Zhang, GuoYan

Abstract

The rectangle attack is an extension of the traditional differential attack and evolved from the boomerang attack. It has been widely used to attack several existing ciphers. In this article, we study the security of the lightweight block ciphers GIFT, Khudra and MIBS against the related-key rectangle attack. We use Mixed-Integer Linear Programming-aided cryptanalysis to search for rectangle distinguishers, taking into account the effect of the ladder switch technique. For GIFT, we build a 19-round related-key rectangle distinguisher and attack 23-round GIFT-64, which requires |$2^{60}$| chosen plaintexts and |$2^{107}$| encryptions. For Khudra, a 14-round related-key rectangle distinguisher can be built, which leads us to a 17-round rectangle attack. Our attack on 17-round Khudra requires a data complexity of |$2^{62.9}$| chosen plaintexts and a time complexity of |$2^{73.9}$| encryptions. For MIBS, we construct a 13-round related-key rectangle distinguisher and propose an attack on 15-round MIBS-64 with time complexity |$2^{59}$| and data complexity |$2^{45}$|. Compared to the previous best related-key rectangle attacks, we can attack one more round of Khudra and of MIBS-64 than before.

1. Introduction

Differential cryptanalysis was introduced in 1990 by Biham and Shamir [1]; it is one of the most widely used cryptanalytic tools against block ciphers. Differential cryptanalysis analyzes the differential trails of a cipher, discovers where the cipher exhibits non-random behavior and exploits such properties to build a distinguisher or recover the secret key. Since differential cryptanalysis has been used to break many ciphers, it has become a basic concern of cipher designers. Applying differential cryptanalysis under the related-key model was presented in [2]. The idea of a related-key differential is that the adversary is allowed to control the difference between the keys, though the key values themselves are unknown.
In particular, it is convenient for the attacker when the key schedule is completely linear: given the key difference, the attacker can compute the difference of every round key. However, in many cases it is difficult to find a high-probability trail. Under these circumstances, the boomerang attack proposed by Wagner [3] is designed to find two short high-probability differential trails and connect them into one differential pattern over many rounds of the primitive. The aim of this attack is to break more rounds by finding higher-probability trails than the differential attack can reach. In the boomerang attack, the entire cipher |$E$| is treated as two sub-ciphers, i.e. |$E=E_1\circ E_0$|. Assume there is a differential |$\alpha \rightarrow \beta $| with probability |$p$| in |$E_0$| and a differential |$\gamma \rightarrow \delta $| with probability |$q$| in |$E_1$|. It then requires |$(pq)^{-2}$| adaptive chosen plaintext/ciphertext queries to distinguish the target cipher from an ideal cipher. Later, the boomerang attack was transformed into a variant named the amplified boomerang attack (also known as the rectangle attack), which relaxes the requirement to a chosen plaintext attack instead of an adaptive chosen plaintext and ciphertext attack. In the rectangle attack, a right quartet is expected to be obtained with probability |$p^2q^22^{-n}$| [4], and the quartet structure the adversary is interested in is shown in Fig. 1(a). As indicated in [5, 6], any values of |$\beta $| and |$\gamma $| are allowed as long as |$\beta \neq \gamma $|. Ultimately, the probability of a right quartet becomes |$2^{-n}\hat {p}^2\hat {q}^2$|, where $$\hat {p} = \sqrt {\sum _{i}\Pr^2(\alpha \rightarrow \beta _i)}$$ and $$\hat {q} = \sqrt {\sum _{j}\Pr^2(\gamma _j \rightarrow \delta )}.$$
Before everything else, choosing suitable differential characteristics for |$E_0$| and |$E_1$| is the central part of boomerang-style attacks. Due to its importance, several researchers have investigated how to select the two differential characteristics. Originally, the two characteristics were selected independently for the two segments of the cipher, optimizing each characteristic on its own. Later, [7] discussed two aspects of the dependency between the two characteristics. On the one hand, two differential characteristics chosen independently may be incompatible, so that the probability of obtaining a right quartet is zero. On the other hand, exploiting the dependency can help attackers find better differential trails for the target cipher. In [8], it is shown how to use the middle-round S-box trick to obtain better results. Furthermore, Biryukov et al. [9] applied a technique named the boomerang switch in the analysis of the boomerang distinguisher instead of combining two independent characteristics directly. Three types of boomerang switch (ladder switch, S-box switch and Feistel switch) were offered in [9]. As for the ladder switch, it decomposes the cipher into words. Some words may be in |$E_0$| and others in |$E_1$|. If a part of the state is active only in |$E_0$| and the rest of the state is active only in |$E_1$|, we can be sure that the probability of all the active S-boxes is 1. For a more detailed introduction to the boomerang switch, the reader is referred to [9]. Subsequently, Dunkelman et al. [10, 11] formally identified the above cases of dependency and named the result the sandwich attack. Under this attack, the target cipher is decomposed as |$E=E_1\circ E_r \circ E_0$|, where |$E_r$| is a short operation that satisfies some differential propagation with probability |$r$|. The sandwich attack is shown in Fig. 1(b).
The main idea behind the sandwich attack is the transition in the middle. In the sandwich framework, we get $$ \begin{equation*} (x_1\oplus x_2=\beta)\wedge (y_1\oplus y_3=\gamma)\wedge (y_2\oplus y_4=\gamma). \end{equation*} $$ Hence, the probability of the three-layer boomerang distinguisher is |$p^2q^2r$|, where $$ \begin{align*} r=&\ {\textrm{Pr}}\ \big[(x_3\oplus x_4=\beta)\vert \ (x_1\oplus x_2=\beta)\\ &\qquad\wedge (y_1\oplus y_3=\gamma)\wedge (y_2\oplus y_4=\gamma)\big]. \end{align*} $$ Thereafter, many researchers paid much attention to computing the value of |$r$| in an efficient and systematic way. Recently, Cid et al. [12] offered a new cryptanalysis tool called the Boomerang Connectivity Table (BCT) to calculate the connection probability with greater precision. With the BCT, Cid et al. define the entry (|$\Delta _{IN}$|, |$\Delta _{OUT}$|) as the number of |$x$| satisfying $$ \begin{equation*} S^{-1}\big(S(x)\oplus \Delta_{OUT}\big)\oplus S^{-1}\big(S(x\oplus \Delta_{IN})\oplus \Delta_{OUT}\big)=\Delta_{IN}. \end{equation*} $$ Moreover, the authors also proposed an algorithm to compute the BCT of an |$n\times n$| S-box in time |$O(2^{3n})$|. Then, Dunkelman et al. [13] presented a new algorithm that takes time |$O(2^{2n})$| for the same BCT. Later, Li et al. [14] showed some novel properties of the BCT and of the boomerang uniformity of permutations over |$\mathbb {F}_{2^n}$|, both theoretically and experimentally. Note that the paper introducing the BCT [12] only handles the dependency of the two differential trails in boomerang distinguishers when |$E_r$| consists of a single S-box layer. Very recently, in [15], Song et al. proposed a generalized framework that is able to identify the actual boundaries of the |$E_r$| containing the dependency of the two differential trails and to systematically evaluate the probability of |$E_r$| for any number of rounds. In [16], Wang et al. simultaneously studied the effect of the BCT over multiple rounds.

FIGURE 1.
Boomerang-style attack

The related-key boomerang attack was first published in [17]. Namely, the related-key boomerang attack applies the boomerang-style attack to ciphers under different but related keys. In [18], a generic method for launching key recovery attacks with boomerang or rectangle distinguishers, including the calculation of their data and time complexity, is introduced; it also proves that the key recovery attacks succeed with high probability provided the distinguishers hold. For differential attacks, many attackers try to convert classical cryptanalysis into mathematical optimization problems whose aim is to find differential characteristics of high probability as the objective function under certain constraints. The Mixed-Integer Linear Programming (MILP) technique was used to solve these optimization problems. Mouha et al. [19] proposed an MILP method to count the active S-boxes of word-oriented block ciphers. Later, at Asiacrypt 2014, Sun et al. [20] extended Mouha et al.'s technique to search for actual differential characteristics. Meanwhile, Sun et al. [21] also introduced an MILP model to search for linear trails. Cui et al. [22] and Sasaki et al. [23] independently gave MILP-based impossible differential search models. Moreover, Cid et al. [24] incorporated the ladder switch into the MILP model and generated boomerang distinguishers. In [25], Xiang et al. showed how to model the propagation of the division property using MILP. In [26], Todo et al. constructed an MILP model for the integral attack using the bit-based division property. Li et al. [27] introduced a new MILP tool to present conditional cube attacks on Keccak keyed modes. At CHES 2017, Banik et al. proposed a new lightweight block cipher, GIFT [28]. To the best of our knowledge, no related-key rectangle attack on the GIFT block cipher has been proposed.
The best known attack on GIFT-64 is a differential cryptanalysis covering 19 rounds of GIFT-64 in the single-key model [29]. In addition, Sasaki et al. [30] successfully found new choices of independent key bits for the three-subset Meet-in-the-Middle attack on GIFT. Khudra [31] is a lightweight block cipher proposed by Kolay et al. at SPACE 2014. The best known related-key rectangle attack on Khudra is presented in [32] and covers 16 rounds of Khudra. MIBS [33] is a lightweight block cipher proposed at CANS 2009. The best known related-key rectangle attack on MIBS-64 is presented in [34] and covers 14 rounds of MIBS-64.

Our Contributions. In this paper, we study the security of the lightweight block ciphers GIFT, Khudra and MIBS and give a more accurate measurement of the resistance of the target ciphers against the rectangle attack. We are able to build (related-key) rectangle distinguishers by applying the ladder switch technique at the switching point in the middle, which saves several active S-boxes. Using the MILP technique, we convert a standard description of a cipher into an MILP instance and turn it into an automatic tool for searching differential trails. First, we build a 19-round related-key rectangle distinguisher and attack 23-round GIFT-64, which requires |$2^{60}$| chosen plaintexts and |$2^{107}$| encryptions. Then, we build rectangle distinguishers for the Khudra block cipher on up to 14 rounds with practical complexities. Moreover, using |$2^{62.9}$| chosen plaintexts we recover all key bits in |$2^{73.9}$| time for 17-round Khudra. In addition, we present valid rectangle distinguishers on up to 13 rounds of MIBS and analyze 15-round MIBS with |$2^{45}$| chosen plaintexts and |$2^{59}$| encryptions. We show our results and comparisons in Table 1.

Table 1.
Summarization of related-key rectangle attacks on some block ciphers

Cipher   | Round | Time          | Data          | Memory        | Ref
GIFT-64  | 23    | |$2^{107}$|   | |$2^{60}$|    | |$2^{60}$|    | Sec. 3
Khudra   | 16    | |$2^{59.77}$| | |$2^{57.82}$| | |$2^{57.82}$| | [35]
Khudra   | 16    | |$2^{64.08}$| | |$2^{53}$|    | |$2^{53}$|    | [32]
Khudra   | 17    | |$2^{73.9}$|  | |$2^{62.9}$|  | |$2^{62.9}$|  | Sec. 4
MIBS-64  | 13    | |$2^{40}$|    | |$2^{61}$|    | |$2^{24}$|    | [36]
MIBS-64  | 13    | |$2^{55}$|    | |$2^{43}$|    | |$2^{43}$|    | [37]
MIBS-64  | 14    | |$2^{37.2}$|  | |$2^{40}$|    | |$2^{40}$|    | [36]
MIBS-64  | 14    | |$2^{55}$|    | |$2^{55}$|    | |$2^{55}$|    | [34]
MIBS-64  | 15    | |$2^{59}$|    | |$2^{45}$|    | |$2^{45}$|    | Sec. 5

Organization of the Paper. The rest of the paper is organized as follows. Section 2 introduces the boomerang-style attack and describes the MILP model used to build boomerang distinguishers. Sections 3, 4 and 5 give the detailed descriptions of the rectangle attacks on GIFT-64, Khudra and MIBS, respectively. Finally, Section 6 concludes the paper.

2. Preliminaries

2.1. Brief introduction of the boomerang-style attack framework

The main idea of the boomerang attack is to use two short differentials with high probability instead of one long differential. The designers of the boomerang attack hope that it can do better than the original differential attack. The target cipher is decomposed into two sub-ciphers, |$E=E_1\circ E_0$|, where |$E_0$| has a differential |$\alpha \rightarrow \beta $| and |$E_1$| has a differential |$\gamma \rightarrow \delta $| with probabilities |$p$| and |$q$|, respectively. The basic boomerang attack works in an adaptive chosen plaintext/ciphertext scenario, and a right quartet is obtained with probability |$p^2q^2$|. The rectangle attack is a chosen plaintext attack, and a ciphertext quartet results in a right quartet with probability |$p^2q^22^{-n}$|. The probabilities |$p$| and |$q$| can then be increased by exploiting multiple differentials as $$\hat {p} = \sqrt {\sum _{i}\Pr^2(\alpha \rightarrow \beta _i)}$$ and $$\hat {q} = \sqrt {\sum _{j}\Pr^2(\gamma _j \rightarrow \delta )}.$$ As a result, given |$N$| plaintext pairs, the expected number of right quartets is |$N^2\cdot 2^{-n}\hat {p}^2\hat {q}^2$|.
We mainly review the related-key rectangle attack, which was proposed in [38]. It accesses four related-key oracles with keys |$K_1$|, |$K_2 = K_1 \oplus \Delta K$|, |$K_3 = K_1 \oplus \nabla K$| and |$K_4 = K_1 \oplus \Delta K \oplus \nabla K $|, where |$\Delta K$| and |$\nabla K$| are the key differences for the two sub-ciphers. In the rectangle attack, a plaintext quartet (|$P_1$|, |$P_2$|, |$P_3$|, |$P_4$|) with |$P_1\oplus P_2=P_3\oplus P_4=\alpha $| is first queried to the encryption oracles under the keys |$K_1$|, |$K_2$|, |$K_3$| and |$K_4$|, and the attacker receives a ciphertext quartet (|$C_1$|, |$C_2$|, |$C_3$|, |$C_4$|). We have |$C_1\oplus C_3=C_2\oplus C_4=\delta $| with probability |$\hat {p}^2\hat {q}^22^{-n}$|. Hence, when the probability of obtaining this quartet of ciphertexts is |$\hat {p}^2\hat {q}^22^{-n}$| with |$\hat {p}^2\hat {q}^2> 2^{-n/2}$|, the cipher can be distinguished by the related-key rectangle attack. The related-key boomerang attack can be formulated similarly to the related-key rectangle attack.

FIGURE 2. Ladder switch

Boomerang Switch. Biryukov et al. [9] proposed a technique for the transition from the sub-trail |$E_0$| to the sub-trail |$E_1$| and called it the boomerang switch. The aim of this technique is to obtain free rounds and minimize the overall complexity of the distinguisher. Notice that the attacker can gain middle rounds for free due to a careful choice of the upper and lower differentials. The type of boomerang switch used in this paper is the ladder switch. By default, the cipher is decomposed into rounds. In such cases, this decomposition may not be the best choice for the boomerang attack.
Instead, we further decompose the round into simple operations (such as S-boxes) and exploit the parallelism of these operations so that some of them can be treated as part of |$E_0$| and the rest as part of |$E_1$|. For example, assume that the simple operation is an S-box. If there is an S-box that is active in the final round of |$E_0$| or in the first round of |$E_1$|, we consider switching the active S-box to the other sub-trail, where the corresponding S-box is non-active. Namely, we do not need to pay the corresponding probability. The ladder switch can thus be summarized as follows.

Ladder switch. In the boomerang-style attack, we decompose the round down to the S-box level. A careful choice of the top and bottom differentials can help the attacker gain 1–2 middle rounds for free. As shown in Fig. 2, suppose that a paired input to the S-box, |$x_1$| and |$x_2$|, becomes |$y_1 = S(x_1)$| and |$y_2 = S(x_2)$| in the final round of |$E_0$|, where |$x_1\oplus x_2=\Delta _i=0$| and hence |$y_1=y_2$| at cost 1. Then the S-box outputs for the other pair are |$y_3=y_1\oplus \nabla _o$| and |$y_4=y_2\oplus \nabla _o$|, so |$y_3= y_4$|. Hence, the corresponding |$x_3$| and |$x_4$| satisfy the difference |$\Delta _i=0$| with probability 1. Either the input or the output difference is zero while the other is non-zero. That means that if there is an active S-box in the final round of |$E_0$| and the S-box in the same position is not active in the first round of |$E_1$|, we do not pay for this S-box. Finally, we can minimize the overall complexity of the distinguisher.

2.2. Mouha et al.'s framework for word-oriented block ciphers

MILP is a general mathematical tool for solving optimization problems that minimize/maximize an objective function. Searching for differential and linear trails is one of the most successful applications of MILP. Mouha et al.
[19] introduced an MILP model to count the number of active S-boxes for word-oriented block ciphers. Mouha et al.'s framework uses binary variables to denote the word-level differences propagating through the cipher (1 for a non-zero difference and 0 for a zero difference). Mouha et al. translated the XOR operation and the linear transformation into linear inequalities as follows.

Constraints describing the XOR operation. Suppose (|$a$|, |$b$|) is the input difference pair of the XOR operation and |$c$| is the corresponding output difference. The following constraints ensure that when the input differences and the output difference are not all zero, at least two of them are nonzero: $$ \begin{equation} \left \{ \begin{array}{@{}l@{}r} a+b+c\ge 2d_\oplus\\ d_\oplus \ge a, d_\oplus \ge b,\ d_\oplus \ge c, \end{array} \right. \end{equation} $$ (1) where |$d_\oplus $| is a dummy variable, |$d_\oplus \in \{0,1\}$|.

Constraints describing the linear transformation. Let |$x_{i}$| and |$y_i$|, |$i \in \{0, 1, \dots, m-1\}$|, be binary variables denoting the word-level input and output differences of the linear transformation |$L$|, respectively. We include the following constraints to describe the relation between the input and output differences: $$ \begin{equation} \left \{ \begin{array}{@{}l@{}r} \sum\limits_{i=0}^{m-1}(x_i+y_i)\ge \mathcal{B}_Ld_L\\[10pt] d_L \ge x_i,\ d_L \ge y_i,\ i\in \{0,1,\dots, m-1\}, \end{array} \right. \end{equation} $$ (2) where |$d_L$| is a dummy variable taking values in {0, 1}, and |$\mathcal {B}_L$| is the branch number of the linear transformation.

2.3. Sun et al.'s framework for bit-oriented block ciphers

At Asiacrypt 2014, Sun et al. [20] introduced an MILP model to count the number of active S-boxes for bit-oriented block ciphers, which is an extension of Mouha et al.'s [19] framework for word-oriented block ciphers.
Two bit-oriented operations are used in this paper: XOR, |$\oplus: \mathbb {F}^n_2\times \mathbb {F}^n_2\rightarrow \mathbb {F}^n_2$|; and the S-box, |$S: \mathbb {F}^n_2\rightarrow \mathbb {F}^n_2$|.

Describing the XOR operation in the MILP model. Suppose (|$a$|, |$b$|) is the input difference pair of the XOR operation and |$c$| is the corresponding output difference. The constraints imposed by XOR operations for bit-oriented ciphers are similar to Eq. (1). We need to exclude (|$a$|, |$b$|, |$c$|) |$\in $| {(0, 0, 1), (0, 1, 0), (1, 0, 0), (1, 1, 1)} from the solution space, which can be done by adding one inequality to Eq. (1): $$ \begin{equation} \left \{ \begin{array}{@{}l@{}r} a+b+c\ge 2d_\oplus\\[2pt] a+b+c\le 2\\[2pt] d_\oplus \ge a,\ d_\oplus \ge b,\ d_\oplus \ge c, \end{array} \right. \end{equation} $$ (3) where |$d_\oplus $| is a dummy variable, |$d_\oplus \in \{0,1\}$|.

Describing the S-box operation in the MILP model. Suppose (|$x_0$|, |$\cdots $|, |$x_{n-1}$|) and (|$y_0$|, |$\cdots $|, |$y_{m-1}$|) are the input and output bit-level differences of an |$n\times m$| S-box. Let |$A \in \{0,1\}$| be a dummy variable representing whether the S-box is active or not: |$A$| takes the value 1 if and only if |$x_0,\dots,x_{n-1}$| are not all zero. The relation between |$A$| and the input bit-level differences is described by the following constraints: $$\begin{equation} \left \{ \begin{array}{@{}l@{}r} A-x_i\ge 0,\qquad i\in \{0,\dots, n-1 \}\\[3pt] \sum_{i=0}^{n-1} x_i-A\ge 0. \end{array} \right. \end{equation}$$ (4)

FIGURE 3. One round of GIFT-64

Table 2. Specifications of GIFT S-box GS

|$x$|      0 1 2 3 4 5 6 7 8 9 a b c d e f
|$GS(x)$|  1 a 4 c 6 f 3 9 2 d b 7 5 0 8 e
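The constraint systems (1), (3) and (4) of Sections 2.2 and 2.3 can be checked exhaustively, since every variable is binary. The following added example (not code from the paper) enumerates the 0/1 points each system admits, with the dummy variables searched over, and shows that the word-level system (1) still admits the pattern (1, 1, 1) that the bit-level system (3) excludes, and that (4) ties the activity indicator |$A$| to the OR of the input difference bits. The inequality encoding (dict of coefficients, right-hand side) is this example's own.

```python
from itertools import product

def feasible(point, inequalities, dummies=()):
    """Return True if some 0/1 assignment of the dummy variables makes every
    inequality sum(coef * var) >= rhs hold at the given 0/1 point."""
    for vals in product((0, 1), repeat=len(dummies)):
        env = {**point, **dict(zip(dummies, vals))}
        if all(sum(c * env[v] for v, c in lhs.items()) >= rhs
               for lhs, rhs in inequalities):
            return True
    return False

# Eq. (1), word-level XOR of Mouha et al.: a+b+c >= 2d, d >= a, d >= b, d >= c
XOR_WORD = [({"a": 1, "b": 1, "c": 1, "d": -2}, 0),
            ({"d": 1, "a": -1}, 0), ({"d": 1, "b": -1}, 0), ({"d": 1, "c": -1}, 0)]

# Eq. (3), bit-level XOR of Sun et al.: Eq. (1) plus a+b+c <= 2 (written as -a-b-c >= -2)
XOR_BIT = XOR_WORD + [({"a": -1, "b": -1, "c": -1}, -2)]

def xor_solutions(inequalities):
    """All (a, b, c) difference triples the constraint system admits, dummy d free."""
    return sorted((a, b, c) for a, b, c in product((0, 1), repeat=3)
                  if feasible({"a": a, "b": b, "c": c}, inequalities, dummies=("d",)))

def sbox_activity_constraints(n):
    """Eq. (4) for an n-bit S-box input: A - x_i >= 0 for all i, and sum(x_i) - A >= 0."""
    ineqs = [({"A": 1, f"x{i}": -1}, 0) for i in range(n)]
    ineqs.append(({**{f"x{i}": 1 for i in range(n)}, "A": -1}, 0))
    return ineqs

def activity_solutions(n):
    """All (input difference bits, A) pairs admitted by Eq. (4); there is no dummy here."""
    ineqs = sbox_activity_constraints(n)
    return sorted((xs, a) for xs in product((0, 1), repeat=n) for a in (0, 1)
                  if feasible({**{f"x{i}": x for i, x in enumerate(xs)}, "A": a}, ineqs))
```

The bit-level system admits exactly the four triples with |$c = a \oplus b$|, while the word-level system also admits (1, 1, 1), which is the reason the extra inequality is needed for bit-oriented ciphers.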
2.4. Method for generating valid cutting-off inequalities

In this section, we define the convex hull of all possible differentials of an S-box in order to generate valid cutting-off inequalities. Eq. (4) does not take the differential property of the S-box into account, so it cannot be applied to bit-oriented ciphers on its own. This restriction was later removed by Sun et al. [20, 21], who described the possible and impossible differential propagations of the S-box with a system of inequalities. We regard a differential of an |$n\times m$| S-box as a discrete point in |$\mathbb {R}^{n+m}$|. Then we obtain the set of all possible differential patterns (|$x_{n-1}$|, |$x_{n-2}$|, |$\cdots $|, |$x_0$|, |$y_{m-1}$|, |$y_{m-2}$|, |$\cdots $|, |$y_0$|) and describe this set with the following inequalities (also called the H-representation of an |$n\times m$| S-box): $$\begin{equation} \left \{ \begin{aligned} &\alpha_{0,0}x_0+\dots+\alpha_{0,n-1}x_{n-1}+\beta_{0,0}y_0+\dots+\beta_{0,m-1}y_{m-1}+\gamma_0\ge 0\\ &\dots\\ &\alpha_{w,0}x_0+\dots+\alpha_{w,n-1}x_{n-1}+\beta_{w,0}y_0+\dots+\beta_{w,m-1}y_{m-1}+\gamma_w\ge 0 \end{aligned} \right. \end{equation}$$ (5) These linear inequalities are generated by SageMath, and we obtain hundreds of linear inequalities for an S-box. Since the number of inequalities is very large, we apply the algorithm proposed by Sasaki et al. [39] to minimize the number of inequalities. The basic idea of this algorithm is to remove all the impossible differential patterns of the target S-box. The only constraint needed is that each impossible pattern must be excluded from the solution space by at least one inequality.
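The three S-box tables this paper relies on are the DDT (the possible-pattern point set that Eq. (5) describes), the BCT of Cid et al. as defined in Section 1, and the BCT entries that justify the ladder switch of Section 2.1. The following added example (not code from the paper) computes all three for the GIFT S-box GS of Table 2 with the naive |$O(2^{3n})$| enumeration, and also evaluates |$\hat{p}$| for a single S-box, showing how counting every output difference |$\beta_i$| raises the probability above the best single differential.

```python
from math import sqrt

# GIFT S-box GS, as given in Table 2
GS = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9, 0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]

def inverse(sbox):
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def ddt(sbox):
    """DDT[din][dout] = number of x with S(x) ^ S(x ^ din) = dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table

def bct(sbox):
    """BCT[din][dout] of Cid et al.: number of x with
    S^-1(S(x) ^ dout) ^ S^-1(S(x ^ din) ^ dout) = din (naive O(2^(3n)) loop)."""
    n, inv = len(sbox), inverse(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for dout in range(n):
            for x in range(n):
                if inv[sbox[x] ^ dout] ^ inv[sbox[x ^ din] ^ dout] == din:
                    table[din][dout] += 1
    return table

def possible_patterns(sbox):
    """Points (din, dout) with a nonzero DDT entry: the set the H-representation (5) describes."""
    t = ddt(sbox)
    n = len(sbox)
    return {(i, o) for i in range(n) for o in range(n) if t[i][o]}

def differential_uniformity(sbox):
    t = ddt(sbox)
    return max(t[i][o] for i in range(1, len(sbox)) for o in range(len(sbox)))

def boomerang_uniformity(sbox):
    t = bct(sbox)
    return max(t[i][o] for i in range(1, len(sbox)) for o in range(1, len(sbox)))

def ladder_switch_free(sbox):
    """Ladder switch: an S-box inactive on one side (din = 0 or dout = 0) passes the
    boomerang with probability 1, i.e. its BCT entry equals 2^n."""
    t, n = bct(sbox), len(sbox)
    return all(t[0][o] == n for o in range(n)) and all(t[i][0] == n for i in range(n))

def best_single_prob(sbox, alpha):
    """Probability of the best single differential alpha -> beta through one S-box."""
    return max(ddt(sbox)[alpha]) / len(sbox)

def p_hat(sbox, alpha):
    """p_hat = sqrt(sum_i Pr^2(alpha -> beta_i)) over one S-box, every beta_i counted."""
    n = len(sbox)
    return sqrt(sum((cnt / n) ** 2 for cnt in ddt(sbox)[alpha]))
```

For |$\alpha = 4$| the best single transition has probability 6/16 while |$\hat{p} = 1/2$|, which is the gain the rectangle attack takes from summing over all |$\beta_i$|.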
Then the number of linear inequalities can be minimized by solving an MILP model.

3. Related-key Rectangle Attack against 23-round GIFT

3.1. Specification

GIFT [28] is a lightweight block cipher with a 128-bit key. It comes in two versions: GIFT-64 and GIFT-128. GIFT-64 is a 28-round SPN cipher with a 64-bit block, and GIFT-128 is a 40-round SPN cipher with a 128-bit block. One round of GIFT-64 is shown in Fig. 3.

Table 3. Specifications of Bit Permutation in GIFT

GIFT-64
|$i$|           0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
|$P_{64}(i)$|   0  17  34  51  48   1  18  35  32  49   2  19  16  33  50   3
|$i$|          16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31
|$P_{64}(i)$|   4  21  38  55  52   5  22  39  36  53   6  23  20  37  54   7
|$i$|          32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47
|$P_{64}(i)$|   8  25  42  59  56   9  26  43  40  57  10  27  24  41  58  11
|$i$|          48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63
|$P_{64}(i)$|  12  29  46  63  60  13  30  47  44  61  14  31  28  45  62  15

GIFT-128
|$i$|            0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
|$P_{128}(i)$|   0  33  66  99  96   1  34  67  64  97   2  35  32  65  98   3
|$i$|           16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31
|$P_{128}(i)$|   4  37  70 103 100   5  38  71  68 101   6  39  36  69 102   7
|$i$|           32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47
|$P_{128}(i)$|   8  41  74 107 104   9  42  75  72 105  10  43  40  73 106  11
|$i$|           48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63
|$P_{128}(i)$|  12  45  78 111 108  13  46  79  76 109  14  47  44  77 110  15
|$i$|           64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79
|$P_{128}(i)$|  16  49  82 115 112  17  50  83  80 113  18  51  48  81 114  19
|$i$|           80  81  82  83  84  85  86  87  88  89  90  91  92  93  94  95
|$P_{128}(i)$|  20  53  86 119 116  21  54  87  84 117  22  55  52  85 118  23
|$i$|           96  97  98  99 100 101 102 103 104 105 106 107 108 109 110 111
|$P_{128}(i)$|  24  57  90 123 120  25  58  91  88 121  26  59  56  89 122  27
|$i$|          112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
|$P_{128}(i)$|  28  61  94 127 124  29  62  95  92 125  30  63  60  93 126  31

The cipher receives an |$n$|-bit plaintext |$P = b_{n-1}b_{n-2}\dots b_0$| as the cipher state |$X$|, where |$n$| = 64, 128. The cipher state can also be expressed as |$s$| 4-bit nibbles, |$X = w_{s-1}||w_{s-2}||\dots ||w_0$|, where |$s$| = 16, 32. Each round of the cipher applies the following three transformations to the internal state, in the order given below.

SubCells - Both versions of GIFT apply the 4-bit S-box GS to every nibble of the internal state. The action of this S-box in hexadecimal notation is given in Table 2. $$ \begin{eqnarray*} w_i\gets GS(w_i), i \in \{0,\dots, s-1\}. \end{eqnarray*} $$

PermBits - The bit permutations used in GIFT-64 and GIFT-128 are both given in Table 3. The permutation maps the bit at position |$i$| of the cipher state to position |$P_n(i)$|. $$\begin{eqnarray*} b_{P_n(i)}\gets b_i, i \in \{0,\dots, n-1\}. \end{eqnarray*}$$

AddRoundKey - For GIFT-64, a 32-bit round key RK is XORed into |$b_{4i+1}$| and |$b_{4i}$| of the cipher state, where |$i \in \{0,\cdots ,15\}$|.
For GIFT-128, a 64-bit round key RK is XORed into the bits |$b_{4i+2}$| and |$b_{4i+1}$| of the cipher state, |$i\in\{0,\dots,31\}$|.

Key schedule and round constants. Both versions of GIFT use the same key schedule. The cipher receives a 128-bit key |$K = k_7||k_6||\dots||k_0$| as the key state, where each |$k_i$| is a 16-bit word. The round key |$RK = U||V = u_{s-1}\dots u_0||v_{s-1}\dots v_0$| (|$s=16,32$|) is extracted from the key state as follows. For GIFT-64, |$U$| and |$V$| are XORed into |$b_{4i+1}$| and |$b_{4i}$| of the cipher state, respectively:
$$ \begin{eqnarray*} &U \leftarrow k_1, V \leftarrow k_0,\\ &b_{4i+1} \leftarrow b_{4i+1} \oplus u_i, b_{4i} \leftarrow b_{4i} \oplus v_i, \forall i\in\{0,\cdots,15\}. \end{eqnarray*} $$
For GIFT-128, |$U$| and |$V$| are XORed into |$b_{4i+2}$| and |$b_{4i+1}$| of the cipher state, respectively:
$$ \begin{eqnarray*} &U \leftarrow k_5||k_4, V \leftarrow k_1||k_0,\\ &b_{4i+2} \leftarrow b_{4i+2} \oplus u_i, b_{4i+1} \leftarrow b_{4i+1} \oplus v_i, \forall i\in\{0,\cdots,31\}. \end{eqnarray*} $$
Note that the round key is extracted from the key state before the key state is updated. For both versions the key state is then updated as
$$ \begin{eqnarray*} &k_7||k_6||k_5||k_4||k_3||k_2||k_1||k_0 \leftarrow k_1 \ggg 2\,||\,k_0 \ggg 12\,||\,k_7||k_6||k_5||k_4||k_3||k_2, \end{eqnarray*} $$
where |$\ggg r$| denotes a right rotation by |$r$| positions within a 16-bit word. Finally, a single bit "1" and the 6-bit round constant |$C=c_5c_4c_3c_2c_1c_0$| are XORed into the cipher state: the bit "1" at position |$n-1$| and |$c_5,c_4,c_3,c_2,c_1,c_0$| at positions 23, 19, 15, 11, 7 and 3, respectively. The constant of each round is listed in Table 4.

Table 4. The round constants used in each round of GIFT (hexadecimal)
Rounds 1–16:  01, 03, 07, 0F, 1F, 3E, 3D, 3B, 37, 2F, 1E, 3C, 39, 33, 27, 0E
Rounds 17–32: 1D, 3A, 35, 2B, 16, 2C, 18, 30, 21, 02, 05, 0B, 17, 2E, 1C, 38
Rounds 33–48: 31, 23, 06, 0D, 1B, 36, 2D, 1A, 34, 29, 12, 24, 08, 11, 22, 04

3.2. Related-key rectangle distinguisher of 19-round GIFT-64

In this section, we search for rectangle distinguishers of GIFT-64 by solving an MILP model. The model consists of two sub-models, referred to as the outer-MILP and the inner-MILP. In the outer-MILP stage the objective function is to minimize the number of active S-boxes. Once a truncated differential path has been found, the positions of its active S-boxes are passed to the next stage as constraints. In the inner-MILP stage we search for the best (or a good) differential characteristic on the upper path and on the lower path independently.

Merging the ladder switch into the outer-MILP model. The goal is to find a rectangle distinguisher over |$R_1+R_2$| rounds. We construct MILP models covering round 1 to round |$R_1+1$| and round |$R_1$| to round |$R_1+R_2$|, respectively, so that the two models overlap in rounds |$R_1$| and |$R_1+1$|.
Suppose that the binary variables |$a_\omega$| represent the active S-boxes in the first |$R_1+1$| rounds and |$b_\nu$| the active S-boxes in the last |$R_2+1$| rounds, where |$\omega \in \{0, \dots , 16\cdot R_1+15\}$| and |$\nu \in \{0,\dots , 16\cdot R_2+15\}$|. Let the binary variables |$l_0,\dots ,l_{31}$| denote the active S-boxes of the middle two rounds, i.e. the overlap between the first |$R_1+1$| rounds and the last |$R_2+1$| rounds, and impose, for |$0 \le i \le 15$|,
$$ \begin{eqnarray*} \left. \begin{array}{rr} a_{16\cdot(R_1-1)+i}-l_i\ge 0, &b_i-l_i\ge 0,\\ a_{16\cdot R_1+i}-l_{16+i}\ge 0,&-a_{16\cdot(R_1-1)+i}-b_i+l_i\ge -1,\\ b_{16+i}-l_{16+i}\ge 0,&-a_{16\cdot R_1+i}-b_{16+i}+l_{16+i}\ge -1.\\ \end{array} \right. \end{eqnarray*} $$
These inequalities enforce |$l_i=1$| if and only if both |$a_{16\cdot (R_1-1)+i}$| and |$b_i$| equal 1, and |$l_i=0$| otherwise; likewise |$l_{16+i}=1$| if and only if both |$a_{16\cdot R_1+i}$| and |$b_{16+i}$| equal 1. The number of active S-boxes of the entire distinguisher is then the sum over the first |$R_1-1$| rounds, the middle two rounds (where, because of the ladder switch, only S-boxes that are active in both the upper and the lower path are counted, through the |$l_i$|) and the last |$R_2-1$| rounds. Thus the objective function to be minimized becomes
$$ \begin{eqnarray*} \left. \begin{array}{rr} \sum\limits_{i=0}^{16\cdot (R_1-1)-1} a_i+\sum\limits_{i=0}^{31} l_i+\sum\limits_{i=32}^{16\cdot R_2+15}b_i. \end{array} \right. \end{eqnarray*} $$
Construct an inner-MILP model. In this section, we study how to model the differential behaviour of an S-box without losing its differential probability information. The outer-MILP stage tells us which S-boxes are active; in the inner-MILP stage we have to account for the probability of those active S-boxes. Note that the differential distribution table (DDT) of the GIFT S-box contains only four distinct non-zero entries.
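To make the overlap modelling concrete, the following added example (not code from the paper) writes out the inequalities above for |$R_1=10$| as data and checks by enumeration that they force |$l_i=1$| exactly when both overlapping indicator variables are 1. The variable names a_w, b_v and l_i follow the text; no MILP solver is invoked, the constraint and objective lists are only built so they can be handed to any MILP front end.

```python
# Added example (not from the paper): the overlap ("ladder switch") constraints
# of the outer-MILP model, built as data and checked by enumeration.
# Variable names follow the text: a_w for the first R_1+1 rounds, b_v for the
# last R_2+1 rounds, l_0..l_31 for the two overlapping rounds. A constraint is
# a pair (coefficients, rhs) meaning sum(coef * var) >= rhs; no solver is
# called here, the lists can be fed to any MILP front end.
from itertools import product

def overlap_constraints(R1):
    """The 6 inequalities per S-box position i (96 in total) that tie l_i and
    l_{16+i} to the two pairs of overlapping indicator variables."""
    cons = []
    for i in range(16):
        for a, b, l in ((f"a_{16*(R1-1)+i}", f"b_{i}", f"l_{i}"),
                        (f"a_{16*R1+i}", f"b_{16+i}", f"l_{16+i}")):
            cons.append(({a: 1, l: -1}, 0))          # a - l >= 0
            cons.append(({b: 1, l: -1}, 0))          # b - l >= 0
            cons.append(({a: -1, b: -1, l: 1}, -1))  # -a - b + l >= -1
    return cons

def objective_variables(R1, R2):
    """Variables whose sum is minimised: S-boxes of rounds 1..R_1-1 (a),
    the overlap indicators (l) and S-boxes of rounds R_1+2..R_1+R_2 (b_32 on)."""
    return ([f"a_{i}" for i in range(16 * (R1 - 1))]
            + [f"l_{i}" for i in range(32)]
            + [f"b_{i}" for i in range(32, 16 * R2 + 16)])

def feasible(cons, assignment):
    """True when every inequality holds for the given 0/1 assignment."""
    return all(sum(c * assignment[v] for v, c in coef.items()) >= rhs
               for coef, rhs in cons)

def linearisation_is_and(R1=10):
    """Check over all 0/1 values of (a, b, l) that the three inequalities for
    position i = 0 are satisfiable exactly when l == a AND b."""
    triple = overlap_constraints(R1)[:3]
    names = (f"a_{16*(R1-1)}", "b_0", "l_0")
    for a, b, l in product((0, 1), repeat=3):
        if feasible(triple, dict(zip(names, (a, b, l)))) != (l == (a & b)):
            return False
    return True

if __name__ == "__main__":
    # R_1 = 10, R_2 = 9 gives the 19-round distinguisher of this section.
    print(len(overlap_constraints(10)), "overlap constraints")
    print(len(objective_variables(10, 9)), "objective variables (16 per round)")
    print("linearisation encodes AND:", linearisation_is_and())
```

With |$R_1=10$| and |$R_2=9$| the objective contains |$16\cdot 19$| variables, one per S-box of the 19 rounds, which confirms that the two overlapping rounds are counted exactly once.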
For every possible differential pattern |$(x_0, x_1, x_2, x_3) \to (y_0, y_1, y_2, y_3)$| we use three extra bits |$(z_2, z_1, z_0)$| to encode its probability. The differential pattern together with its probability information is therefore the vector |$(x_0, x_1, x_2, x_3, y_0, y_1, y_2, y_3, z_2, z_1, z_0) \in \mathbb {F}_2^{11}$|, which satisfies Eq. (6). Hence the probability of the differential pattern |$(x_0, x_1, x_2, x_3) \to (y_0, y_1, y_2, y_3)$| is |$2^{-(3 z_0+2 z_1+1.415 z_2)}$|, and the objective function of the inner model is to minimize |$\sum (3\times z_0+2\times z_1+1.415 \times z_2)$| over all active S-boxes.
$$\begin{equation} \left \{ \begin{aligned} (z_2,\, z_1,\, z_0)= (0,\, 0,\, 0), \ {\textrm{if Pr}}_S[(x_0,\, x_1,\, x_2,\, x_3)\to (y_0,\, y_1,\, y_2,\, y_3)]=\tfrac{16}{16}=2^{-0}\\ (z_2,\, z_1,\, z_0)= (0,\, 0,\, 1), \ {\textrm{if Pr}}_S[(x_0,\, x_1,\, x_2,\, x_3)\to (y_0,\, y_1,\, y_2,\, y_3)]=\tfrac{2}{16}=2^{-3}\\ (z_2,\, z_1,\, z_0)= (0,\, 1,\, 0), \ {\textrm{if Pr}}_S[(x_0,\, x_1,\, x_2,\, x_3)\to (y_0,\, y_1,\, y_2,\, y_3)]=\tfrac{4}{16}=2^{-2}\\ (z_2,\, z_1,\, z_0)= (1,\, 0,\, 0), \ {\textrm{if Pr}}_S[(x_0,\, x_1,\, x_2,\, x_3)\to (y_0,\, y_1,\, y_2,\, y_3)]=\tfrac{6}{16}=2^{-1.415}\\ \end{aligned} \right. \end{equation}$$ (6)
We implemented the method of this section to search for related-key rectangle distinguishers. The upper differential path for |$E_0$| and the lower differential path for |$E_1$| are
$$ \begin{equation*} \begin{aligned} \alpha = 000000a000006000_x \ \xrightarrow{11r} \ \beta = 00a2000080200044_x,\\ \gamma = 00000e0300000073_x \ \xrightarrow{10r} \ \delta = 0000000100000000_x \end{aligned} \end{equation*} $$
under the key differences |$\Delta _1$| and |$\Delta _2$|, respectively, which are given in Table 6.
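As an added example (not code from the paper), the following Python checks the material of Sections 3.1 and 3.2 against Tables 4, 5 and 6: it generates the round constants with the 6-bit LFSR of the GIFT specification (the LFSR itself is not printed on this page), runs the key schedule of Section 3.1 on |$\Delta_1$|, builds the DDT of the GIFT S-box together with the |$(z_2,z_1,z_0)$| weights of Eq. (6), and recomputes per-round probabilities of Table 5 from the S-box output differences that PermBits must send onto the positions where the round-key difference is injected. The S-box values are taken from the GIFT specification (Table 2 is not reproduced on this page). Three conventions are inferred from the tables rather than stated by the paper, and are marked as assumptions in the code: Table 5 differences list |$w_{15}$| first; the columns |$\Delta k_i$| and |$\Delta k_{i+1}$| are the round-key words |$V$| and |$U$| of that round; and the |$\Delta_1$| string of Table 6 is read with |$k_0$| as the leftmost word, with the distinguisher starting at cipher round 3 (after the two rounds of |$E_b$|).

```python
# Added example, not code from the paper: GIFT-64 round constants, key
# schedule, S-box DDT with the Eq. (6) weights, and a one-round probability
# check, tested against Tables 4, 5 and 6 of this paper.
# Assumptions inferred from the tables (not stated on the page):
#  - a difference "0000 00a0 0000 6000" lists nibbles w_15 ... w_0, nibble w_i
#    occupying bits 4i..4i+3 of a 64-bit integer (bit i = b_i);
#  - the Table 5 columns Delta k_i / Delta k_{i+1} are the 16-bit round-key
#    words V (XORed into b_{4i}) and U (XORed into b_{4i+1}) of that round;
#  - the Delta_1 string of Table 6 lists k_0 first, and the distinguisher's
#    round 1 is cipher round 3 (two rounds of E_b precede it).
import math

# GIFT S-box GS (from the GIFT specification; Table 2 is not on this page).
GS = [0x1, 0xa, 0x4, 0xc, 0x6, 0xf, 0x3, 0x9, 0x2, 0xd, 0xb, 0x7, 0x5, 0x0, 0x8, 0xe]

def p64(i):
    """Closed form of P_64 from Table 3: bit i moves to bit p64(i)."""
    return 4 * (i // 16) + 16 * ((3 * ((i % 16) // 4) + (i % 4)) % 4) + (i % 4)

def round_constants(n):
    """6-bit LFSR of GIFT: (c5..c0) <- (c4..c0, c5 ^ c4 ^ 1), starting from 0."""
    c, out = 0, []
    for _ in range(n):
        c = ((c << 1) & 0x3f) | (((c >> 5) ^ (c >> 4) ^ 1) & 1)
        out.append(c)
    return out

def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & 0xffff

def round_key_words(key_hex):
    """(V, U) = (k_0, k_1) of every round, then
    k_7..k_0 <- k_1>>>2 || k_0>>>12 || k_7 || k_6 || k_5 || k_4 || k_3 || k_2.
    key_hex is read as k_0 || k_1 || ... || k_7 (assumption, see above)."""
    k = [int(key_hex[4 * i:4 * i + 4], 16) for i in range(8)]
    out = []
    for _ in range(28):
        out.append((k[0], k[1]))
        k = k[2:] + [rotr16(k[0], 12), rotr16(k[1], 2)]
    return out

def ddt(sbox):
    t = [[0] * 16 for _ in range(16)]
    for x in range(16):
        for dx in range(16):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t

DDT = ddt(GS)
Z_BITS = {16: (0, 0, 0), 2: (0, 0, 1), 4: (0, 1, 0), 6: (1, 0, 0)}   # Eq. (6)

def weight(count):
    """-log2 of a DDT entry via Eq. (6): 0, 3, 2 or 1.415 for 16, 2, 4, 6."""
    z2, z1, z0 = Z_BITS[count]
    return 3 * z0 + 2 * z1 + math.log2(16 / 6) * z2

def key_diff_state(dv, du):
    """State difference injected by AddRoundKey from word differences (dV, dU)."""
    d = 0
    for i in range(16):
        d |= ((dv >> i) & 1) << (4 * i) | ((du >> i) & 1) << (4 * i + 1)
    return d

def round_weight(din, dv, du, dout):
    """Weight (-log2 probability) of one round din -> dout under key-word
    differences (dv, du), or None if the S-box layer cannot produce it."""
    need = dout ^ key_diff_state(dv, du)       # difference that must leave PermBits
    sbox_out = 0                               # undo PermBits bit by bit
    for i in range(64):
        sbox_out |= ((need >> p64(i)) & 1) << i
    w = 0.0
    for n in range(16):
        cnt = DDT[(din >> 4 * n) & 0xf][(sbox_out >> 4 * n) & 0xf]
        if cnt == 0:
            return None
        w += weight(cnt)
    return w

def diff(s):
    """Parse a Table 5 difference written as 16 hex nibbles w_15 ... w_0."""
    return int(s.replace(" ", ""), 16)

DELTA_1 = "20000000000000004000010000000000"          # Table 6

if __name__ == "__main__":
    print([hex(c) for c in round_constants(16)])                 # Table 4, rounds 1-16
    rk = round_key_words(DELTA_1)
    print([(hex(v), hex(u)) for v, u in rk[2:13]])               # Table 5, rows 1r-11r
    v, u = rk[2]
    print(round_weight(diff("0000 00a0 0000 6000"), v, u, 0))     # row 1r: 4.0, i.e. 2^-4
```

Running it reproduces the 48 constants of Table 4, the eleven |$(\Delta k_i,\Delta k_{i+1})$| pairs of the upper path of Table 5 from |$\Delta_1$| alone, and the weights 4, 3 and 2 of rows 1r, 4r and 5r: in row 1r the two active nibbles |$w_9=a$| and |$w_3=6$| must output 1 and 2, the only values that PermBits maps onto the two bits cancelled by the round-key difference, and each of these transitions has DDT entry 4.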
A distinguisher of 19-round GIFT-64 with probability |$2^{-50}\times 2^{-64}=2^{-118}$| is displayed in Table 5. The upper path (rounds |$1r$| to |$11r$|) has probability |$2^{-4}\cdot 2^{-3}\cdot 2^{-2}\cdot 2^{-3}\cdot 2^{-2}=2^{-14}$|, i.e. |$\hat{p}^2=2^{-28}$|, and the lower path (rounds |$10r$| to |$19r$|) has probability |$2^{-2}\cdot 2^{-3}\cdot 2^{-3}\cdot 2^{-3}=2^{-11}$|, i.e. |$\hat{q}^2=2^{-22}$|; rounds |$10r$| and |$11r$| are the two switching rounds and are covered by the ladder switch with probability 1.

Table 5. Differential paths of 19-round GIFT-64. The difference in row |$r$| is the input difference of round |$r$|, written as nibbles |$w_{15}\dots w_0$| in hexadecimal; |$\Delta k_i$| and |$\Delta k_{i+1}$| are the differences of the two 16-bit round-key words |$V$| and |$U$| of that round, written as four hexadecimal nibbles.

Round | Difference | |$\Delta k_i$| | |$\Delta k_{i+1}$| | Probability
Upper path (|$E_0$|):
|$1r$|  0000 00a0 0000 6000  (4, 0, 0, 0)  (0, 1, 0, 0)  |$2^{-4}$|
|$2r$|  0000 0000 0000 0000  (0, 0, 0, 0)  (0, 0, 0, 0)  |$1$|
|$3r$|  0000 0000 0000 0000  (0, 0, 0, 2)  (0, 0, 0, 0)  |$1$|
|$4r$|  0000 0000 0000 0010  (0, 0, 0, 0)  (0, 0, 0, 0)  |$2^{-3}$|
|$5r$|  0000 0008 0000 0000  (0, 0, 0, 4)  (0, 0, 4, 0)  |$2^{-2}$|
|$6r$|  0000 0000 0000 0000  (0, 0, 0, 0)  (0, 0, 0, 0)  |$1$|
|$7r$|  0000 0000 0000 0000  (0, 0, 2, 0)  (0, 0, 0, 0)  |$1$|
|$8r$|  0000 0000 0010 0000  (0, 0, 0, 0)  (0, 0, 0, 0)  |$2^{-3}$|
|$9r$|  0000 0080 0000 0000  (0, 0, 4, 0)  (0, 0, 1, 0)  |$2^{-2}$|
|$10r$| 0100 0000 0102 0200  (0, 0, 0, 0)  (0, 0, 0, 0)  |$1^*$|
|$11r$| 00a2 0000 8020 0044  (0, 2, 0, 0)  (0, 0, 0, 0)  |$1^*$|
Lower path (|$E_1$|):
|$10r$| 0000 0e03 0000 0073  (0, 0, 0, 1)  (0, 0, 0, 0)  |$1^*$|
|$11r$| 0000 050c 0a00 0000  (0, 2, 0, 0)  (0, 0, 0, 0)  |$1^*$|
|$12r$| 0a00 0000 0000 0000  (0, 8, 0, 0)  (0, 0, 0, 0)  |$2^{-2}$|
|$13r$| 0000 0000 0000 0000  (0, 0, 0, 0)  (0, 0, 0, 0)  |$1$|
|$14r$| 0000 0000 0000 0000  (0, 0, 1, 0)  (0, 0, 0, 0)  |$1$|
|$15r$| 0000 0000 0001 0000  (2, 0, 0, 0)  (0, 0, 0, 0)  |$2^{-3}$|
|$16r$| 0090 0000 0000 0000  (8, 0, 0, 0)  (0, 0, 0, 0)  |$2^{-3}$|
|$17r$| 0000 0000 0000 0000  (0, 0, 0, 0)  (0, 0, 0, 0)  |$1$|
|$18r$| 0000 0000 0000 0000  (0, 1, 0, 0)  (0, 0, 0, 0)  |$1$|
|$19r$| 0000 0001 0000 0000  (0, 0, 2, 0)  (0, 0, 0, 0)  |$2^{-3}$|
|$1^*$| denotes the probability of the rounds that are evaluated with the ladder switch.

Table 6. Master key differences for the distinguishers of GIFT-64
|$\Delta _1$| = |$0x20000000000000004000010000000000$|
|$\Delta _2$| = |$0x00000000010000000002000000080000$|

3.3. Key recovery attack against 23-round GIFT-64

In Table 7 we describe an attack on 23-round GIFT-64 using the 19-round related-key rectangle distinguisher. We extend the distinguisher by two rounds in the backward direction and two rounds in the forward direction, so that the cipher is divided into four parts: |$E=E_f\circ E_1\circ E_0\circ E_b$|.
Four related keys are involved: |$K_1$|, |$K_2=K_1\oplus \Delta _1$|, |$K_3=K_1 \oplus \Delta _2$| and |$K_4=K_1 \oplus \Delta _1 \oplus \Delta _2$|, where |$\Delta _1$| and |$\Delta _2$| are given in Table 6. To describe the attack concretely we use the following notation:
|$\Delta P$|: the difference in the plaintext;
|$\Delta X_S^i$|: the output difference of the |$i$|-th round's S-box layer;
|$\Delta X_P^i$|: the output difference of the |$i$|-th round's permutation;
|$\Delta X_K^i$|: the output difference of the |$i$|-th round's AddRoundKey;
"?": an unknown difference;
|$U_b$|: the set of plaintext differences that may cause the difference |$\alpha$| after |$E_b$| under the key difference |$\Delta_1$|;
|$U_f$|: the set of ciphertext differences that may cause the difference |$\delta$| before |$E_f$| under the key difference |$\Delta_2$|;
|$k_j$|: the 16-bit words of the master key |$K = k_7||k_6||\dots||k_0$|;
|$k_j^i$|: the |$i$|-th bit of |$k_j$|, where |$j = 0, 1, \dots, 7$|.
According to Table 7, the input difference of the first round and the output difference of the last round are (bit-level, |$b_{63}$| first, in groups of four bits)
|$\Delta P$| = ???? ???? ???? ???? 11?? ???? ???? ???? ???? ???? ???? ???? 0000 0000 0000 0000,
|$\Delta X_K^{23}$| = ??00 0?00 0?00 0?00 0??0 00?0 00?0 00?0 00?? 000? 000? 000? ?00? ?000 ?000 ?000.
We can enumerate the plaintext differences that can lead to the difference |$\alpha $| through |$E_b$|: each S-box output difference is compatible with only a subset of input differences according to the DDT, and in total |$2^{41.1}$| plaintext differences can lead to |$\alpha $| through |$E_b$|.
Thus the number of plaintext differences in |$U_b$| is |$|U_b|=2^{41.1}$|. Similarly, the number of ciphertext differences in |$U_f$| is |$|U_f|=2^{13.5}$|.

Table 7. Related-key rectangle attack on 23-round GIFT-64 (bit-level differences, |$b_{63}$| first, in groups of four bits)
|$\Delta P$|        ???? ???? ???? ???? 11?? ???? ???? ???? ???? ???? ???? ???? 0000 0000 0000 0000
|$\Delta X_S^1$|    000? ?000 0?00 00?0 0100 00?0 000? 1000 0?0? ?0?0 0?0? ?0?0 0000 0000 0000 0000
|$\Delta X_P^1$|    0000 11?? ???? 0000 0000 0000 0000 0000 ???? 0000 ???? 0000 0000 0000 0000 0000
|$\Delta X_K^1$|    0000 11?? ???? 0000 0000 0000 0000 0000 ???? 0000 ???? 0000 0000 0000 0000 0000
|$\Delta X_S^2$|    0000 0100 0010 0000 0000 0000 0000 0000 0010 0000 1000 0000 0000 0000 0000 0000
|$\Delta X_P^2$|    0000 0000 0000 0000 0000 0000 1010 0000 0000 0000 0000 0000 0110 0000 0000 0000
|$\Delta X_K^2$|    0000 0000 0000 0000 0000 0000 1010 0000 0000 0000 0000 0000 0110 0000 0000 0000
|$\vdots $|         Distinguisher of 19-round GIFT-64
|$\Delta X_K^{21}$| 0000 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
|$\Delta X_S^{22}$| 0000 ??11 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
|$\Delta X_P^{22}$| 0010 0000 0000 0000 0001 0000 0000 0000 ?000 0000 0000 0000 0?00 0000 0000 0000
|$\Delta X_K^{22}$| 0010 0000 0000 0001 0001 0000 0000 0000 ?000 0000 0000 0000 0?00 0000 0000 0000
|$\Delta X_S^{23}$| ???? 0000 0000 ???? ???? 0000 0000 0000 ???? 0000 0000 0000 ???? 0000 0000 0000
|$\Delta X_P^{23}$| ??00 0?00 0?00 0?00 0??0 00?0 00?0 00?0 00?? 000? 000? 000? ?00? ?000 ?000 ?000
|$\Delta X_K^{23}$| ??00 0?00 0?00 0?00 0??0 00?0 00?0 00?0 00?? 000? 000? 000? ?00? ?000 ?000 ?000

The key recovery algorithm proceeds as follows.

Step 1. Create |$y = 2^{12}$| structures of |$2^{46}$| plaintexts each and encrypt these plaintexts under the keys |$K_1$| and |$K_2$|. Let |$L_1$| = {|$L_1^1, L_1^2, \dots , L_1^y$|} and |$L_2$| = {|$L_2^1, L_2^2, \dots , L_2^y$|} denote the structures of ciphertexts under |$K_1$| and |$K_2$|. Similarly, create |$2^{12}$| structures of |$2^{46}$| plaintexts each and encrypt them under the keys |$K_3$| and |$K_4$|; let |$L_3$| = {|$L_3^1, L_3^2, \dots , L_3^y$|} and |$L_4$| = {|$L_4^1, L_4^2, \dots , L_4^y$|} denote the structures of ciphertexts under |$K_3$| and |$K_4$|. Step 1 takes |$D=4\times 2^{12} \times 2^{46}=2^{60}$| chosen plaintexts and |$2^{60}$| encryptions.

Step 2. Initialize |$2^{33}$| counters, one for each guess of the subkey bits in |$set_{guesskey}$| = {|$\,k_0^5, k_0^7, k_0^{13}, k_0^{14}, k_1^5, k_1^7, k_1^{13}, k_1^{14}, k_2^3, k_2^7, k_2^8, k_2^9, k_2^{11},\, k_2^3,\, k_3^3, k_3^5, k_3^6, k_3^9, k_4^{0}, k_4^{1}, k_4^{2}, k_4^{3}, k_4^{4}, k_4^{5}, k_4^{6}, k_4^{7}, k_4^{15}, k_5^{0}, k_5^{1}, k_5^{2}, k_5^{3}, k_5^{4}, k_5^{5}, k_5^{13}, k_5^{14}, k_5^{15}$|}. Step 2 requires |$2^{33}$| memory accesses.

Step 3. Insert the |$2^{58}$| ciphertexts of |$L_1$| into a hash table |$H_1$| indexed by the |$64-20=44$| ciphertext bits that are 0 in |$\Delta X_K^{23}$|. For each ciphertext in |$L_3$|, look up the colliding ciphertexts in |$H_1$| (one ciphertext from |$L_3$|, the other from |$L_1$|); every such pair agrees on the 44 bits, and it is kept only if its difference lies in |$U_f$|. Do the same for |$L_2$| and |$L_4$|. Step 3 takes about |$4\times 2^{58}+2\times (2^{12} \times 2^{46})^2 \times 2^{-44}\approx 2^{73}$| memory accesses. Since there are |$2^{13.5}$| differences in |$U_f$|, about |$2\times (2^{12} \times 2^{46})^2 \times 2^{13.5-64}\approx 2^{66.5}$| colliding pairs remain.

Step 4. For each colliding pair |$(C_1, C_3) \in L_1\times L_3$| obtained in Step 3, denote the structure of |$C_i$| by |$S_{C_i}$|, attach to |$C_1$| the index of |$S_{C_3}$| (we say that |$C_1$| is related to |$C_3$|) and vice versa. Similarly, for each colliding pair |$(C_2, C_4) \in L_2\times L_4$|, attach to |$C_2$| the index of |$S_{C_4}$|. Step 4 takes one memory access per remaining colliding pair, i.e. |$2^{66.5}$| memory accesses.

Step 5. In each pair of structures under |$K_1$| and |$K_2$|, search for a ciphertext pair |$(C_1, C_2)\in L_1^i\times L_2^i$| (|$i=1,2,\dots ,y$|) that is related to a ciphertext pair |$(C_3, C_4) \in L_3^j\times L_4^j$| (|$j=1,2,\dots ,y$|) of some other structure pair, that is, |$C_1$| is related to |$C_3$| and |$C_2$| is related to |$C_4$|. For each such quartet, check that the plaintext difference |$P_1\oplus P_2$| lies in |$U_b$| and that the difference of the plaintexts corresponding to |$C_3$| and |$C_4$| lies in |$U_b$| as well. Step 5 yields |$(2^{65.5}/2^{12})^2\approx 2^{107}$| candidate quartets |$(C_1, C_2, C_3, C_4)$|; after this filtering about |$2^{107}\times 2^{(41.1-46)\times 2}\approx 2^{97.2}$| quartets remain. In total, Step 5 takes about |$2^{107}+2^{107}\times 2^{41.1-46}\approx 2^{107}$| memory accesses.

Step 6. For every quartet obtained in Step 5, denote its plaintexts by |$(P_1, P_2, P_3, P_4)$| and the corresponding ciphertexts by |$(C_1, C_2, C_3, C_4)$| under |$(K_1, K_2, K_3, K_4)$|. Add one to the counter of a subkey guess if
$$ \begin{equation*} \begin{aligned} &E_b^{K_1}(P_1)\oplus E_b^{K_2}(P_2)=E_b^{K_3}(P_3)\oplus E_b^{K_4}(P_4) = \alpha \end{aligned} \end{equation*} $$
and
$$ \begin{equation*} \begin{aligned} &(E_f^{K_1})^{-1}(C_1)\oplus (E_f^{K_3})^{-1}(C_3)=(E_f^{K_2})^{-1}(C_2)\oplus (E_f^{K_4})^{-1}(C_4) = \delta.\end{aligned} \end{equation*} $$
Output the subkey guess with the maximal counter, and recover the remaining key bits by exhaustive search. Step 6 takes about |$2\times 2^{97.2}\times (2^{10-41.1}+2^{13-13.5})\approx 2^{97.7}$| memory accesses. For the right key there are 4 hits, while a wrong key receives |$2^{-12}$| hits on average.

Overall, the complexities of this attack are as follows. The data complexity is |$2^{60}$| chosen plaintexts, the time complexity is about |$2^{107}$| memory accesses and the memory complexity is |$2^{60}$| bytes. In general, we apply the ladder switch technique at the switching point in the middle of the distinguisher to obtain a distinguisher with higher probability.
As is known, BCT-based analysis only takes effect when there are S-boxes in the middle rounds that are active in both paths. In this distinguisher, however, no S-box of the middle two rounds is active in both the upper and the lower path, so the distinguisher can be found without using the BCT. The same holds for the analyses in Sections 4 and 5.

4. Related-key Rectangle Attack against 17-round Khudra

4.1. Specification

Khudra [31] is a block cipher with a 64-bit block size and an 80-bit key. The master key is |$K=k_0||k_1||k_2||k_3||k_4$|, where each |$k_i$| is a 16-bit word. The 16-bit round keys |$rk_i$| (|$i\in \{0,1,\dots ,35\}$|) and the 16-bit whitening keys |$WK_i$| (|$i\in \{0,1,2,3\}$|) are all derived from the master key |$K$| as follows:
$$ \begin{eqnarray*} &WK_0=k_0,WK_1=k_1,WK_2=k_3,WK_3=k_4,\\[-2pt] &rk_i=k_{i\ mod\ 5}\oplus RC_i, i \in \{0,1,\dots,35\}. \end{eqnarray*} $$
The round constants |$RC_i$| can be ignored here, since we are only interested in the differences between round keys. Khudra is a generalized Feistel network with four 16-bit branches that encrypts a 64-bit plaintext block in 18 rounds under the 80-bit key. For the plaintext |$P=P_1||P_2||P_3||P_4$|, the input of the first round is |$X_0= (P_{1} \oplus WK_0)||P_{2}||(P_{3}\oplus WK_1 )||P_{4}$|, and |$X_0$| is then processed by the round function. The input of the |$i$|-th round is denoted |$X_{i-1}$|. In each round, the output of an F-function is XORed with the adjacent branch and with a round key, after which the branches pass through the Feistel permutation. Finally, the ciphertext is |$C = X_{18,0}||(X_{18,1} \oplus WK_2)||X_{18,2}||(X_{18,3} \oplus WK_3)$|, where |$X_{18}= X_{18,0}||X_{18,1}||X_{18,2}||X_{18,3}$| is the output of the 18th round. The encryption process and the F-function are shown in Fig. 4. In each round, the F-function on the left is called the first F-function and the F-function on the right the second F-function.
The S-box of Khudra is the same as that of PRESENT [40] and is given in Table 8.

FIGURE 4. The outline of Khudra.

4.2. Related-key rectangle distinguisher of 14-round Khudra

Observation 1. The maximum differential probability of the F-function is |$2^{-9.475}$|, i.e. |$Pr_{max}=2^{-9.475}$|. Let |$i$| denote the input difference of the F-function and |$o$| the corresponding output difference. Exactly four difference pairs |$(i, o)$| hold with probability |$Pr_{max}$|, namely |$(i, o) \in \{(0001_{x}, 0001_{x}), (0010_x, 0010_x), (0100_x, 0100_x), (1000_x, 1000_x)\}$|.

We construct a 14-round related-key rectangle distinguisher. It consists of an upper path of six rounds and a lower path of seven rounds, joined by the switching round (round 7 in Table 9) whose probability is covered by the ladder switch. The upper differential path for |$E_0$| and the lower differential path for |$E_1$| are
$$ \begin{equation*} \begin{aligned} \alpha = (0, 0, 0, a) \ \xrightarrow{\Delta K_{1,2}=(0,\ a,\ 0,\ 0,\ b)} \ \beta = (0, a, F(a), 0),\\[-4pt] \gamma = (a, a, 0, b) \ \xrightarrow{\Delta K_{1,3}=(0,\ b,\ 0,\ a,\ 0)} \ \delta = (0, a, a, 0). \end{aligned} \end{equation*} $$
According to Observation 1, to obtain the maximum differential probability of the F-function its input difference |$i$| has to be chosen from |$\{0001_x,\ 0010_x,\ 0100_x,\ 1000_x\}$|. In this distinguisher we take |$a = 0001_x$| and |$b = 0001_x$|, so every active F-function has the maximum differential probability. We then apply the ladder switch to decrease the number of active S-boxes in the middle round. Nibble 11 is active only in |$E_0$|, so the switch can be placed after the S-box layer: since this nibble is not active in the first round of |$E_1$|, round 7 is gained for free with probability 1 and its probability does not have to be counted.
So the probability of a right quartet is |$2^{-n}\hat {p}^2\hat {q}^2=2^{-64}\cdot 2^{-18.95}\cdot 2^{-37.9}=2^{-120.85}$|, where |$\hat {p}=\sqrt {(2^{-9.475})^2}=2^{-9.475}$| (one active F-function in the upper path, in round 4) and |$\hat {q}=\sqrt {(2^{-9.475})^2\times (2^{-9.475})^2}=2^{-18.95}$| (two active F-functions in the lower path, in rounds 11 and 14). The upper 6-round and lower 7-round paths are displayed in Table 9.

Table 8. Specification of the Khudra S-box (identical to the PRESENT S-box)
|$x$|:    0 1 2 3 4 5 6 7 8 9 a b c d e f
|$S(x)$|: c 5 6 b 9 0 a d 3 e f 8 4 7 1 2

Table 9. Differential paths of the 14-round Khudra distinguisher
Round | Difference | Subkey difference | Probability
Upper path (|$E_0$|):
0   (0, 0, 0, a)   (0, a)
1   (0, 0, 0, 0)   (0, 0)   |$1$|
2   (0, 0, 0, 0)   (b, 0)   |$1$|
3   (b, 0, 0, 0)   (a, 0)   |$1$|
4   (0, 0, 0, b)   (0, b)   |$2^{-9.475}$|
5   (0, 0, 0, 0)   (0, a)   |$1$|
6   (0, 0, a, 0)   (0, 0)   |$1$|
7   (0, a, *, 0)   (b, 0)   |$1^*$|
Lower path (|$E_1$|):
6   (a, a, 0, b)   (0, b)
7   (0, 0, 0, a)   (0, a)   |$1^*$|
8   (0, 0, 0, 0)   (0, 0)   |$1$|
9   (0, 0, 0, 0)   (b, 0)   |$1$|
10  (b, 0, 0, 0)   (a, 0)   |$1$|
11  (0, 0, 0, b)   (0, b)   |$2^{-9.475}$|
12  (0, 0, 0, 0)   (0, a)   |$1$|
13  (0, 0, a, 0)   (0, 0)   |$1$|
14  (0, a, a, 0)   (b, 0)   |$2^{-9.475}$|
|$1^*$| denotes the probability of the rounds that are evaluated with the boomerang (ladder) switch; * denotes the unspecified output difference of the F-function.

4.3. Key recovery attack against 17-round Khudra

In this section, we present the key recovery attack on 17-round Khudra. Four related keys are involved: |$K_1$|, |$K_2=K_1\oplus \Delta _1$|, |$K_3=K_1 \oplus \Delta _2$| and |$K_4=K_1 \oplus \Delta _1 \oplus \Delta _2$|, where |$\Delta _1$| = (0, 1, 0, 1, 0) and |$\Delta _2$| = (1, 0, 0, 1, 0) are given as differences of the five 16-bit key words. We add one round before the distinguisher and two rounds after it.
The cipher is thus divided into four parts, |$E=E_f\circ E_1\circ E_0\circ E_b$|, where |$E_b$| is the round before the distinguisher and |$E_f$| the two rounds after it. The related-key rectangle attack on 17-round Khudra is shown in Fig. 5. We have $$ \begin{equation*} \begin{aligned} (1, \delta_1, 1, 1) \ \xrightarrow{17r} \ (1, \delta_2, z, 1), \end{aligned} \end{equation*} $$ where |$z$| is an unknown difference and |$\delta _1$|, |$\delta _2$| lie in the set of output differences of the F-function for input difference |$0001_x$|, defined as $$ \begin{equation*} \begin{aligned} {\rm Set_{1}} = \{F(x_1)\oplus F(x_2)\ |\ x_1\oplus x_2=0001_x,\ x_1,\,x_2\in \mathbb{F}^{16}_2\}. \end{aligned} \end{equation*} $$ |$\rm Set_1$| contains 17984 (|$\approx 2^{14.13}$|) output differences, so a random 16-bit difference lies in |$\rm Set_1$| with probability |$\frac {17984}{2^{16}}\approx 2^{-1.87}$|. First we define structures of plaintext pairs: $$ \begin{equation*} \begin{aligned} {\rm Set_{ab}}=\{(P_a,\ P_b)\ |\ P_a=(a_0,\ x,\ a_1,\ a_2),\\ P_b=(a_0\oplus 1,\ y,\ a_1\oplus 1,\ a_2\oplus 1)\},\\ {\rm Set_{cd}}=\{(P_c,\ P_d)\ |\ P_c=(c_0,\ x,\ c_1,\ c_2),\\ P_d=(c_0\oplus 1,\ y,\ c_1\oplus 1,\ c_2\oplus 1)\}, \end{aligned} \end{equation*} $$ where |$a_0, a_1, a_2, c_0, c_1$| and |$c_2$| are fixed 16-bit words and |$x$| and |$y$| run over all |$2^{16}$| values. Each structure therefore contains |$2^{17}$| plaintexts and |$2^{32}$| plaintext pairs. Only the pairs whose difference can possibly lead to difference |$\alpha$| through |$E_b$| are useful, so a structure contains |$2^{32}\times 2^{-1.87}=2^{30.13}$| pairs satisfying the input difference |$\alpha$|. The key recovery proceeds as follows.

FIGURE 5. The related-key rectangle attack on Khudra.
Step 1. Choose |$2^{44.9}$| structures of plaintext pairs in |$\rm Set_{ab}$|, encrypt |$P_a$| under |$K_1$| and |$P_b$| under |$K_2$|, and denote the resulting ciphertexts by |$C_a$| and |$C_b$|.

Step 2. Choose another |$2^{44.9}$| structures of plaintext pairs in |$\rm Set_{cd}$|, encrypt |$P_c$| under |$K_3$| and |$P_d$| under |$K_4$|, and denote the ciphertexts by |$C_c$| and |$C_d$|. In total |${(2^{44.9})}^2\times {(2^{30.13})}^2=2^{150.06}$| quartets (|$P_a, P_b, P_c, P_d$|) satisfying the input difference |$\alpha$| remain. Steps 1 and 2 require |$2\times 2^{44.9}\times 2^{17}=2^{62.9}$| encryptions.

Step 3. Guess the whitening key |$WK_0=k_0$| and partially encrypt all |$2^{62.9}$| plaintexts through the first round. Check whether the output difference of the first F-function in round 1 is |$\delta _1$|; discard the quartets for which it is not. About |$2^{150.06}\times (2^{-14.13})^2=2^{121.8}$| quartets remain. This step takes |$2^{16}\times 2^{62.9}\times \frac {1}{16}\times \frac {1}{2}=2^{73.9}$| encryptions.

Step 4. For every ciphertext quartet (|$C_a, C_b, C_c, C_d$|), check whether both |$\Delta _{ac}=C_a\oplus C_c$| and |$\Delta _{bd}=C_b\oplus C_d$| are of the form (1, |$\delta _2$|, |$z$|, 1); discard the quartet otherwise. About |$2^{121.8}\times (2^{-48})^2\times (2^{-1.87})^2=2^{22.06}$| quartets remain after this step.

Step 5. Guess the whitening key |$WK_2=k_3$| and partially decrypt the ciphertext quartets. Check whether the output difference of the second F-function in round 16 is |$\delta _2$|; discard the quartets for which it is not. About |$2^{22.06}\times (2^{-14.13})^2=2^{-6.2}$| quartets remain. This step takes |$4\times 2^{16}\times 2^{22.06}\times 2^{16}\times \frac {1}{16}\times \frac {1}{2}=2^{51.06}$| encryptions.
Step 6. Exhaustively search the remaining 32 key bits |$k_1$| and |$k_2$|, which were not guessed in the previous steps.

All in all, we expect about two quartets to remain for the right key. The data complexity of the attack is |$2^{62.9}$| chosen plaintexts and the time complexity is |$2^{62.9}+2^{73.9}+2^{51.06}\approx 2^{73.9}$| encryptions.

5. Related-key Rectangle Attack against 15-round MIBS

5.1. Specification

MIBS is a lightweight block cipher proposed by Izadi et al. [33] in 2009; we refer the reader to [33] for a detailed description. MIBS is a Feistel cipher with a 64-bit block size. It uses keys of 64 or 80 bits and iterates 32 rounds. The round function, shown in Fig. 6, has an SPN structure consisting of four stages: key addition, a non-linear substitution layer of 4 |$\times$| 4 S-boxes, a linear mixing layer and a nibble-wise linear permutation.

Table 10. Specification of the MIBS S-box

x      0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x)   4 f 3 8 d a c 0 b 5 7 e 2 6 1 9

FIGURE 6. The round function of MIBS.

Key addition. The current state |$l_{31}, l_{30}, \dots , l_0$|, which is the input to the F-function, is XORed with the round subkey |$k^i=k^i_{31}, k^i_{30}, \dots , k^i_0$|, 0 |$\le i \le$| 31: $$ \begin{eqnarray*} l_j\gets l_j\oplus k^i_j,\ j \in \{0, 1, \dots, 31\}. \end{eqnarray*} $$

Substitution layer S. After the subkey addition the block is divided into eight nibbles |$x_8, x_7, \dots , x_1$|, each of which is processed by the 4 |$\times$| 4 S-box of Table 10: $$ \begin{eqnarray*} y_i\gets S(x_i),\ i \in \{1, 2, \dots, 8\}. \end{eqnarray*} $$

Mixing layer. The linear transformation mixes the eight nibbles as follows: $$ \begin{eqnarray*} \left. \begin{array}{ll} (y^{\prime}_8,y^{\prime}_7,\dots, y^{\prime}_1)\gets (y_8,y_7,\dots, y_1),\\[3pt] y^{\prime}_8=y_2\oplus y_3 \oplus y_4 \oplus y_5 \oplus y_6 \oplus y_7,\\[3pt] y^{\prime}_7=y_1\oplus y_3 \oplus y_4 \oplus y_6 \oplus y_7 \oplus y_8,\\[3pt] y^{\prime}_6=y_1\oplus y_2 \oplus y_4 \oplus y_5 \oplus y_7 \oplus y_8, \\[3pt] y^{\prime}_5=y_1\oplus y_2 \oplus y_3 \oplus y_5 \oplus y_6 \oplus y_8, \\[3pt] y^{\prime}_4=y_1\oplus y_2 \oplus y_4 \oplus y_5 \oplus y_6,\\[3pt] y^{\prime}_3=y_1\oplus y_2 \oplus y_3 \oplus y_6 \oplus y_7,\\[3pt] y^{\prime}_2=y_2\oplus y_3 \oplus y_4 \oplus y_7 \oplus y_8,\\[3pt] y^{\prime}_1=y_1\oplus y_3 \oplus y_4 \oplus y_5 \oplus y_8. \end{array} \right. \end{eqnarray*} $$

Permutation layer. The eight nibbles output by the mixing layer are rearranged as shown in Fig. 6.

Key schedule for the 64-bit key. The key schedule generates the 32-bit round keys |$k^i$|, |$0\leq i \leq 31$|, from the user key |$K=K_{63}||K_{62}||\dots ||K_1||K_0$|. Let |$state^i$| denote the key state of the |$i$|-th round; it is updated from the state of the previous round as follows: $$ \begin{equation*} \begin{array}{ll} state^0 = \text{user-key}\\[5pt] state^i \gets state^{i-1}\ggg 15\\[5pt] state^i \gets \text{S-box}(state^i_{[63:60]})||state^i_{[59:0]}\\[6pt] state^i \gets state^i_{[63:16]}||(state^i_{[15:11]}\oplus \text{RC})||state^i_{[10:0]} \\[5pt] k^i \gets state^i_{[63:32]}, \end{array} \end{equation*} $$ where |$\ggg$| denotes rotation to the right, [|$i:j$|] denotes bit positions |$i$| down to |$j$|, RC denotes the round counter and || denotes concatenation.

Key schedule for the 80-bit key. The user key is |$K=K_{79}||K_{78}||\dots ||K_1||K_0$|, and the key state is updated each round as follows: $$ \begin{eqnarray*} \left. \begin{array}{ll} state^0 = \text{user-key}\\ state^i \gets state^{i-1}\ggg 19\\ state^i \gets \text{S-box}(state^i_{[79:76]})||{\text{S-box}}(state^i_{[75:72]})||state^i_{[71:0]}\\[2pt] state^i \gets state^i_{[79:19]}||(state^i_{[18:14]}\oplus \text{RC})||state^i_{[13:0]}\\ k^i \gets state^i_{[79:48]}. \end{array} \right. \end{eqnarray*} $$ The S-box of the key schedule is the same as the S-box of the F-function, given in Table 10.

5.2. Related-key rectangle distinguisher of 13-round MIBS-64

In this section we find a 13-round MIBS-64 distinguisher on |$E= E_1\circ E_0$|, where |$E_0$| is composed of rounds 1–8 and |$E_1$| of rounds 7–13; rounds 7 and 8 are shared and are evaluated for the boomerang switch. Since the key schedule contains a non-linear operation, we add extra constraints on the key differences to ensure that no S-box of the key schedule becomes active. From the difference distribution table of the S-box in Table 11 we have the following observation.

Observation 2. Each non-zero input difference of the S-box leads to exactly seven possible output differences.

Table 11.
Difference distribution table of the MIBS S-box (rows: input difference; columns: output difference; each entry counts the inputs x with S(x) ⊕ S(x ⊕ Δin) = Δout, so an entry of 4 is probability 2^{-2})

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0_x   16  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
1_x    0  0  0  0  2  0  0  2  2  2  0  4  2  0  2  0
2_x    0  2  0  2  0  0  0  4  0  0  2  2  2  0  0  2
3_x    0  0  2  0  0  2  2  2  0  0  0  2  4  2  0  0
4_x    0  0  0  2  0  2  2  2  2  4  0  0  0  0  0  2
5_x    0  0  2  2  2  0  0  2  0  0  0  0  0  2  4  2
6_x    0  0  2  0  0  2  0  0  4  0  2  0  2  0  2  2
7_x    0  2  2  2  4  2  0  0  0  2  0  0  2  0  0  0
8_x    0  0  0  0  2  0  2  0  0  2  2  0  2  2  0  4
9_x    0  4  0  0  2  2  0  0  2  0  0  2  0  2  0  2
a_x    0  2  0  4  0  0  2  0  2  0  0  0  2  2  2  0
b_x    0  0  2  2  2  0  2  0  2  0  4  2  0  0  0  0
c_x    0  2  2  0  0  0  4  0  0  2  0  2  0  0  2  2
d_x    0  2  4  0  0  0  0  2  2  2  2  0  0  2  0  0
e_x    0  2  0  0  2  4  2  2  0  0  2  0  0  0  2  0
f_x    0  0  0  2  0  2  0  0  0  2  2  2  0  4  2  0

The related-key differential characteristics for the sub-ciphers |$E_0$| and |$E_1$| are presented in Table 12. The upper differential path for |$E_0$| is $$ \begin{equation*} \begin{aligned} \alpha = 00000008fffb0f0f_x \ \xrightarrow{\Delta K_1} \beta = 0040044099180110_x, \end{aligned} \end{equation*} $$ where |$\Delta K_1 = 0000400000010000_x$|.
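The following script is an added example, not code from the paper or from the MIBS and Khudra designers. It computes the difference distribution table of the MIBS S-box in Table 10 (and, for comparison, of the Khudra S-box in Table 8), checks Observation 2, and implements the MIBS-64 key schedule of Section 5.1 in order to re-derive the round-subkey differences that Table 12 lists for |$\Delta K_1 = 0000400000010000_x$| (rounds 1–8) and |$\Delta K_2 = 0000200000008000_x$| (rounds 7–13), together with the first round in which the key-schedule S-box becomes active. Two assumptions are made: the round counter RC is taken to be the round index (it cancels in every XOR difference, so the subkey differences do not depend on it), and the sample key is a constructed value.

```python
"""Added example (not the paper's code): DDT of the 4x4 S-boxes in Tables 8 and 10
and the MIBS-64 key schedule of Section 5.1, used to re-derive the subkey
differences of Table 12 and the '*' nibble of Section 5.3."""
from math import log2

# S-boxes copied from Table 10 (MIBS) and Table 8 (Khudra, i.e. the PRESENT S-box).
MIBS_SBOX = [0x4, 0xF, 0x3, 0x8, 0xD, 0xA, 0xC, 0x0, 0xB, 0x5, 0x7, 0xE, 0x2, 0x6, 0x1, 0x9]
KHUDRA_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}, the table shown in Table 11."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def output_differences(sbox, din):
    """Reachable output differences for input difference din (the '*' of Section 5.3)."""
    return sorted(dout for dout, cnt in enumerate(ddt(sbox)[din]) if cnt)


def max_diff_prob_log2(sbox):
    """log2 of the best non-trivial differential probability (-2.0 means 2^-2)."""
    best = max(cnt for din, row in enumerate(ddt(sbox)) if din for cnt in row)
    return log2(best) - log2(len(sbox))


MASK64 = (1 << 64) - 1


def rotr64(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def mibs64_subkeys(key, rounds=32):
    """MIBS-64 key schedule as written in Section 5.1: rotate right by 15, S-box on the
    top nibble, XOR the round counter RC into bits [15:11], output bits [63:32].
    RC is assumed to be the round index; it cancels in every XOR difference."""
    state = key & MASK64
    subkeys = []
    for i in range(1, rounds + 1):
        state = rotr64(state, 15)
        state = (MIBS_SBOX[state >> 60] << 60) | (state & ((1 << 60) - 1))
        state ^= (i & 0x1F) << 11
        subkeys.append(state >> 32)
    return subkeys


def subkey_differences(key, master_diff, rounds=32):
    """Round-subkey differences k^i(key) ^ k^i(key ^ master_diff)."""
    a = mibs64_subkeys(key, rounds)
    b = mibs64_subkeys(key ^ master_diff, rounds)
    return [x ^ y for x, y in zip(a, b)]


def first_active_key_round(master_diff, rounds=32):
    """First round whose key-schedule S-box sees a non-zero input difference.  Before
    that round the subkey differences are linear in master_diff and key-independent,
    which is the 'no active S-box in the key schedule' condition of Section 5.2."""
    d = master_diff & MASK64
    for i in range(1, rounds + 1):
        d = rotr64(d, 15)
        if d >> 60:
            return i
    return None


def bits_31_8_and_3_0(word):
    """The 28 subkey bits [31:8] || [3:0] used in E_b, in the paper's 7-hex-digit form."""
    return ((word >> 8) << 4) | (word & 0xF)


if __name__ == "__main__":
    t = ddt(MIBS_SBOX)
    print("Observation 2 holds:", all(sum(1 for c in t[d] if c) == 7 for d in range(1, 16)))
    print("S-box output differences for 4_x:", [hex(v) for v in output_differences(MIBS_SBOX, 4)])
    key = 0x0123456789ABCDEF  # constructed sample key; the differences below do not depend on it
    for dk in (0x0000400000010000, 0x0000200000008000):   # Table 12, E_0 / E_1 key differences
        print(f"dK={dk:016x}", [f"{v:08x}" for v in subkey_differences(key, dk, 13)],
              "first active S-box round:", first_active_key_round(dk))
    for dk in (0x2000000080000000, 0x1000000040000000):   # Section 5.3, dK_0 / dK_1
        d = subkey_differences(key, dk, 15)
        print(f"dK={dk:016x} dk^1[31:8,3:0]={bits_31_8_and_3_0(d[0]):07x} dk^15={d[14]:08x}")
```

Running the script reproduces the subkey-difference column of Table 12 for any key, because the key-schedule S-box first becomes active in round 14 for both master-key differences, after the last round the distinguisher uses. Applied to the attack's master-key differences of Section 5.3 (which are the distinguisher differences rotated left by 15 bits, i.e. shifted by one key-schedule round), the same routine gives |$\Delta k^1_{0[31:8,3:0]} = 0000400_x$| and |$\Delta k^1_{1[31:8,3:0]} = 0000200_x$|, and shows that in round 15 the S-box input difference is |$4_x$| and |$2_x$| respectively, which is where the seven-valued |$*$| nibble of |$\Delta k^{15}_{[31:24]}$| comes from.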
The lower differential path for |$E_1$| is $$ \begin{equation*} \begin{aligned} \gamma = 4000b04f8bb88ab8_x \ \xrightarrow{\Delta K_2} \delta = 0200000000000400_x, \end{aligned} \end{equation*} $$ where |$\Delta K _2 = 0000200000008000_x$|. The upper path has one active S-box in round 1 and two in round 6, so |$p = 2^{-2}\times 2^{-5}=2^{-7}$|; the lower path has one active S-box in round 7 and two in round 9, so |$q = 2^{-3}\times 2^{-4}=2^{-7}$|. The switch round 7 is counted once, so the probability of a right quartet is |$2^{-64}\times (2^{-7})^2\times 2^{-3}\times (2^{-4})^2 = 2^{-64}\times 2^{-25} = 2^{-89}$|.

Table 12. Differential paths of the 13-round MIBS-64 distinguisher (1* marks rounds evaluated for the boomerang switch)

Upper path (E_0, key difference ΔK_1):
Round  Input difference       Subkey difference  Probability
1      00000008fffb0f0f_x     00000000_x         2^{-2}
2      0004000000000008_x     00040000_x         1
3      0000000800040000_x     00000008_x         1
4      0004000000000008_x     00040000_x         1
5      0000000800040000_x     00000008_x         1
6      0004000000000008_x     00400000_x         2^{-5}
7      9918011000040000_x     00000080_x         1*
8      0040044099180110_x     00400000_x         1*

Lower path (E_1, key difference ΔK_2):
Round  Input difference       Subkey difference  Probability
7      4000b04f8bb88ab8_x     00000040_x         2^{-3}*
8      929900094000b04f_x     00200000_x         1*
9      0000040092990009_x     00000040_x         2^{-4}
10     0200000000000400_x     02000000_x         1
11     0000040002000000_x     00000400_x         1
12     0200000000000400_x     02000000_x         1
13     0000040002000000_x     00000400_x         1

5.3. Key recovery attack against 15-round MIBS-64

In our attack we treat 15-round MIBS-64 as |$E = E_f\circ E_1\circ E_0\circ E_b$|, where |$E_b$| is the first round, |$E_0$| is composed of rounds 2–9, |$E_1$| is composed of rounds 8–14 and |$E_f$| is round 15. The attack begins by constructing plaintexts (|$L_1, L_2, L_3, L_4$|) with the required differences and encrypting them under the keys (|$K_1, K_2, K_3, K_4$|). The master-key differences are |$\Delta K_0 = K_1\oplus K_2 = K_3\oplus K_4 = 2000000080000000_x$| and |$\Delta K_1 = K_1\oplus K_3 = K_2\oplus K_4 = 1000000040000000_x$|. These are the distinguisher key differences of Section 5.2 shifted by one key-schedule round, since the distinguisher now starts at round 2: |$\Delta K_0$| here is the |$\Delta K_1$| of Section 5.2 rotated left by 15 bits, and |$\Delta K_1$| here is the |$\Delta K_2$| of Section 5.2 rotated left by 15 bits. To describe the attack concretely we use the following notation:

|$U_b$|: the set of plaintext differences that may cause difference |$\alpha$| after |$E_b$| under the key difference |$\Delta K_0$|;
|$U_f$|: the set of ciphertext differences that may cause difference |$\delta$| before |$E_f$| under the key difference |$\Delta K_1$|;
|$k_j^i$|: the subkey in round |$i$| derived from the user key |$K_j$|, |$j = 1, 2, 3, 4$|;
|$k_{j[m:n]}^i$|: bits |$m$| down to |$n$| of |$k_j^i$|;
|$\Delta k_j^i$|: the subkey difference in round |$i$| derived from |$\Delta K_j$|, |$j = 0, 1$|;
|$\Delta k_{j[m:n]}^i$|: bits |$m$| down to |$n$| of |$\Delta k_j^i$|.

First, we determine the plaintext differences that can possibly lead to difference |$\alpha$| through |$E_b$|. By Observation 2 there are |$7^6 \approx 2^{16.8441}$| such plaintext differences (seven choices for each of the six active S-boxes), so |$U_b\subsetneqq \{\,fffb0f0f||m,\ m\in \{0,1\}^{32}\}$| with |$|U_b| \approx 2^{16.8441}$|. The subkey bits used in |$E_b$| that affect difference |$\alpha$| are bits 31 to 8 and 3 to 0, and the corresponding related-key difference is |$\Delta k_{0[31:8,3:0]}^1 = 0000400_x$|. We also obtain |$\Delta k_{0[31:24]}^{15} = *0_x$|, which is used in the partial decryption of the ciphertexts, where |$*$| denotes any of the seven possible output differences of the S-box for input difference |$4_x$|. Similarly, |$U_f\subsetneqq \{m||02000000,\ m\in \{0,1\}^{32}\}$| and |$|U_f| = 15\times 7 \approx 2^{6.7142}$|. The subkey bits used in |$E_f$| that affect |$\delta$| are bits 31 to 24, with related-key difference |$\Delta k_{1[31:24]}^{15} = *0_x$|. We also have |$\Delta k_{1[31:8,3:0]}^1 = 0000200_x$|, which is used in the partial encryption of the plaintexts. The key recovery algorithm proceeds as follows.

Step 1. Create |$y = 2^{13}$| structures of |$2^{32}$| plaintexts each and encrypt these plaintexts under the keys |$K_1$| and |$K_2$|, respectively.
Denote by |$L_1$| = {|$L_1^1, L_1^2, \dots , L_1^y$|} and |$L_2$| = {|$L_2^1, L_2^2, \dots , L_2^y$|} the groups of ciphertext structures obtained under |$K_1$| and |$K_2$|. Then XOR each plaintext of all |$y$| structures with |$fffb0f0f00000000_x$| and encrypt the results under |$K_3$| and |$K_4$|; denote the corresponding groups of ciphertext structures by |$L_3$| = {|$L_3^1, L_3^2, \dots , L_3^y$|} and |$L_4$| = {|$L_4^1, L_4^2, \dots , L_4^y$|}. Step 1 takes |$D= 2^{13} \times 2^{32}=2^{45}$| chosen plaintexts and |$2^{45}$| encryptions.

Step 2. Initialize |$2^{36}$| counters, one for each guess of |$k_{1[31:8,3:0]}^1$| (28 bits) and |$k_{1[31:24]}^{15}$| (8 bits). Step 2 requires |$2^{36}$| memory accesses.

Step 3. Insert the |$2^{45}$| ciphertexts of |$L_1$| into a hash table |$H_1$| indexed by the 32 rightmost ciphertext bits. For each ciphertext in |$L_3$|, look up the ciphertexts of |$H_1$| that agree with it on these 32 bits and keep each such collision pair only if its ciphertext difference lies in |$U_f$|. Do the same for |$L_2$| and |$L_4$|. Step 3 takes about |$4\times 2^{45}+2\times (2^{13} \times 2^{32})^2 \times 2^{-32}\approx 2^{59}$| memory accesses. Since |$U_f$| contains |$2^{6.7142}$| differences, about |$2\times (2^{13} \times 2^{32})^2 \times 2^{6.7142-64}\approx 2^{33.7142}$| colliding pairs remain.

Step 4. For each colliding ciphertext pair (|$C_1, C_3$|) |$\in L_1\times L_3$| obtained in Step 3, denote the structure of |$C_i$| by |$S_{C_i}$|, attach to |$C_1$| the index of |$S_{C_3}$| (|$C_1$| is then said to be related to |$C_3$|) and vice versa. Do the same for each colliding pair (|$C_2, C_4$|) |$\in L_2\times L_4$|, attaching to |$C_2$| the index of |$S_{C_4}$|. Step 4 takes one memory access per remaining colliding pair, i.e. |$2^{33.7142}$| memory accesses.

Step 5. In each structure under |$K_1$| and |$K_2$|, search for ciphertext pairs (|$C_1, C_2$|) |$\in L_1^i\times L_2^i$| (|$i=1,2,\dots ,y$|) that are related to a pair (|$C_3, C_4$|) |$\in L_3^{j}\times L_{4}^{j}$| (|$j=1,2,\dots ,y$|) of some other structure, i.e. |$C_1$| is related to |$C_3$| and |$C_2$| is related to |$C_4$|. For each such quartet, check that the plaintext difference |$P_1\oplus P_2$| lies in |$U_b$|, and check the difference of the plaintexts to which |$C_1$| and |$C_2$| are related in the same way. Step 5 yields |$(2^{33.7142}/2^{13})^2\approx 2^{41.4284}$| candidate quartets (|$C_1$|, |$C_2$|, |$C_3$|, |$C_4$|); after the filtering about |$2^{41.4284}\times 2^{(16.8441-32)\times 2}\approx 2^{11.1166}$| quartets remain. In total this step takes about |$2^{41.4284}+2^{41.4284}\times 2^{16.8441-32}\approx 2^{41.4284}$| memory accesses.

Step 6. For every quartet obtained in Step 5, denote its plaintexts by (|$P_1, P_2, P_3, P_4$|) and the corresponding ciphertexts by (|$C_1, C_2, C_3, C_4$|) under (|$K_1, K_2, K_3, K_4$|). For each guess of the 28 bits of |$k_{1[31:8,3:0]}^1$| and the 8 bits of |$k_{1[31:24]}^{15}$|, the corresponding subkey bits of the other three keys are $$ \begin{equation*} \begin{aligned} &k_{2[31:8,3:0]}^1 = k_{1[31:8,3:0]}^1 \oplus \Delta k_{0[31:8,3:0]}^1,\\[3pt] &k_{3[31:8,3:0]}^1 = k_{1[31:8,3:0]}^1 \oplus \Delta k_{1[31:8,3:0]}^1,\\[3pt] &k_{4[31:8,3:0]}^1 = k_{3[31:8,3:0]}^1 \oplus \Delta k_{0[31:8,3:0]}^1,\\ \end{aligned} \end{equation*} $$ and $$ \begin{equation*} \begin{aligned} &k_{2[31:24]}^{15} = k_{1[31:24]}^{15} \oplus \Delta k_{0[31:24]}^{15},\\[3pt] &k_{3[31:24]}^{15} = k_{1[31:24]}^{15} \oplus \Delta k_{1[31:24]}^{15},\\[3pt] &k_{4[31:24]}^{15} = k_{3[31:24]}^{15} \oplus \Delta k_{0[31:24]}^{15}.\\[3pt] \end{aligned} \end{equation*} $$ Note that |$\Delta k_{0[31:24]}^{15}$| and |$\Delta k_{1[31:24]}^{15}$| each range over the seven possible values given by Observation 2. Increment the counter of the guessed subkey if $$ \begin{equation*} \begin{aligned} &E_b^{K_1}(P_1)\oplus E_b^{K_2}(P_2)\\&=E_b^{K_3}(P_3)\oplus E_b^{K_4}(P_4) \\&= \alpha\\ \end{aligned} \end{equation*} $$ and $$ \begin{equation*} \begin{aligned} &(E_f^{K_1})^{-1}(C_1)\oplus (E_f^{K_3})^{-1}(C_3)\\&=(E_f^{K_2})^{-1}(C_2)\oplus (E_f^{K_4})^{-1}(C_4) \\&= \delta.\\ \end{aligned} \end{equation*} $$ Step 6 takes about |$2\times 2^{11.1166}\times (2^{28-16.8441}+2^{8-6.7142})\times 7^3\approx 2^{21.6946}$| memory accesses.

Step 7. Output the subkey with the maximal counter and recover the remaining subkey bits by exhaustive search. For the right key the counter is expected to receive 2 hits, while a wrong key receives about |$2^{-38}$| hits.

Overall, the data complexity of this attack is |$2^{45}$| chosen plaintexts, the time complexity is about |$2^{59}$| memory accesses and the memory complexity is |$2^{45}$| bytes.

6. Conclusion

In this paper, the security of the lightweight block ciphers GIFT, Khudra and MIBS is examined. We use MILP-aided cryptanalysis to search for related-key rectangle distinguishers.
First, we convert the differential propagations and the ladder switch technique into an MILP instance and obtain the related-key rectangle distinguishers from its solutions. Then we mount key recovery attacks based on the corresponding distinguishers. For GIFT, Khudra and MIBS we construct new 19-, 14- and 13-round related-key rectangle distinguishers, respectively, and with them we present 23-, 17- and 15-round related-key rectangle attacks. We obtain the first 23-round related-key rectangle attack on GIFT-64, and our related-key rectangle attacks on 17-round Khudra and 15-round MIBS-64 both improve on the previously best related-key rectangle attacks in terms of the number of attacked rounds.

Funding

National Natural Science Foundation of China (nos. 61572125 to L.C. and G.W. and 61602276 to G.Z.); National Cryptography Development Fund (no. MMJJ20180201 to L.C. and G.W.) and Shandong Natural Science Foundation of China (no. ZR2016FM22 to G.Z.).

Acknowledgments

We thank the anonymous reviewers for their insightful comments and suggestions.

References

1 Biham, E. and Shamir, A. (1990) Differential Cryptanalysis of DES-like Cryptosystems. In Proc. CRYPTO 1990, Santa Barbara, USA, August 11–15, pp. 2–21. Springer, Berlin.
2 Kelsey, J., Schneier, B. and Wagner, D. (1997) Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In Proc. International Conference on Information and Communications Security (ICICS 1997), Beijing, China, November 11–14, pp. 233–246. Springer, Berlin.
3 Wagner, D. (1999) The Boomerang Attack. In Proc. Fast Software Encryption (FSE 1999), Rome, Italy, March 24–26, pp. 156–170. Springer, Berlin.
4 Kelsey, J., Kohno, T. and Schneier, B. (2000) Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent. In Proc. Fast Software Encryption (FSE 2000), New York, USA, April 10–12, pp. 75–93. Springer, Berlin.
5 Biham, E., Dunkelman, O. and Keller, N. (2001) The Rectangle Attack - Rectangling the Serpent. In Proc. EUROCRYPT 2001, Innsbruck, Austria, May 6–10, pp. 340–357. Springer, Berlin.
6 Biham, E., Dunkelman, O. and Keller, N. (2002) New Results on Boomerang and Rectangle Attacks. In Proc. Fast Software Encryption (FSE 2002), Leuven, Belgium, February 4–6, pp. 1–16. Springer, Berlin.
7 Murphy, S. (2011) The return of the cryptographic boomerang. IEEE Trans. Inf. Theory, 57, 5217–5221.
8 Biryukov, A., De Cannière, C. and Dellkrantz, G. (2003) Cryptanalysis of SAFER++. In Proc. CRYPTO 2003, Santa Barbara, USA, August 18–22, pp. 195–211. Springer, Berlin.
9 Biryukov, A. and Khovratovich, D. (2009) Related-Key Cryptanalysis of the Full AES-192 and AES-256. In Proc. ASIACRYPT 2009, Tokyo, Japan, December 6–10, pp. 1–18. Springer, Berlin.
10 Dunkelman, O., Keller, N. and Shamir, A. (2010) A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony. In Proc. CRYPTO 2010, Santa Barbara, USA, August 15–19, pp. 393–410. Springer, Berlin.
11 Dunkelman, O., Keller, N. and Shamir, A. (2014) A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptol., 27, 824–849.
12 Cid, C. et al. (2018) Boomerang Connectivity Table: A New Cryptanalysis Tool. In Proc. EUROCRYPT 2018, Tel Aviv, Israel, April 29–May 3, pp. 683–714. Springer, Cham.
13 Dunkelman, O. (2018) Efficient Construction of the Boomerang Connection Table. IACR Cryptology ePrint Archive, 2018/631. Available online at https://eprint.iacr.org/2018/631.
14 Li, K. et al. (2019) New Results about the Boomerang Uniformity of Permutation Polynomials. IACR Cryptology ePrint Archive, 2019/079. Available online at https://eprint.iacr.org/2019/079.
15 Song, L., Qin, X. and Hu, L. (2019) Boomerang connectivity table revisited: application to SKINNY and AES. IACR Transactions on Symmetric Cryptology, 2019, 84–117.
16 Wang, H. and Peyrin, T. (2019) Boomerang switch in multiple rounds. Application to AES variants and Deoxys. IACR Transactions on Symmetric Cryptology, 2019, 142–169.
17 Biham, E., Dunkelman, O. and Keller, N. (2005) Related-Key Boomerang and Rectangle Attacks. In Proc. EUROCRYPT 2005, Aarhus, Denmark, May 22–26, pp. 507–525. Springer, Berlin.
18 Liu, G., Ghosh, M. and Song, L. (2017) Security analysis of SKINNY under related-tweakey settings. IACR Transactions on Symmetric Cryptology, 2017, 37–72.
19 Mouha, N. et al. (2011) Differential and Linear Cryptanalysis Using Mixed-Integer Linear Programming. In Proc. Information Security and Cryptology (Inscrypt 2011), Beijing, China, November 30–December 3, pp. 57–76. Springer, Berlin.
20 Sun, S. et al. (2014) Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers. In Proc. ASIACRYPT 2014, Taiwan, December 7–11, pp. 158–178. Springer, Berlin.
21 Sun, S. et al. (2014) Towards Finding the Best Characteristics of Some Bit-oriented Block Ciphers and Automatic Enumeration of (Related-key) Differential and Linear Characteristics with Predefined Properties. IACR Cryptology ePrint Archive, 2014/747. Available online at https://eprint.iacr.org/2014/747.
22 Cui, T. et al. (2016) New Automatic Search Tool for Impossible Differentials and Zero-Correlation Linear Approximations. IACR Cryptology ePrint Archive, 2016/689. Available online at https://eprint.iacr.org/2016/689.
23 Sasaki, Y. and Todo, Y. (2017) New Impossible Differential Search Tool from Design and Cryptanalysis Aspects. In Proc. EUROCRYPT 2017, Paris, France, April 30–May 4, pp. 185–215. Springer, Cham.
24 Cid, C. et al. (2017) A security analysis of Deoxys and its internal tweakable block ciphers. IACR Transactions on Symmetric Cryptology, 2017, 73–107.
25 Xiang, Z. et al. (2016) Applying MILP Method to Searching Integral Distinguishers Based on Division Property for 6 Lightweight Block Ciphers. In Proc. ASIACRYPT 2016, Hanoi, Vietnam, December 4–8, pp. 648–678. Springer, Berlin.
26 Todo, Y. et al. (2017) Cube attacks on non-blackbox polynomials based on division property. In Proc. CRYPTO 2017, Santa Barbara, USA, August 20–24, pp. 250–279. Springer, Cham.
27 Li, Z. et al. (2017) Improved conditional cube attacks on Keccak keyed modes with MILP method. In Proc. ASIACRYPT 2017, Hong Kong, China, December 3–7, pp. 99–127. Springer, Cham.
28 Banik, S. et al. (2017) GIFT: A Small Present. In Proc. Cryptographic Hardware and Embedded Systems (CHES 2017), Taipei, Taiwan, September 25–28, pp. 321–345. Springer, Cham.
29 Zhu, B., Dong, X. and Yu, H. (2019) MILP-based Differential Attack on Round-reduced GIFT. In Proc. Cryptographers' Track at the RSA Conference (CT-RSA 2019), San Francisco, USA, March 4–8, pp. 372–390. Springer, Cham.
30 Sasaki, Y. (2018) Integer Linear Programming for Three-Subset Meet-in-the-Middle Attacks: Application to GIFT. In Proc. International Workshop on Security (IWSEC 2018), Sendai, Japan, September 3–5, pp. 227–243. Springer, Cham.
31 Kolay, S. and Mukhopadhyay, D. (2014) Khudra: A New Lightweight Block Cipher for FPGAs. In Proc. Security, Privacy, and Applied Cryptography Engineering (SPACE 2014), Pune, India, October 18–22, pp. 126–145. Springer, Cham.
32 Dai, Y. and Chen, S. (2016) Security analysis of Khudra: A lightweight block cipher for FPGAs. Secur. Commun. Netw., 9, 1173–1185.
33 Izadi, M. et al. (2009) MIBS: A New Lightweight Block Cipher. In Proc. Cryptology and Network Security (CANS 2009), Kanazawa, Japan, December 12–14, pp. 334–348. Springer, Berlin.
34 Dai, Y., Tian, Y. and Chen, S. (2017) Cryptanalysis of reduced-round MIBS block cipher. Journal of Information Engineering University, 18, 87–92.
35 Ma, X. and Qiao, K. (2015) Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher. In Proc. Network and System Security (NSS 2015), New York, USA, November 3–5, pp. 331–344. Springer, Cham.
36 Bay, A., Nakahara, J. and Vaudenay, S. (2010) Cryptanalysis of Reduced-Round MIBS Block Cipher. In Proc. Cryptology and Network Security (CANS 2010), Kuala Lumpur, Malaysia, December 12–14, pp. 1–19. Springer, Berlin.
37 Qiao, K., Hu, L., Sun, S. and Ma, X. (2015) Related-key rectangle cryptanalysis of reduced-round block cipher MIBS. In Proc. International Conference on Application of Information and Communication Technologies (AICT 2015), Rostov on Don, Russia, October 14–16, pp. 2116-220. IEEE.
38 Biham, E., Dunkelman, O. and Keller, N. (2005) A Related-Key Rectangle Attack on the Full KASUMI. In Proc. ASIACRYPT 2005, Chennai, India, December 4–8, pp. 443–461. Springer, Berlin.
Google Preview WorldCat COPAC 39 Sasaki , Y. and Todo , Y. ( 2017 ) New Algorithm for Modeling S-box in MILP Based Differential and Division Trail Search . In Proc. Innovative Security Solutions for Information Technology and Communications (SecITC 2017), Bucharest, Romania, June 8–9 , pp. 150 – 165 . Springer , Cham . Google Preview WorldCat COPAC 40 ( 2007 ) PRESENT: An Ultra-Lightweight Block Cipher . In Proc. Cryptographic Hardware and Embedded Systems (CHES 2007), Vienna, Austria, September 10–13 , pp. 450 – 466 . Springer , Berlin . WorldCat COPAC © The British Computer Society 2019. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model) TI - MILP-based Related-Key Rectangle Attack and Its Application to GIFT, Khudra, MIBS JO - The Computer Journal DO - 10.1093/comjnl/bxz076 DA - 2011-06-01 UR - https://www.deepdyve.com/lp/oxford-university-press/milp-based-related-key-rectangle-attack-and-its-application-to-gift-C0rDH0p5BU SP - 1 VL - Advance Article IS - DP - DeepDyve ER -