Abstract

Given a differential characteristic and an existing plaintext pair that satisfies it (referred to as a right pair), generating additional right pairs at a reduced cost is an appealing prospect. The neutral bit technique, referred to as neutral differences throughout this paper, provides a solution to this challenge. Traditionally, the search for neutral differences has heavily depended on experimental testing, leading to limitations in the search range. In this work, we propose the neutral difference table and establish a link between boomerang cryptanalysis and neutral differences. Furthermore, we propose an automated search for neutral differences to address the problem of a limited search range of neutral differences, as previous approaches relied on experimental testing. This approach provides a basis for the subspace spanned by the neutral differences, and we apply this technique to both SPECK32 and LEA, where the predicted results closely match the experimental ones. Consequently, we present the improved differential-linear distinguishers for SPECK32 and LEA, along with the 18-round attacks on LEA192 and LEA256 with the lowest time complexity to date.

1. Introduction

Differential cryptanalysis, proposed by Biham and Shamir [1], is one of the most powerful cryptanalysis techniques nowadays. As cryptanalysis progresses, an intriguing phenomenon related to differentials has captured the attention of researchers. For a differential , when flipping a single bit or a set of bits simultaneously for an input , the resulting input satisfies the differential if and only if satisfies it. In this paper, is referred to as a neutral difference. Previous literature [2, 3] referred to it as a neutral bit when the Hamming weight of is 1 and a neutral set otherwise. The neutral difference technique holds significant prominence today, having contributed to the advancement of numerous cryptanalysis records [3–8].

However, the search for neutral differences of a differential lacks elegant methods other than exhaustive experiments based on its definition [3–5, 9, 10]. This has made it difficult to find more neutral differences. Therefore, there is an urgent need to develop automatic tools for searching neutral differences. We aim to dedicate ourselves to this problem and related cryptanalysis. The neutral probability of a neutral difference for a differential is defined as follows: where represents the size of the set and is a substitution.

1.1. Contribution

We establish links between neutral differences and boomerang cryptanalysis, thereby providing a theoretical foundation for the search of neutral differences. Based on this, we introduce an automatic search method for linearly independent neutral differences. As for applications, we present the neutral spaces for two differentials of SPECK32, which are spanned by all neutral differences with non-zero neutral probabilities. Experimental results confirm the validity of our method. Furthermore, we present improved differential-linear distinguishers for 11-round SPECK32 and 17-round LEA (illustrated in Table 1), as well as the 18-round attacks on LEA192 and LEA256 with the lowest time complexity to date (outlined in Table 2).

1.2. Organization

The remainder of this paper is organized as follows: Section 2 introduces the notations and concepts that will be used throughout the paper. Section 3 establishes the links between boomerang cryptanalysis and neutral differences and presents an automatic method for discovering neutral differences. Sections 4 and 5 apply the automatic search method to the SPECK32 and LEA ciphers. Finally, Section 6 concludes this paper.

2. Notations and Preliminaries

The notations we use in this paper are summarized in Table 3.

2.1. Preliminaries

Definition 1 (Differential Probability [1]). The probability of a differential for function is defined by the following:

Definition 2 (DDT). Let be a substitution. The value of differential distribution table (DDT) at is defined as follows:

Definition 3 (NDT). Let be a substitution. The value of neutral difference table (NDT) at is defined as follows:Here, is called a neutral difference throughout this paper.

Definition 4 (Neutral Probability). Let be a substitution. For a differential of , denoted by , is called a neutral difference for this differential, and the corresponding neutral probability is defined as follows:

In general, the higher the neutral probability becomes, the more useful a neutral difference is for an attack. Bao et al. [3] have further suggested a way to amplify the neutral probability by introducing conditional neutral differences, which necessitate specific conditions to be met by input pairs. These proposed conditions are evaluated through experiments in [3].

Definition 5 (Plaintext Pair Structure). Denote linearly independent neutral differences of a differential by . Let be the linear subspace spanned by . Given a plaintext , we define the plaintext pair structure as the set .

Definition 6 (BCT [17]). Let be a substitution and be its inverse. The value of boomerang connectivity table (BCT) at is defined as follows:

Definition 7 (UBCT/LBCT/EBCT [18]). Let be a substitution and be its inverse. The values of three variants of BCT, namely upper BCT, lower BCT, and extended BCT, are defined, respectively, as follows:

If the substitution can be known from the context, the symbol will be omitted. For example, will be abbreviated as .

In this section, we prove that the NDT is the LBCT in boomerang cryptanalysis, which provides a foundation for automated search of neutral differences. Furthermore, we introduce an automatic search method for linearly independent neutral differences.

3.1. Links between Boomerang Cryptanalysis and Neutral Difference

In this section, we present the links between neutral difference and boomerang cryptanalysis in Theorem 1 and how to calculate the neutral probability of neutral differences through LBCT in Corollary 1.

Theorem 1. Let be a substitution. There holds

Proof. It is obvious that if and only if . If satisfies that , then we have the following:Therefore, there holds .

Theorem 2. Let be a substitution and be its inverse. There holds

Proof. We haveAccording to Theorem 1, we have .

Theorem 1 demonstrates that the NDT entries of a substitution are the entries of LBCT. A similar result connecting the NDT with the UBCT is provided in Theorem 2. For notational simplicity, we shall primarily focus on LBCT in our subsequent theoretical developments. Consequently, one can identify neutral differences with a high neutral probability by concurrently constructing models/programs for LBCT and DDT, as presented in Section 3.2, where an automated method of searching for neutral differences is introduced.

Corollary 1. For a differential of a substitution , the neutral probability of a neutral difference can be calculated as follows:

Lemma 1. Let be a bijection. For a neutral difference of a differential with a non-zero probability, if or , then the corresponding neutral probability is 1.

Proof. Let . For each , it holds that . Hence, we have , which indicates by Definition 4.
Let . For each , it holds . By Theorem 1, we have . Hence, by Definition 4.
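The relations stated in Theorem 1 and Corollary 1 can be checked exhaustively on a small map. The following is an added example, not code from the paper or its repository. The key-free 8-bit SPECK-like round, its rotation amounts, the input difference 0x21 and the LBCT formula as written in the code (the standard lower-BCT form, used because the page's formulas are not shown) are assumptions.

```python
from fractions import Fraction

W = 4                      # toy word size (constructed; SPECK32 uses 16-bit words)
MASK = (1 << W) - 1
N = 1 << (2 * W)           # 256 states, small enough for exhaustive tables


def rol(v, r):
    return ((v << r) | (v >> (W - r))) & MASK


def ror(v, r):
    return ((v >> r) | (v << (W - r))) & MASK


def toy_round(s):
    """Key-free SPECK-like round on two 4-bit words (rotations 2 and 1 are assumed)."""
    x, y = s >> W, s & MASK
    x = (ror(x, 2) + y) & MASK
    y = rol(y, 1) ^ x
    return (x << W) | y


S = [toy_round(s) for s in range(N)]
S_INV = [0] * N
for _s, _t in enumerate(S):
    S_INV[_t] = _s


def ddt(d_in, d_out):
    """Number of right inputs x of the differential d_in -> d_out."""
    return sum(1 for x in range(N) if S[x] ^ S[x ^ d_in] == d_out)


def ndt(delta, d_in, d_out):
    """Right inputs x for which x ^ delta is a right input as well."""
    return sum(1 for x in range(N)
               if S[x] ^ S[x ^ d_in] == d_out
               and S[x ^ delta] ^ S[x ^ delta ^ d_in] == d_out)


def lbct(delta_i, nabla_i, nabla_o):
    """Lower BCT in boomerang form (assumed definition, see the lead-in)."""
    count = 0
    for x in range(N):
        x3 = S_INV[S[x] ^ nabla_o]              # shift the output, decrypt
        x4 = S_INV[S[x ^ delta_i] ^ nabla_o]
        if x ^ x3 == nabla_i and x3 ^ x4 == delta_i:
            count += 1
    return count


def neutral_probability(delta, d_in, d_out):
    """NDT / DDT: share of right pairs that stay right after XORing delta.
    Requires a differential with non-zero DDT entry."""
    return Fraction(ndt(delta, d_in, d_out), ddt(d_in, d_out))


def best_output(d_in):
    """Most likely output difference for d_in."""
    return max(range(N), key=lambda d_out: ddt(d_in, d_out))


def neutral_space(d_in, d_out):
    """All delta whose neutral probability is exactly 1."""
    right = ddt(d_in, d_out)
    return [d for d in range(N) if ndt(d, d_in, d_out) == right]


if __name__ == "__main__":
    d_in = 0x21                                  # constructed input difference
    d_out = best_output(d_in)
    print(f"differential {d_in:#04x} -> {d_out:#04x}, DDT = {ddt(d_in, d_out)}")
    for delta in (0x01, 0x08, 0x10, 0x80):       # single-bit candidates
        p = neutral_probability(delta, d_in, d_out)
        print(f"  delta {delta:#04x}: LBCT = {lbct(delta, d_in, d_out)}, p = {p}")
    print("probability-1 neutral differences:", len(neutral_space(d_in, d_out)))
```

With the argument order used here, the neutral difference takes the place of the upper difference of the boomerang and the differential takes the place of the lower trail.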

By constraining the input variable to a small set instead of , we can increase the neutral probability . In this case, the neutral difference is referred to as a conditional neutral difference, which was first proposed in [3]. Lemma 2 provides sufficient conditions, under which the neutral probability is 1, by imposing restrictions on the input variable .

Lemma 2. Let be a bijection. For a non-zero probability differential , the neutral probability of a conditional neutral difference , which requires the input of limited to a set , will be 1 if or .

Proof. The proof process is similar to that of Lemma 1.

3.2. Basic Framework for Automated Search of Neutral Differences

In this section, we aim to merge the automated search for differentials and EBCT characteristics in order to effectively find neutral differences with a higher probability for a given differential . Experimental results in Section 4 confirm the validity of our method, with the predicted neutral probabilities being close to the experimental ones.

First, we introduce the notations that will be used in this discussion. Let the cipher be a composition of . Throughout this paper, the term “characteristic” refers to a differential/boomerang path, which not only specifies the input and output differences but also specifies the intermediate differences. For clarity, we will use , , and to refer to , , and , respectively.

Assuming that the cipher is a Markov cipher and the characteristic with the largest probability for a differential determines the differential probability, it is well-known [19] that:

Delaune et al. [18] used Equation (16) to estimate .

In other words, LBCT characteristics can be approximated by a cluster of EBCT characteristics. According to Definitions 1 and 2, there holds . Based on Equations (15) and (16), the neutral probability of the neutral difference for a differential can be calculated by the following:

Here, refers to the differential characteristic that dominantly determines the probability of the differential , and also partially determines the EBCT characteristics.

The objective of the automated search is to identify a set of differences that maximizes the neutral probability, as defined by Equation (17). This neutral probability serves as the objective function for this automated search problem. By leveraging Equation (17), we can integrate the automated search for differential characteristics and extended boomerang characteristics to uncover a neutral difference . The problem of automatically finding differential characteristics has been effectively addressed in previous works such as [11, 19–23]. Similarly, the automatic search for boomerang characteristics has been successfully tackled in [14, 17, 18]. Since this paper does not focus on facilitating the automatic search for boomerang or differential cryptanalysis, we will omit the specific details related to these methods.

Let be the differential characteristic that dominantly determines the probability of the differential . Additionally, let be linearly independent neutral differences for this differential and . The following framework outlines the process for searching for a new neutral difference that is linearly independent of .

Step 1: In the search model, specify the differences used in the EBCT trail, namely . To ensure the expected propagation of differences, set as known values.

Step 2: Introduce constraints to prevent from being selected in . This ensures that the newly discovered neutral difference will be linearly independent of . An efficient approach for achieving this is presented in Section 3.3.

Step 3: Characterize the relationships between differences in the EBCT trails and differential trails. Using this search model, the solvers will return a solution of with the maximum neutral probability.

Upon completion of the above process, a new neutral difference for the differential , denoted by , will be obtained. The neutral probability is estimated through an EBCT trail, and Equation (17) suggests that intermediate differences should be enumerated. Consequently, to obtain a more precise estimation of the neutral probability, one can iterate the aforementioned process to discover additional EBCT trails. In such cases, Step 2 is modified as follows:

Step 2: Set and introduce constraints to exclude the previously found EBCT trails.

We constructed an automatic search model based on the Boolean satisfiability problem (SAT), and the source code of this paper is publicly available at https://github.com/PigInTheSky1234/Unveiling-the-Neutral-Difference-and-Its-Automated-Search.

Remark 1. It is possible to calculate the probability of LBCT by directly connecting a single LBCT trail for one round with a differential trail for the remaining rounds. However, at FSE 2022, Kidmose and Tiessen [24] pointed out a crucial issue with this approach: when calculating boomerang probabilities, directly connecting differential trails may result in trails with a zero probability. To address this, they introduced the concept of 3-difference trails. Notably, a 3-difference trail can be viewed as a manifestation of an EBCT trail. Therefore, to achieve a more precise probability estimation, we use EBCT trails to calculate the probabilities of LBCT trails.

3.3. The Method of Excluding a Linear Space from

As far as we know, in differential-linear/neural cryptanalysis, it is common to use multiple neutral differences simultaneously, which forms a neutral space spanned by these differences. If one wants to exclude all neutral differences point by point with constraints to find a neutral difference, the computational burden of the solver would be greatly increased. Next, we will give a solution to this problem with only one constraint. Let linearly independent neutral differences be . Denote the neutral space spanned by these neutral differences as and the remaining space as . In this section, we will demonstrate how to identify neutral differences for a given differential within using existing solvers.

Theorem 3. Let and . There holds that

Proof. The necessary and sufficient condition for is that , which proves the above.

Theorem 4. Let be linearly independent neutral differences and . Let be a linear bijection and for . There holds that

Proof. Let . Since is a linear bijection, it holds that . By Theorem 3, this theorem holds.

The following is a construction method for the linear bijection . Let and . is an invertible binary matrix. indicates that , where is the th column of . Therefore, are the first columns of . Obtaining the linear bijection thus amounts to ensuring that the matrix is invertible, which is easy with standard linear algebra techniques.

Once another neutral difference is obtained, the -th column of is replaced by . Once again, ensuring that the matrix is invertible yields an updated linear bijection . The number of constraints excluding spanned by neutral differences is reduced from the original to 1, as stated in Theorem 4.
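One way to realise the construction of this section over GF(2), as an added example that is not taken from the paper's repository. The function names, the 8-bit width and the three sample differences are constructed, and it assumes that the bijection maps the i-th neutral difference to the i-th unit vector, so that membership in the span is read off the remaining coordinates.

```python
def reduce_vec(v, echelon):
    """Reduce v against an echelon basis sorted by decreasing leading bit."""
    for r in echelon:
        v = min(v, v ^ r)
    return v


def build_bijection(deltas, n):
    """Rows of M^-1 over GF(2), where M has the deltas as its first columns.

    Bit j of row i is the coefficient of input bit j in output bit i, so
    output bit i of L(x) is parity(row_i & x) and L(deltas[k]) = e_k.
    """
    echelon, cols = [], []
    for idx, v in enumerate(list(deltas) + [1 << j for j in range(n)]):
        r = reduce_vec(v, echelon)
        if r == 0:
            if idx < len(deltas):
                raise ValueError("neutral differences are linearly dependent")
            continue                      # unit vector already in the span
        echelon.append(r)
        echelon.sort(reverse=True)
        cols.append(v)
    # Row-major copy of M, then Gauss-Jordan on [M | I] to obtain M^-1.
    rows = [sum(((cols[j] >> i) & 1) << j for j in range(n)) for i in range(n)]
    inv = [1 << i for i in range(n)]
    for c in range(n):
        p = next(i for i in range(c, n) if (rows[i] >> c) & 1)
        rows[c], rows[p] = rows[p], rows[c]
        inv[c], inv[p] = inv[p], inv[c]
        for i in range(n):
            if i != c and (rows[i] >> c) & 1:
                rows[i] ^= rows[c]
                inv[i] ^= inv[c]
    return inv


def parity(v):
    return bin(v).count("1") & 1


def apply_bijection(inv, x):
    """Evaluate L(x) = M^-1 x."""
    return sum(parity(row & x) << i for i, row in enumerate(inv))


def outside_span(inv, t, x):
    """The single exclusion constraint: some coordinate t..n-1 of L(x) is 1."""
    return any(parity(row & x) for row in inv[t:])


def span(deltas):
    """Brute-force span, used only to cross-check the constraint."""
    out = {0}
    for d in deltas:
        out |= {v ^ d for v in out}
    return out


if __name__ == "__main__":
    n, deltas = 8, [0x21, 0x0A, 0x84]          # constructed sample values
    inv = build_bijection(deltas, n)
    print("XOR masks of the constraint:", [f"{m:#04x}" for m in inv[len(deltas):]])
    new = next(x for x in range(1, 1 << n) if outside_span(inv, len(deltas), x))
    deltas.append(new)                          # stands in for a solver result
    inv = build_bijection(deltas, n)            # updated bijection
    print("after adding", hex(new), "the span has", len(span(deltas)), "elements")
```

Each mask in `inv[t:]` describes one XOR of candidate bits, so in a SAT model the whole exclusion is one clause over those XOR outputs.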

4. Application to SPECK

First, we apply the automatic search technique of neutral difference to SPECK32 and experimentally validate its effectiveness. Second, we enhance the differential-linear distinguishers for 11-round SPECK32 by incorporating neutral differences, resulting in increased absolute values of correlations.

4.1. SPECK

SPECK is a lightweight block cipher designed by the US National Security Agency, whose round function is depicted in Figure 1. For word size , each variant is identified by SPECK, where is its block size and is the key size. The rotation constants are and for SPECK32 with 64-bit key, while and for the others. Since we do not exploit properties of the key schedules, their details are omitted.

4.2. The Neutral Subspaces for Two 2-Round Differentials

For SPECK32, there is a 2-round differential characteristic with a probability of . Table 4 shows the neutral space for this differential, which is spanned by the linearly independent neutral differences.

The following is an example to illustrate the search process introduced in Section 3.2. To search for a neutral difference for this differential trail, we specify the differences used in the EBCT trail in the search model, namely . To ensure that the differences propagate as expected, we set , , and in the search model. Suppose that the neutral difference is known, one can find a linear bijection where and . According to Theorem 4, one can introduce the following constraint to prevent from being chosen from the linear space spanned by and .

Furthermore, one needs to characterize the relationships between differences in EBCT trails and differential trails. Using this search model, the solvers will yield a solution of with the maximum neutral probability. Here, represents the newly discovered neutral difference. Suppose that is the newly discovered neutral difference. By employing an EBCT trail, the neutral probability is estimated as . By setting and repeating the aforementioned process, we discovered a total of 8 EBCT trails. By using these EBCT trails, the theoretical estimation of neutral probability is , and the experimental result is 1 as well. Additionally, Table 5 presents the corresponding conditions that improve the neutral probabilities. Similar results for another 2-round differential with a probability of are shown in Tables 6 and 7.

The input difference is definitely a neutral difference with a probability of 1. However, it is generally not useful for further cryptanalysis, as exchanging the two plaintexts of a pair holds little value. It is crucial to note that we should avoid not only using the input difference as a neutral difference but also including it in the neutral space used.

4.3. Enhanced Differential-Linear Distinguishers by Neutral Differences

This section reviews how to construct a more effective distinguisher by a simple DL approximation when enough neutral differences are given. Furthermore, we present the improved distinguishers for 11-round SPECK32.

The correlation [25] of a differential-linear approximation for a vectorial Boolean function is defined as follows:where and . Assuming that a DL trail has a correlation , we aim to enhance the correlation by incorporating neutral differences of the prepended short-round differential with a probability of . Under the condition that , Beierle et al. [5] pointed out that the DL distinguisher would work as follows:

Step 1: Randomly generate a plaintext , and then use neutral differences to generate the corresponding plaintext pair structure , where is the space spanned by these neutral differences.

Step 2: The corresponding cipher pair structure of is denoted by . Then, one can compute

Step 3: If the correlation observed using pairs is approximately , the distinguisher succeeds. Otherwise, go to Step 1.

The essential requirement for this distinguisher to be effective is to identify sufficient neutral differences so that . With probability , the plaintext pair structure makes the short-round differential satisfied. Denote the product of the neutral probabilities of the neutral differences utilized by . With probability , the distinguisher succeeds in Step 3. Thus, the data complexity of required is instead of . Note that the statistical value is derived from ciphertext pairs. When comparing with the DL distinguishers without using the neutral difference technique, we regard the (equivalent) correlations of DL (ND) as , since the data complexity required is . Table 8 summarizes the differential-linear distinguishers for 11-round SPECK32.

5. Application to LEA

5.1. LEA

The LEA family of block ciphers not only serves as the national standard of the Republic of Korea but also is included in the ISO/IEC 29192-2:2019 standard. The LEA family has a block size of 128 bits and consists of three different key sizes: 128, 192, and 256 bits, denoted by LEA128, LEA192, and LEA256, respectively. Figure 2(a) provides a schematic view of the round function of LEA. The inputs/outputs of each round of LEA consist of four 32-bit words.

5.2. Enhanced Differential-Linear Distinguishers by Neutral Differences

For LEA, there is a 4-round differential characteristic shown in Table 9, with a probability of . Table 10 of Appendix A outlines 61 linearly independent neutral differences for this differential. Since not all of the neutral probabilities are 1, it is significant to know the probability of obtaining a plaintext structure consisting of right pairs from a right pair. In this case, the statistical variable will clearly demonstrate advantages when the key is guessed correctly. Though it is computationally infeasible to verify it directly, we randomly select subspaces spanned by five neutral differences and verify the probability of obtaining right pairs from a right pair. Denote the product of the five individual neutral probabilities by , and let the empirical probability of obtaining right pairs be . We utilized right pairs to repeat the above experiments 100 times and found , and the average of is 1.033. In summary, this experiment indicates that the probability of obtaining right pairs using neutral differences can be approximated by the product of the individual neutral probability experimental values of these neutral differences, which has been verified in [6]. Consequently, the theoretical probability of obtaining right pairs from a right pair using these 61 neutral differences is . The differential-linear distinguisher that employs the neutral difference technique is presented in Table 8.

5.3. The 18-Round Key Recovery Attack on LEA

To attack the 18-round LEA with key sizes of 192 and 256 bits, we employ the 17-round DL (ND) distinguisher described in Table 8 by adding an additional round. The attack program is outlined in Algorithm 1, which recovers 60 bits of subkey in the last round.

Input: neutral differences and corresponding subspace , number of replications , plaintext structures for , threshold .
Output: List of key candidates, denoted by .
1
2 for do
3   Choose the th plaintext structure
    /* Denote the ciphertext pairs, encrypted from , by */
4   foreach possible do
5
6     for do
        // A filtering process that enhances advantages.
        /* represents one round decryption with . represents the output mask, and is the number of ciphertext pairs to calculate this correlation. */
7       if is useful for current then
8       end
8       else
10        Continue
      // Without loss of generality, let the correlation of the bottom DL distinguisher be less than 0 and .
11    if then
12      Store the key candidate to .

For the convenience of introducing the 18-round key recovery attack, we use the following notations (see Figure 2(b)):where indicates the current ciphertext comes from the th ciphertext pair. If is obvious in the context, will be omitted. Similarly, let represent the other ciphertext for the th ciphertext pair.

Consider the linear mask . The statistical value is calculated as follows:where . Here, and can be directly obtained from the th ciphertext pair. We guess the least significant 29 bits of both and to obtain the least significant 29 bits of , i.e., . In this scenario, we also obtain the least significant 30 bits of . For example, and for . Due to the nature of the additions, we have the following:and

Additionally, we utilize the conditional linear approximation proposed by Biham and Carmeli [26] to compute and . See Appendix B for more details. For clarity, let and represent and , respectively. Then we have the following:where and . We define , , and for simplicity. As a result, the statistical value can be rewritten as follows:where

Note that only of the generated plaintext–ciphertext pairs are used simultaneously. Consequently, we need to guess 60 bits of the subkey, i.e., , , and .

The 18-round attack utilizes all 61 neutral differences in Table 10 simultaneously and sets the parameter as . Let and represent the correlation of the bottom DL approximation (see the last row of Table 8). If the guessed subkey is correct and each pair of satisfies the prepended short-round differential, the statistical variable follows the normal distribution with mean of and variance of . Otherwise, follows the normal distribution with mean of and variance of . When the threshold is set to , the right key will pass through Line 9 of Algorithm 1 with a probability of while a wrong key will pass with a probability of . Here, is the distribution function of the standard normal distribution. The expected number of wrong keys in key candidates is . The data complexity should be chosen plaintext pairs and the time complexity should be operations. Each operation consists of a partial decryption for one round, a dot product, and an addition. Roughly estimated, we assume that the time complexity for one operation is approximately equal to that of one round of decryption. Therefore, the final time complexity for our 18-round attack is full encryptions of 18-round LEA. The success rate is determined by the probability of obtaining a plaintext structure, where each plaintext pair satisfies the prepended short-round differential characteristic, i.e., . The comparison of our attack with previous attacks on LEA is shown in Table 2.

6. Conclusion

In this paper, we have investigated the link between neutral difference and boomerang cryptanalysis. Based on it, we introduce an automated approach for identifying linearly independent neutral differences. Consequently, we present the improved differential-linear distinguishers for SPECK32 and LEA, along with the 18-round attacks on LEA192 and LEA256 with the lowest time complexity to date.

Appendix

A. Neutral Differences for 4-Round Differential on LEA

B. Conditional Linear Approximations for Additions

This section introduces the conditional linear approximation technique, which is also known as the partitioning technique proposed by Biham and Carmeli [26]. This technique has the ability to amplify the bias of linear approximations of additions. Furthermore, it has been applied to the differential-linear attack on ARX ciphers [5, 6, 27]. The core of the conditional linear approximation technique is shown in Lemma B.1.

Lemma B.1 (Page 10, [5]). Let and , where . Let . For , we have the following:where and .

Data Availability

The data that support the findings of this study are openly available at https://github.com/PigInTheSky1234/Unveiling-the-Neutral-Difference-and-Its-Automated-Search.

Conflicts of Interest

The authors have no conflicts of interest to declare that are relevant to the content of this article besides the funding that we already state and our affiliations.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (grant nos. 62302518 and 62372463) and the Natural Science Foundation of Henan (grant no: 222300420100).