
Improved (Related-key) Differential Cryptanalysis on GIFT

  • Conference paper
  • Selected Areas in Cryptography (SAC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12804)


Abstract

In this paper, we reevaluate the security of GIFT against differential cryptanalysis under both the single-key and the related-key scenario. Firstly, we apply Matsui’s algorithm to search for related-key differential trails of GIFT. We add three constraints to limit the search space and search for the optimal related-key differential trails in the limited search space. We obtain related-key differential trails of GIFT-64/128 for up to 15/14 rounds, which are the best results on related-key differential trails of GIFT so far. Secondly, we propose an automatic algorithm to increase the probability of the related-key boomerang distinguisher of GIFT by searching for the clustering of the related-key differential trails utilized in the boomerang distinguisher. We find a 20-round related-key boomerang distinguisher of GIFT-64 with probability \( 2^{-58.557} \). The 25-round related-key rectangle attack on GIFT-64 is constructed based on it. This is the longest attack on GIFT-64. We also find a 19-round related-key boomerang distinguisher of GIFT-128 with probability \( 2^{-109.626} \). We propose a 23-round related-key rectangle attack on GIFT-128 utilizing the 19-round distinguisher, which is the longest related-key attack on GIFT-128. A 24-round related-key rectangle attack on GIFT-64 and a 22-round related-key boomerang attack on GIFT-128 are also presented. Thirdly, we search for the clustering of the single-key differential trails. We increase the probability of a 20-round single-key differential distinguisher of GIFT-128 from \( 2^{-121.415} \) to \( 2^{-120.245} \). The time complexity of the 26-round single-key differential attack on GIFT-128 is improved from \( 2^{124.415} \) to \( 2^{123.245} \).



References

  1. The specification of GIFT-COFB. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/gift-cofb-spec-round2.pdf. Accessed 29 Mar 2019

  2. The specification of HYENA. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/hyena-spec-round2.pdf. Accessed 29 Mar 2019

  3. The specification of SUNDAE-GIFT. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/SUNDAE-GIFT-spec-round2.pdf. Accessed 29 Mar 2019

  4. The specification of LOTUS-AEAD and LOCUS-AEAD. https://csrc.nist.gov/CSRC/media/Projects/lightweight-cryptography/documents/round-2/spec-doc-rnd2/lotus-locus-spec-round2.pdf. Accessed 27 Sept 2019

  5. NIST Homepage: the round 2 candidates of the NIST lightweight crypto standardization process. https://csrc.nist.gov/projects/lightweight-cryptography/round-2-candidates. Accessed 15 July 2020

  6. Aoki, K., Kobayashi, K., Moriai, S.: Best differential characteristic search of FEAL. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 41–53. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052333

  7. Banik, S., Pandey, S.K., Peyrin, T., Sasaki, Yu., Sim, S.M., Todo, Y.: GIFT: a small present. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 321–345. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_16

  8. Bao, Z., Zhang, W., Lin, D.: Speeding up the search algorithm for the best differential and best linear trails. In: Lin, D., Yung, M., Zhou, J. (eds.) Inscrypt 2014. LNCS, vol. 8957, pp. 259–285. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16745-9_15

  9. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5

  10. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965

  11. Biham, E., Dunkelman, O., Keller, N.: The rectangle attack — rectangling the serpent. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 340–357. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_21

  12. Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_30

  13. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1

  14. Biryukov, A., De Cannière, C., Dellkrantz, G.: Cryptanalysis of Safer++. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 195–211. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_12

  15. Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_1

  16. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31

  17. Chen, H., Zong, R., Dong, X.: Improved differential attacks on GIFT-64. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds.) ICICS 2019. LNCS, vol. 11999, pp. 447–462. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41579-2_26

  18. Chen, L., Wang, G., Zhang, G.: MILP-based related-key rectangle attack and its application to GIFT, Khudra, MIBS. Comput. J. 62(12), 1805–1821 (2019). https://doi.org/10.1093/comjnl/bxz076

  19. Cid, C., Huang, T., Peyrin, T., Sasaki, Yu., Song, L.: Boomerang connectivity table: a new cryptanalysis tool. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 683–714. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_22

  20. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4

  21. Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 393–410. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_21

  22. Ji, F., Zhang, W., Ding, T.: Improving Matsui’s search algorithm for the best differential/linear trails and its applications for DES, DESL and GIFT. IACR Cryptol. ePrint Arch. 2019, 1190 (2019). https://eprint.iacr.org/2019/1190

  23. Kelsey, J., Kohno, T., Schneier, B.: Amplified boomerang attacks against reduced-round MARS and serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 75–93. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_6

  24. Kim, J., Kim, G., Hong, S., Lee, S., Hong, D.: The related-key rectangle attack – application to SHACAL-1. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 123–136. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_11

  25. Li, L., Wu, W., Zheng, Y., Zhang, L.: The relationship between the construction and solution of the MILP models and applications. IACR Cryptol. ePrint Arch. 2019, 49 (2019). https://eprint.iacr.org/2019/049

  26. Liu, G., Ghosh, M., Song, L.: Security analysis of SKINNY under related-tweakey settings (long paper). IACR Trans. Symmetric Cryptol. 2017(3), 37–72 (2017). https://doi.org/10.13154/tosc.v2017.i3.37-72

  27. Liu, Y., Sasaki, Yu.: Related-key boomerang attacks on GIFT with automated trail search including BCT effect. In: Jang-Jaccard, J., Guo, F. (eds.) ACISP 2019. LNCS, vol. 11547, pp. 555–572. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21548-4_30

  28. Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451

  29. Ohta, K., Moriai, S., Aoki, K.: Improving the search algorithm for the best linear expression. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 157–170. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_13

  30. Selçuk, A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008). https://doi.org/10.1007/s00145-007-9013-7

  31. Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12

  32. Wang, H., Peyrin, T.: Boomerang switch in multiple rounds. Application to AES variants and Deoxys. IACR Trans. Symmetric Cryptol. 2019(1), 142–169 (2019). https://doi.org/10.13154/tosc.v2019.i1.142-169

  33. Zhao, B., Dong, X., Jia, K.: New related-tweakey boomerang and rectangle attacks on Deoxys-BC including BDT effect. IACR Trans. Symmetric Cryptol. 2019(3), 121–151 (2019). https://doi.org/10.13154/tosc.v2019.i3.121-151

  34. Zhao, B., Dong, X., Meier, W., Jia, K., Wang, G.: Generalized related-key rectangle attacks on block ciphers with linear key schedule: applications to SKINNY and GIFT. Designs Codes Cryptogr. 88(6), 1103–1126 (2020). https://doi.org/10.1007/s10623-020-00730-1

  35. Zhou, C., Zhang, W., Ding, T., Xiang, Z.: Improving the MILP-based security evaluation algorithm against differential/linear cryptanalysis using a divide-and-conquer approach. IACR Trans. Symmetric Cryptol. 2019(4), 438–469 (2019). https://doi.org/10.13154/tosc.v2019.i4.438-469

  36. Zhu, B., Dong, X., Yu, H.: MILP-based differential attack on round-reduced GIFT. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 372–390. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_19


Acknowledgements

We would like to thank the anonymous reviewers for their helpful comments. This work is supported by the Natural Science Foundation of China (61379138).

Author information

Correspondence to Wentao Zhang.

Appendices

A Improved Matsui’s Algorithm for GIFT

Algorithm 3 (figure)

The improved Matsui’s algorithm for GIFT proposed in [22] is demonstrated in Algorithm 3. There are ten different weights of the difference propagations for the new 8-bit S-box in GIFT, which are denoted by the new table:

$$\begin{aligned}\begin{gathered} \text{ WeightTable[10] } = \{6.000,5.000,4.415,4.000,3.415,3.000,2.830,2.000,1.415,0.000\}. \end{gathered}\end{aligned}$$

To implement speeding-up method-1, the output differences of each S-box are classified according to the corresponding weights and one new table is constructed as follows:

  • DDTwY[SboxN][WeightN][OutN]

    DDTwY[t][j][r] represents the \( r^{th} \) output difference of the \( t^{th} \) S-box with weight WeightTable[j].

    SboxN represents the index of the S-box. It ranges from 1 to ns. WeightN represents the index of the weights. It ranges from 0 to 9. OutN represents the index of the output difference. It ranges from 0 to 255.
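The following Python is an added example, not code from the paper or from [22]. It derives the ten entries of WeightTable from the GIFT S-box itself and builds a weight-classified output-difference table in the spirit of DDTwY. It assumes that the "new 8-bit S-box" is two GIFT 4-bit S-boxes applied in parallel to the two nibbles of a byte (an assumption, supported by the fact that this reproduces exactly the ten weights listed above); the `ddt_by_weight` layout, indexed by input difference rather than by S-box position, and the `best_weight` helper are hypothetical names chosen here. The `ddt` helper applied to the 4-bit S-box gives the table shown as Table 9 in Appendix C.

```python
from math import log2

# GIFT 4-bit S-box, as given in the GIFT specification [7].
GS = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9,
      0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]

# The ten weights of WeightTable from Appendix A, in the paper's order.
WEIGHT_TABLE = [6.000, 5.000, 4.415, 4.000, 3.415, 3.000, 2.830, 2.000, 1.415, 0.000]


def ddt(sbox):
    """Differential distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}.
    For GS this is the table the paper shows as Table 9."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for a in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def super_sbox(sbox):
    """Assumption: the 'new 8-bit S-box' is two copies of the 4-bit S-box applied
    in parallel to the two nibbles of a byte. Returns the 256-entry table."""
    return [(sbox[x >> 4] << 4) | sbox[x & 0xF] for x in range(256)]


def weight(count, n):
    """Weight of a difference propagation: -log2(count / n), rounded like WeightTable."""
    return round(-log2(count / n), 3)


def weights_of(table):
    """Distinct weights occurring in a DDT, largest first (the order of WeightTable)."""
    n = len(table)
    return sorted({weight(c, n) for row in table for c in row if c}, reverse=True)


def ddt_by_weight(sbox):
    """Speeding-up method-1 table (hypothetical layout, indexed by input difference):
    ddtw[a][j] is the list of output differences b reachable from input difference a
    with weight WEIGHT_TABLE[j]. The paper's DDTwY is indexed by S-box position instead."""
    table = ddt(sbox)
    n = len(sbox)
    index = {w: j for j, w in enumerate(WEIGHT_TABLE)}
    ddtw = [[[] for _ in WEIGHT_TABLE] for _ in range(n)]
    for a in range(n):
        for b in range(n):
            if table[a][b]:
                ddtw[a][index[weight(table[a][b], n)]].append(b)
    return ddtw


def best_weight(ddtw, a):
    """Smallest weight reachable from input difference a, found by scanning the weight
    classes from the lightest (WEIGHT_TABLE[9] = 0.000) upward; this is the bound a
    Matsui-style search consults first for each active S-box."""
    for j in range(len(WEIGHT_TABLE) - 1, -1, -1):
        if ddtw[a][j]:
            return WEIGHT_TABLE[j]
    return None


if __name__ == "__main__":
    print("4-bit S-box weights:", weights_of(ddt(GS)))
    print("8-bit S-box weights:", weights_of(ddt(super_sbox(GS))))
    ddtw = ddt_by_weight(super_sbox(GS))
    for a in (0x11, 0x40, 0x44):
        print(f"best weight from input difference {a:#04x}:", best_weight(ddtw, a))
```

The 4-bit DDT contains only the counts 2, 4, 6 and 16 (weights 3, 2, 1.415 and 0); the weight of a propagation through two parallel S-boxes is the sum of the two nibble weights, which is exactly how the ten values 6.000 down to 0.000 arise.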

B Related-key Boomerang Attack on 22-round GIFT-128

B.1 Determining the Related-key Boomerang Distinguisher

We choose the same 19-round related-key rectangle distinguisher as in Sect. 6.2. We append two rounds at the end of the distinguisher and one round at the beginning of the distinguisher. The details of the 22-round key-recovery model are shown in Table 7. The input difference of the 22-round model equals \( \varDelta Z_{2} = 0x 00 00 00 00 00 00 00 80 00 00 00 00 60 00 00 00\).

B.2 Data Collection

We collect data according to the output values in Table 7. There are 52 unknown bits in the output marked as “?”, affecting 13 S-boxes in round 23 and four S-boxes in round 22. Thus, \( \boldsymbol{ r_{f} = 52} \) and the number of key bits that need to be guessed in \( E_{f} \) is \( \boldsymbol{ m_{f} = 34}\). We utilize the key-recovery model proposed by Zhao et al. in [33] to perform the boomerang key-recovery attack:

  1. Choose \( y = s/(2^{r_{f} } \cdot \hat{p}^{2}\hat{q}^{2}) \) structures of \( 2^{r_{f}} \) ciphertexts each, where s is the expected number of right quartets. Each structure takes all the possible values for the \( r_{f} \) active bits while the other \( n - r_{f} \) bits are fixed to some constant.

  2. For each structure, we obtain the plaintext \( P_{1} \) for each ciphertext \( C_{1} \) by calling the decryption oracle under \( K_{1} \). Compute \( P_{2} \) by \( P_{2} = P_{1} \oplus \alpha \) and obtain the ciphertext \( C_{2} \) by \( E_{K_{2}}(P_{2}) \). Here we gain a set:

    $$\begin{aligned}\begin{gathered} L_{1} = \{( P_{1} , C_{1}, P_{2}, C_{2}) : P_{1}= E^{-1}_{K_{1}}(C_{1}), P_{2} = P_{1} \oplus \alpha , C_{2} = E_{K_{2}}(P_{2}) \}. \end{gathered}\end{aligned}$$

    Construct the set \( L_{2} \) under \( K_{3} \) and \( K_{4} \) in a similar way:

    $$\begin{aligned}\begin{gathered} L_{2} = \{( P_{3} , C_{3}, P_{4}, C_{4}) : P_{3}= E^{-1}_{K_{3}}(C_{3}), P_{4} = P_{3} \oplus \alpha , C_{4} = E_{K_{4}}(P_{4}) \}. \end{gathered}\end{aligned}$$

  3. Insert \( L_{1} \) into a hash table \( H_{1} \) indexed by the \( n-r_{f} \) bits of \( C_{2} \). For each element of \( L_{2} \), find the corresponding \( ( P_{1} , C_{1}, P_{2}, C_{2}) \) colliding in the \( n-r_{f} \) bits. We gain a total of \( y \cdot 2^{2r_{f}-(n-r_{f})} = y \cdot 2^{3r_{f} -n} \) quartets.

  4. The process that recovers the subkeys involved in \( E_{f} \) is the same as the one in the related-key rectangle attack in Sect. 5.1. The complexity of this step is denoted as \( \varepsilon \).

  5. Select the top \( 2^{m_{f} - h} \) hits in the counter as the candidates, which delivers an advantage of h bits or higher. Exhaustively search the remaining \( k - m_{f} \) unknown key bits of the master key.

B.3 Key Recovery

Choose the expected number of right quartets s to be 2; then we have \( y = s/(2^{r_{f} } \cdot \hat{p}^{2}\hat{q}^{2}) = 2^{58.63}\) and \( y \cdot 2^{r_{f}} = 2^{110.63} \). Make use of all the \( y \cdot 2^{3r_{f} -n} = 2^{86.63} \) quartets obtained in step 3 to recover the subkeys involved in \( E_{f} \). The key recovery process is similar to that of the 25-round attack in Sect. 5.1. About \( 2^{86.63} \cdot 2^{-(48+24)} = 2^{14.63}\) quartets remain after the key guessing and filtering procedure. Choose \( h = 22 \) and select the top \( 2^{ m_{f} - h} \) hits in the counter as the candidates. Exhaustively search the remaining \( 128 - m_{f} \) unknown key bits of the key.

B.4 Complexity and Success Probability

The data complexity is \( 4y \cdot 2^{r_{f}} = 2^{112.63}\) adaptively chosen ciphertexts and plaintexts. We need \( 4y \cdot 2^{r_{f}} \) chosen ciphertexts and plaintexts and \( y \cdot 2^{r_{f}} \) table look-up operations to construct the quartets. The key recovery process needs \( y \cdot 2^{3r_{f} -n} \cdot \varepsilon = 2^{86.63} \cdot 4\cdot 2^{2}/22 \) encryptions. Thus, the time complexity is bounded by \( 4y \cdot 2^{r_{f}} = 2^{112.63} \). The memory complexity is the size of each structure and the size of the key counter, which is bounded by \( 2^{r_{f}} = 2^{52} \). The success probability is \( 92.01\% \) according to Eq. 12.
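The data-collection procedure of B.2 (steps 1 to 3) and the complexity bookkeeping of B.3 and B.4, as an added Python example that is not code from the paper. The block size, the active-bit count and the encryption oracles are constructed stand-ins: a 16-bit block with \( r_{f} = 8 \) low-order active bits, and four independent seeded random permutations in place of \( E_{K_{1}}, \dots, E_{K_{4}} \) (the real attack uses related keys and a real boomerang; the toy only exercises the structure, hash-table join and quartet counting). The function names `structure`, `build_set`, `collect_quartets` and `complexities` are chosen here; `complexities` evaluates the paper's own formulas with the paper's parameters \( n = 128 \), \( r_{f} = 52 \), \( s = 2 \) and \( \hat{p}^{2}\hat{q}^{2} = 2^{-109.626} \).

```python
import random
from math import log2

# Toy parameters (constructed): 16-bit block, r_f = 8 active ciphertext bits.
# The paper's attack uses n = 128 and r_f = 52; the mechanics are identical.
N = 16
R_F = 8
ALPHA = 0x0001          # constructed input difference alpha of the distinguisher


def make_oracle(seed):
    """Stand-in for E_K: a seeded random permutation of 16-bit blocks (constructed;
    it has no boomerang property, so only the pairing mechanics are exercised).
    Returns (encrypt, decrypt)."""
    perm = list(range(1 << N))
    random.Random(seed).shuffle(perm)
    inv = [0] * (1 << N)
    for x, y in enumerate(perm):
        inv[y] = x
    return perm.__getitem__, inv.__getitem__


def structure(base):
    """Step 1: 2^{r_f} ciphertexts taking all values of the r_f active (here: low)
    bits, with the other n - r_f bits fixed to those of `base`."""
    fixed = base & ~((1 << R_F) - 1)
    return [fixed | v for v in range(1 << R_F)]


def build_set(dec_a, enc_b, ciphertexts):
    """Step 2: L = {(P_a, C_a, P_b, C_b)} with P_a = E^{-1}_{K_a}(C_a),
    P_b = P_a ^ alpha and C_b = E_{K_b}(P_b)."""
    out = []
    for c_a in ciphertexts:
        p_a = dec_a(c_a)
        p_b = p_a ^ ALPHA
        out.append((p_a, c_a, p_b, enc_b(p_b)))
    return out


def fixed_bits(c):
    """The n - r_f non-active bits of a ciphertext, used as the hash-table index."""
    return c >> R_F


def collect_quartets(L1, L2):
    """Step 3: hash L1 on the fixed bits of C2, then join every element of L2 whose
    C4 collides on those bits. Expected number per structure: 2^{2 r_f - (n - r_f)}."""
    H1 = {}
    for entry in L1:
        H1.setdefault(fixed_bits(entry[3]), []).append(entry)
    quartets = []
    for p3, c3, p4, c4 in L2:
        for p1, c1, p2, c2 in H1.get(fixed_bits(c4), []):
            quartets.append((p1, c1, p2, c2, p3, c3, p4, c4))
    return quartets


def complexities(n, r_f, s, log2_p2q2):
    """B.3/B.4 figures as log2 values: y = s / (2^{r_f} p^2 q^2), the ciphertexts
    y * 2^{r_f}, the quartets y * 2^{3 r_f - n} and the data 4 * y * 2^{r_f}."""
    log2_y = log2(s) - r_f - log2_p2q2
    return {"y": log2_y, "ciphertexts": log2_y + r_f,
            "quartets": log2_y + 3 * r_f - n, "data": 2 + log2_y + r_f}


if __name__ == "__main__":
    (_, dec1), (enc2, _), (_, dec3), (enc4, _) = (make_oracle(k) for k in (1, 2, 3, 4))
    S = structure(0xAB00)
    Q = collect_quartets(build_set(dec1, enc2, S), build_set(dec3, enc4, S))
    print(len(Q), "candidate quartets from one structure, expected about", 2 ** (3 * R_F - N))
    for name, v in complexities(128, 52, 2, -109.626).items():
        print(f"{name}: 2^{v:.2f}")
```

With random permutations the join yields about \( 2^{3r_{f}-n} = 2^{8} \) candidate quartets per structure, which is exactly the count the paper's formula predicts for noise; the filtering and counting of steps 4 and 5 is what separates right quartets from these.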

C Analyzing the Probability of the 19-round Distinguisher Proposed in [18]

The propagation of the 2-round boomerang switch \( E_{m} \) is illustrated in Fig. 4. The details of \( E_{m} \) in the 19-round related-key rectangle distinguisher for GIFT-64 proposed in [18] are shown in Table 8. The authors calculated the value of r as 1 according to the BCT. The probability of the rectangle distinguisher is \( 2^{-n}\cdot \hat{p}^{2}\hat{q}^{2}r = 2^{-64}\cdot 2^{-50} \). It should be noted that at the time the authors wrote the paper [18], the BDT technique had not yet been proposed.

Table 8. The propagation of \( E_{m} \) of the 19-round related-key rectangle distinguisher for GIFT-64 in [18]

It has been proved in [32] that when \( R_{m} = 2\), the probability of \( E_{m} \) should be evaluated by the BDT and the iBDT, which is

$$\begin{aligned} r=2^{-2n}\varSigma _{1\le i \le 2\text{ ns }}(\text{ BDT }(\beta [i],\beta '[i],\gamma ''[i]) \times \text{ iBDT }(\gamma [i],\gamma '[i],\beta ''[i])). \end{aligned}$$

Meanwhile,

$$\begin{aligned}\begin{gathered} \text{ BDT }(\beta [i],\beta '[i],\gamma ''[i]) = \text{ DDT }(\beta [i],\beta '[i]), \, \text{ if } \ \gamma ''[i] = 0; \\ \text{ iBDT }(\gamma [i],\gamma '[i],\beta ''[i]) = \text{ DDT }(\gamma [i],\gamma '[i]) , \, \text{ if } \ \beta ''[i] = 0; \end{gathered}\end{aligned}$$

\( \beta [\text{2ns }]||\cdots ||\beta [1] := \beta \), \( \gamma [\text{2ns }]||\cdots ||\gamma [1] := \gamma \). We correct the value of r according to the data in Table 8:

$$\begin{aligned} r&=2^{-2n}\varSigma _{1\le i \le 16}(\text{ BDT }(\beta [i],\beta '[i],\gamma ''[i]) \times \text{ iBDT }(\gamma [i],\gamma '[i],\beta ''[i]))\\&=2^{-2n}\varSigma _{1\le i \le 16}(\text{ DDT }(\beta [i],\beta '[i]) \times \text{ DDT }(\gamma [i],\gamma '[i]))\\&=2^{-18}. \end{aligned}$$

The value of the DDT is shown in Table 9. As a result, the probability of the rectangle distinguisher in [18] is \( 2^{-n}\cdot p^{2}q^{2}r = 2^{-64}\cdot 2^{-68}\).

It has been introduced in Sect. 2.4 that only if \( p^{2}q^{2}r > 2^{-n} \) can we count more right quartets than random noise through the related-key rectangle distinguisher. For GIFT-64, the distinguisher should satisfy \( p^{2}q^{2}r > 2^{-64} \). Therefore, the 23-round related-key rectangle attack proposed in [18] and the 24-round related-key rectangle attack proposed in [34] are invalid.

Table 9. Differential Distribution Table (DDT) of GIFT S-box

D (Related-key) Differential Trails

Table 10. Two related-key differential trails of GIFT-64 and GIFT-128
Table 11. Two 9-round related-key differential trails of GIFT-128
Table 12. Four 20-round single-key differential trails with weight \( w_{sum} \) of GIFT-128
Table 13. Sixteen 10-round related-key differential trails of \( E_{0} \) with weight 20.415 of GIFT-64
Table 14. Eight 9-round related-key differential trails of \( E_{1} \) with weight 13.415 of GIFT-64
Table 15. Two 9-round related-key differential trails of \( E_{0} \) with weight 30.000 of GIFT-128
Table 16. Two 9-round related-key differential trails of \( E_{1} \) with weight 30.000 of GIFT-128


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Ji, F., Zhang, W., Zhou, C., Ding, T. (2021). Improved (Related-key) Differential Cryptanalysis on GIFT. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science, vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_8

  • DOI: https://doi.org/10.1007/978-3-030-81652-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0

  • eBook Packages: Computer Science (R0)
