizes of 64 and 128 bits, respectively. The 64-bit state is represented by a \(4 \times 4\) matrix, where each cell represents a nibble in \(GF(2^4)\). The construction of LED-64 is a generalized Even-Mansour scheme with one key and 8 steps. Each step includes four rounds. Each round consists of four transformations, of which three are inspired by the AES.

1. AddConstants adds a round-dependent constant to the state. To construct the round constants one proceeds as follows. A string of six bits \((rc_5, rc_4, rc_3, rc_2, rc_1, rc_0)\) is initialized to zero. Then at each round, the bits are shifted to the left by one position, and the new value of \(rc_0\) is computed as \(rc_5\oplus rc_4\oplus 1\). Let us denote by \((ks_7, ks_6, \ldots, ks_0)\) the bits of the byte that represents the key size. Then the corresponding round constant is defined as follows.

\[
\left[\begin{array}{cccc}
ks_7||ks_6||ks_5||ks_4 & 0||rc_5||rc_4||rc_3 & 0 & 0 \\
ks_7||ks_6||ks_5||ks_4\oplus 1 & 0||rc_2||rc_1||rc_0 & 0 & 0 \\
ks_3||ks_2||ks_1\oplus 1||ks_0 & 0||rc_5||rc_4||rc_3 & 0 & 0 \\
ks_3||ks_2||ks_1\oplus 1||ks_0\oplus 1 & 0||rc_2||rc_1||rc_0 & 0 & 0
\end{array}\right]
\]

2. SubCells applies the same 4-bit to 4-bit S-box, given in Table 2, in parallel to each of the 16 nibbles of the state.

3. ShiftRows cyclically rotates the \(i\)-th row by \(i\) nibble(s) to the left.

4. MixColumns multiplies each column by the MDS matrix \(M=\left[ \begin{array}{llll} \mathtt{4}&\mathtt{1}&\mathtt{2}&\mathtt{2}\\ \mathtt{8}&\mathtt{6}&\mathtt{5}&\mathtt{6}\\ \mathtt{B}&\mathtt{E}&\mathtt{A}&\mathtt{9}\\ \mathtt{2}&\mathtt{2}&\mathtt{F}&\mathtt{B}\\ \end{array}\right]\) over the field \(GF(2^4)\) under the polynomial \(x^4+x+1\).

Table 2. S-box of LED

| \(x\) | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| S-box(\(x\)) | C | 5 | 6 | B | 9 | 0 | A | D | 3 | E | F | 8 | 4 | 7 | 1 | 2 |

### 3.3 Notations

Each step of Zorro and LED has four rounds. In our cryptanalysis, we slide two instances of encryption against each other by one step and compare their states. Let us denote by \(RC_r\) the round constant in the \(r\)-th round and by \(DRC_r\) the difference between the round constants in rounds \(r\) and \(r+4\). Then \(DRC_r=RC_r\oplus RC_{r+4}\). Let us note that in Zorro this difference has only four non-zero bytes \(DRC_r(0,1,2,3)\), on the first row. Similarly, the round-constant difference \(DRC_r\) of LED can have non-zero nibbles only in the second column, \(DRC_r(1,5,9,13)\). Throughout the paper, SC, SR, MC and AC stand for the SubCells, ShiftRows, MixColumns and AddConstants operations.
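The claims about where \(DRC_r\) can be non-zero follow directly from the round-constant definitions in Sects. 3.1 and 3.2 and are easy to check mechanically. The following Python is an added example reconstructed from those descriptions (it is not the designers' reference code): it generates the constants for LED-64 and Zorro, forms \(DRC_r=RC_r\oplus RC_{r+4}\) for every round that has a round four positions later, and reports which cells of the \(4\times 4\) state are ever affected. Its assumptions are the row-major cell numbering (cell \(4\cdot\mathrm{row}+\mathrm{col}\), so the first row is cells 0–3 and the second column is cells 1, 5, 9, 13), the byte value 0x40 for the key size of LED-64, and the reading of the LED register update in which \(rc_5\) and \(rc_4\) are taken from the register before the shift, which reproduces the published LED constant sequence 01, 03, 07, 0F, 1F, 3E, 3D.

```python
"""Round constants of LED and Zorro and their one-step differences DRC_r (Sect. 3.3).

Reconstructed from the descriptions in Sect. 3 as an added example (not the designers'
code).  States are 4x4 matrices stored row-major: cell 4*row + col, so the first row is
cells 0..3 and the second column is cells 1, 5, 9, 13."""

STEP_ROUNDS = 4             # both ciphers add the key after every four rounds

def led_round_constants(key_bits=64, rounds=32):
    """LED round-constant matrices for rounds 1..rounds (list index 0 unused).

    The 6-bit register (rc5..rc0) starts at zero; every round it is shifted left by one
    and the new rc0 is rc5 xor rc4 xor 1, taken from the register before the shift (this
    reading reproduces the published sequence 01, 03, 07, 0F, 1F, 3E, 3D, ...)."""
    ks = key_bits & 0xFF                          # the byte ks7..ks0 encoding the key size
    hi, lo = ks >> 4, ks & 0xF                    # ks7||ks6||ks5||ks4 and ks3||ks2||ks1||ks0
    first_col = [hi, hi ^ 1, lo ^ 2, lo ^ 3]      # rows 0..3 of the first column
    consts, rc = [None], 0
    for _ in range(rounds):
        new_bit = ((rc >> 5) ^ (rc >> 4) ^ 1) & 1
        rc = ((rc << 1) & 0x3F) | new_bit
        top, bottom = (rc >> 3) & 0x7, rc & 0x7   # 0||rc5||rc4||rc3 and 0||rc2||rc1||rc0
        state = [0] * 16
        for row in range(4):
            state[4 * row] = first_col[row]
            state[4 * row + 1] = top if row % 2 == 0 else bottom
        consts.append(state)
    return consts

def zorro_round_constants(rounds=24):
    """Zorro round-constant matrices: first row r || r || r || (r << 3), other rows zero."""
    return [None] + [[r, r, r, (r << 3) & 0xFF] + [0] * 12 for r in range(1, rounds + 1)]

def one_step_differences(consts, step_rounds=STEP_ROUNDS):
    """DRC_r = RC_r xor RC_{r+4} for every round r such that r+4 is still a round."""
    return {r: [a ^ b for a, b in zip(consts[r], consts[r + step_rounds])]
            for r in range(1, len(consts) - step_rounds)}

def nonzero_cells(diffs):
    """Cells that are non-zero in at least one DRC_r, i.e. where a slide is disturbed."""
    return {i for d in diffs.values() for i, v in enumerate(d) if v}

def show(matrix):
    """Render a 4x4 state as four rows of hex cells."""
    return "\n".join(" ".join(f"{matrix[4 * row + col]:02x}" for col in range(4))
                     for row in range(4))

if __name__ == "__main__":
    led, zorro = led_round_constants(), zorro_round_constants()
    led_d, zorro_d = one_step_differences(led), one_step_differences(zorro)
    print("LED-64 RC_1:\n" + show(led[1]))
    print("LED-64 DRC_1 = RC_1 xor RC_5:\n" + show(led_d[1]))
    print("LED-64 cells ever active in DRC_r:", sorted(nonzero_cells(led_d)))
    print("Zorro DRC_1 = RC_1 xor RC_5:\n" + show(zorro_d[1]))
    print("Zorro cells ever active in DRC_r:", sorted(nonzero_cells(zorro_d)))
```

The first column of the LED constant is the same in every round (it depends only on the key size, giving 4, 5, 2, 3 for LED-64), so it cancels in \(DRC_r\) and only the second column survives; in Zorro every cell of the first row of \(DRC_r\) is non-zero for the rounds considered.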

## 4 Applications of the Probabilistic Slide Cryptanalysis

Our aim is to find a differential-type characteristic with high probability between two slid instances of the cipher, as depicted in Fig. 2. Finding the differential characteristic with the highest probability among all possible choices is a challenging problem in general, since even an automatic search over the whole space is not feasible. There are some techniques to make this simpler and to speed up the search effectively. Matsui presents an algorithm to find the best differential characteristic and linear approximation in [26]. The algorithm uses a branch-and-bound method recursively to find the \(r\)-round characteristic of DES with the highest probability based on the best \((r-1)\)-round characteristics. The algorithm is not feasible for all ciphers, but its main principles have been adopted widely in several works (see for example [1, 6, 9, 10]). The probability of a differential characteristic is governed by the number of active S-boxes involved. One direction for word-oriented block ciphers and hash functions is to find a general pattern of active and inactive differences, consistent with the properties of the cipher, such that the number of active S-boxes is as small as possible. Next, a differential characteristic with specific difference values for the existing pattern can be found by guess-and-determine methods. In this section we explore this approach for the two block ciphers Zorro and LED-64 to construct the distinguisher described in Sect. 2.3 for each cipher separately, and proceed by applying key-recovery cryptanalysis. We use the notation introduced in Sect. 3.3 to denote the various intermediate states \(X\) of the encryption process of \(P\) to \(C\). We use similar notation for the pair \((P',C')\) but now with \(X'\).

### 4.1 Slide Cryptanalysis on Zorro

Since about one half of all S-box differentials exist, to construct a \(2\)-round differential characteristic as described, a fraction \(2^{-4}\) of the choices can match the conditions of the four S-boxes. We can start with an initial state such that the bytes in the first row have no difference. Since there exist \(2^{96}\) different states, we expect \(2^{96-2r}\) states to satisfy the pattern over \(r\) rounds. This shows that even for the full-round cipher there exist numerous candidates. A natural question is how one can exploit these degrees of freedom to create a differential characteristic with even fewer active S-boxes. Our choice is to select the difference value \(\varDelta _{in}=X'^I_1\oplus X_5^I\) such that the first three rounds have no active S-boxes. The first row after MC has no difference with probability around \(2^{-8\times 4}=2^{-32}\). So if we start with a state with no difference in the first row, a fraction \(2^{-32\times 2}\) of the \(2^{96}\) states can bypass two more rounds with probability one. While trying all \(2^{96}\) states is not feasible, as described in [17], we can find these 3-round characteristics efficiently by an alternative method. In the remainder of this part we take a detailed look at this technique, summarized in Algorithm 1.

**Key Recovery.** For all \(2^{32}\) states obtained from Algorithm 1 we extend the characteristic by two rounds iteratively. The best differential characteristic we found for 12 rounds has probability \(\Pr [X'^I_{13}\oplus X^I_{17}=\varDelta _{out}|X'^I_{1}\oplus X^I_{5}=\varDelta _{in}]=2^{-119.24}\), where the values \(\varDelta _{in}\) and \(\varDelta _{out}\) together with the details of the characteristic are given in Appendix A.2. It leads to the key-recovery cryptanalysis described in Sect. 2.3 on 16-round reduced Zorro. The attack requires \(2^{64+59.62}=2^{123.62}\) known plaintexts and the time complexity is \(2^{123.62}+2^{124.62}/4+2^{119.24}\simeq 2^{123.8}\) encryptions. To reduce the data complexity we can allow degrees of freedom for an active S-box in the last round of the characteristic. There exist 25 different \(\alpha \in GF(2^8)\) such that \(\Pr [S(x)\oplus S(x\oplus \mathtt {0x76})=\alpha ]=2^{-6}\). Let us consider the same characteristic as in Appendix A.2 while \(X_{16}^S(1)\oplus X'^S_{12}(1)=\alpha \). The probability of such a characteristic is \(2^{-113.82}\cdot (25\cdot 2^{-6})=2^{-115.17}\), which means that the data complexity decreases to \(2^{64+57.59}=2^{121.59}\) at the cost of increasing the time complexity to \(25\cdot (2^{121.59}/4+2^{115.17})\simeq 2^{124.23}\) encryptions.

### 4.2 Slide Cryptanalysis of LED-64

Let us recall that the difference between \(RC_r\) and \(RC_{r+4}\) of LED-64 has a nonzero value only in the second column. We then start by looking at the state after AC in an arbitrary round \(r\) to investigate different scenarios. Since we are interested in characteristics with few active S-boxes, one may think the best case happens when all active nibbles in \(X'^I_r\oplus X^I_{r+4}\) get canceled by the difference \(DRC_r\), so as to bypass SC with probability one. We note that this can activate four nibbles \(X'^A_{r+1}(1,5,9,13)\oplus X^A_{r+5}(1,5,9,13)\). Next, each active nibble propagates to a different column after SR and makes all nibbles of \(X'^M_{r+1}\oplus X^M_{r+5}\) active, which is against our goal. Another choice is to have just one active nibble \(X'^A_r(1)\oplus X^A_{r+4}(1)\), such that after MC it is transferred to four nibbles which cancel three out of the four nibble differences injected by the round constants in the next round. This can be considered an iterative 1-round characteristic. After testing this approach we found that, due to the differences between the round constants chosen by the designers, we cannot use it iteratively, because it works for just one round. So we chose a moderate strategy to find the best pattern. First, we try to avoid activating the nibbles in the first, third and fourth columns of \(X'^I_r\oplus X^I_{r+4}\), since we cannot cancel them by the differences of the round constants. Secondly, we aim to cancel as many nibbles in the second column as possible. To find the best pattern we start from the middle rounds and try to extend it in both the backward and forward directions. It is proved in [20] that any differential characteristic over four consecutive rounds of the cipher has at least 25 active S-boxes and probability at most \(2^{-50}\). Thanks to the differences in the round constants, the best characteristic we found for four rounds has probability \(2^{-27}\) and just 13 active S-boxes. This demonstrates the superiority of our model in comparison with differential cryptanalysis of LED-64.

**Key Recovery.** The 4-round differential characteristic illustrated in Appendix A.1 has probability \(2^{-27}\). This property enables us to retrieve the key of 8-round reduced LED-64 with the same technique as described in Sect. 2.3. The cryptanalysis requires \(2^{32+13.5}=2^{45.5}\) known plaintexts and the time complexity is roughly \(2^{45.5}+2^{46.5}/2+2^{27}\simeq 2^{46.5}\) encryptions. To reduce the data complexity we can consider a truncated-type differential for the last round. The differences \(\mathtt {2}\), \(\mathtt {c}\), \(\mathtt {d}\) and \(\mathtt {6}\) can be transferred through the S-box to the sets of differences \(\mathcal {A}_1=\lbrace \mathtt {3, 5, 6, a, c, d, e} \rbrace \), \(\mathcal {A}_2=\lbrace \mathtt {2, 5, 7, 8, 9, a, e} \rbrace \), \(\mathcal {A}_3=\lbrace \mathtt {1, 2, 3, 4, 7, a, b} \rbrace \) and \(\mathcal {A}_4=\lbrace \mathtt {2, 6, 8, b, c, f} \rbrace \), respectively. If \(X^I_5\oplus P'=\varDelta _{in}\) holds for the \(\varDelta _{in}\) given in Appendix A.1, then the truncated difference \(X^S_8\oplus X'^S_4\in \lbrace \mathtt {0}\,a_1\,\mathtt {000}\,a_2\,\mathtt {000}\,a_3\,\mathtt {000}\,a_4\,\mathtt {00} \mid a_i \in \mathcal {A}_i,\ 1\le i\le 4\rbrace \), together with its corresponding truncated difference \(\varDelta _{out}=X^M_8\oplus X'^M_4\), holds with probability \(2^{-19}\). Using this characteristic the data complexity decreases to \(2^{32+9.5}=2^{41.5}\) known plaintexts while the time complexity increases to \(6\cdot 7^3(2^{41.5}/2+2^{19})\simeq 2^{51.5}\) encryptions.
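The sets \(\mathcal{A}_1,\ldots,\mathcal{A}_4\) and the factor \(6\cdot 7^3\) above come straight out of the difference distribution table of the LED S-box (Table 2). The Python below is an added example (not the paper's search code) that rebuilds the DDT, derives the truncated sets for the input differences \(\mathtt{2}\), \(\mathtt{c}\), \(\mathtt{d}\), \(\mathtt{6}\), counts the concrete output differences the truncated last round covers, and redoes the data and time arithmetic of Sect. 2.3 for both variants with \(n=64\) and \(r=2\) steps. The helper names and the way the complexity formula is parameterised are this example's own.

```python
"""Truncated last-round differential of Sect. 4.2 from the LED S-box DDT.

Added example (not the paper's search code).  The S-box is Table 2, the input
differences 2, c, d, 6 and the probabilities 2^-27 and 2^-19 are the ones quoted in
Sect. 4.2; the helper names and the parameterisation of the cost formula are ours."""
import math

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
LAST_ROUND_INPUTS = [0x2, 0xC, 0xD, 0x6]     # input differences of the four active S-boxes

def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) xor S(x xor a) = b}."""
    table = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

DDT = ddt(SBOX)

def reachable(a):
    """Output differences that input difference a can produce: the truncated set A_i."""
    return {b for b in range(16) if DDT[a][b]}

def best_probability(a):
    """Probability of the most likely single transition from input difference a."""
    return max(DDT[a]) / 16

def truncated_count(inputs):
    """Number of concrete output differences covered by the truncated last round."""
    return math.prod(len(reachable(a)) for a in inputs)

def log2_complexities(p, n=64, steps=2, repeats=1):
    """log2 of the data 2^m = 2^{n/2 + p/2} and of the time
         2^m + 2^m/r + repeats * (2^m/r + 2^{2m-n})
    of Sect. 2.3 with r = steps, the bracket being repeated once per output
    difference tried (2^{2m-n} key candidates are tested in each repetition)."""
    m = n / 2 + p / 2
    time = 2 ** m + 2 ** m / steps + repeats * (2 ** m / steps + 2 ** (2 * m - n))
    return m, math.log2(time)

if __name__ == "__main__":
    for a in LAST_ROUND_INPUTS:
        print(f"input {a:x}: best single transition 2^{math.log2(best_probability(a)):.0f}, "
              f"reachable {sorted(f'{b:x}' for b in reachable(a))}")
    combos = truncated_count(LAST_ROUND_INPUTS)
    print(f"truncated output differences: {combos} = 6 * 7^3")
    for label, p, rep in (("single characteristic", 27, 1), ("truncated", 19, combos)):
        d, t = log2_complexities(p, repeats=rep)
        print(f"{label}: data 2^{d:.1f} KP, time 2^{t:.2f}")
```

Each of the four input differences has a best single transition of probability \(2^{-2}\), so the 8-bit gap between \(2^{-27}\) and \(2^{-19}\) is exactly those four last-round transitions being replaced by membership in \(\mathcal{A}_i\), and the \(6\cdot 7^3=2058\approx 2^{11}\) repetitions are what lift the time from about \(2^{46.5}\) to about \(2^{51.5}\).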

## 5 Conclusion

In this paper we provide a new insight into slide cryptanalysis, illustrated by the cryptanalysis of the step-reduced block ciphers Zorro and LED-64. We describe a new framework to enhance slide cryptanalysis against the general Even-Mansour scheme with one key in a probabilistic setting. Our method exploits some features of related-key differential cryptanalysis to build a kind of differential characteristic that is applicable in the single-key model. In the related-key cryptanalysis model [2, 22] one considers encryption under unknown secret keys with a known difference, which allows the attacker to control the data difference through the differences injected by the key difference. The probabilistic slide cryptanalysis presented in this paper is inspired by the same idea, but instead of using two different keys it slides a copy of the encryption to take advantage of the round-constant differences in the single-key model. Since known statistical cryptanalysis is not affected by the values of the round constants, the choice of their values has usually not been taken into account by the designers of block ciphers (see for example [24, 31]). In this work we shed more light on how round constants can potentially weaken the security of a cipher. One possible direction for future research is to investigate the application of probabilistic slide cryptanalysis to other block ciphers based on the general Even-Mansour scheme with a single key, such as PRINCE, PRINTcipher and 3-WAY [12].

## Notes

### Acknowledgments

The author wishes to thank Kaisa Nyberg for the helpful discussions, detailed comments and insightful suggestions that significantly improved the quality of this paper. The program for finding the characteristic used for cryptanalysis of Zorro was performed on the Triton computing cluster provided by the Aalto University Science-IT programme. The work of Hadi Soleimany is supported by Helsinki Doctoral Program in Computer Science - Advanced Computing and Intelligent Systems (HECSE). He was partially supported by the Nokia Foundation which is also gratefully acknowledged.

## References

- 1. Aoki, K., Kobayashi, K., Moriai, S.: Best differential characteristic search of FEAL. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 41–53. Springer, Heidelberg (1997)
- 2. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)
- 3. Biham, E., Dunkelman, O., Keller, N.: Improved slide attacks. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 153–166. Springer, Heidelberg (2007)
- 4. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1990)
- 5. Biryukov, A.: Analysis of involutional ciphers: Khazad and Anubis. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 45–53. Springer, Heidelberg (2003)
- 6. Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010)
- 7. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)
- 8. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)
- 9. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: a lightweight hash function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)
- 10. Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: Spongent: the design space of lightweight cryptographic hashing. IEEE Trans. Comput. 62(10), 2041–2053 (2013)
- 11. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
- 12. Daemen, J., Govaerts, R., Vandewalle, J.: A new approach to block cipher design. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809. Springer, Heidelberg (1994)
- 13. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Improved linear sieving techniques with applications to step-reduced LED-64. Cryptology ePrint Archive, Report 2013/634 (2013). http://eprint.iacr.org/
- 14. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full AES\(^2\). In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 337–356. Springer, Heidelberg (2013)
- 15. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993)
- 16. Furuya, S.: Slide attacks with a known-plaintext cryptanalysis. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, p. 214. Springer, Heidelberg (2002)
- 17. Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013)
- 18. Gorski, M., Lucks, S., Peyrin, T.: Slide attacks on a class of hash functions. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 143–160. Springer, Heidelberg (2008)
- 19. Guo, J., Nikolić, I., Peyrin, T., Wang, L.: Cryptanalysis of Zorro. Cryptology ePrint Archive, Report 2013/713 (2013). http://eprint.iacr.org/
- 20. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
- 21. Isobe, T., Shibutani, K.: Security analysis of the lightweight block ciphers XTEA, LED and Piccolo. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 71–86. Springer, Heidelberg (2012)
- 22. Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997)
- 23. Knudsen, L., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: a block cipher for IC-printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010)
- 24. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011)
- 25. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
- 26. Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)
- 27. Nikolić, I., Wang, L., Wu, S.: Cryptanalysis of round-reduced LED. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 112–130. Springer, Heidelberg (2014)
- 28. Onions, P.: On the strength of simply-iterated Feistel ciphers with whitening keys. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 63–69. Springer, Heidelberg (2001)
- 29. Phan, R.C.-W.: Advanced slide attacks revisited: realigning slide on DES. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 263–276. Springer, Heidelberg (2005)
- 30. Saarinen, M.-J.O.: Cryptanalysis of block ciphers based on SHA-1 and MD5. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 36–44. Springer, Heidelberg (2003)
- 31. Soleimany, H., Blondeau, C., Yu, X., Wu, W., Nyberg, K., Zhang, H., Zhang, L., Wang, Y.: Reflection cryptanalysis of PRINCE-like ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 71–91. Springer, Heidelberg (2014)