Cryptanalysis of the Lightweight Block Cipher BORON

Liang, Huicong; Wang, Meiqin

doi:https://doi.org/10.1155/2019/7862738

Security and Communication Networks

On this page

Abstract Introduction Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 7862738 | https://doi.org/10.1155/2019/7862738

Cryptanalysis of the Lightweight Block Cipher BORON

Huicong Liang^1,2and Meiqin Wang^1,2

Academic Editor: Vincenzo Conti

Received15 Mar 2019

Revised01 Nov 2019

Accepted25 Nov 2019

Published18 Dec 2019

Abstract

This paper provides security evaluations of a lightweight block cipher called BORON proposed by Bansod et al. There is no third-party cryptanalysis towards BORON. Designers only provided coarse and simple security analysis. To fill this gap, security bounds of BORON against differential and linear cryptanalysis are presented in this paper. By automatic models based on the SMT solver STP, we search for differential and linear trails with the minimal number of active S-boxes and trails with optimal probability and bias. Then, we present key-recovery attacks towards round-reduced BORON. This paper is the first third-party cryptanalysis towards BORON.

1. Introduction

Lightweight cryptography is one of the most actively discussed topics in the current cryptographic community. For the last decade, a great number of lightweight block ciphers have been proposed, such as PRESENT [1], CLEFIA [2], PRINCE [3], SIMON [4], SPECK [4], SKINNY [5], GIFT [6], QARMA [7], and so on, which draw plenty of researchers’ attention.

Meanwhile, there are some unknown lightweight block ciphers. BORON [8] is one of them. BORON, a substitution-permutation network cipher, supports 64-bit messages and 80/128-bit keys, which has a total of 25 rounds. The substitution layer is made up of 16 same 4-bit S-Boxes, and the permutation layer includes nibble shift, bit rotation, and block XOR operation.

Except for simple security analysis illustrated by designers, there is no third-party security evaluation in the open literature. To fill this gap, differential [9] and linear cryptanalysis [10] towards BORON are presented in this paper. Differential and linear cryptanalysis are one of the most fundamental and powerful techniques for security evaluations of cryptographic primitives.

Differential cryptanalysis discusses how differences propagate through the objective cryptographic primitives. If input differences and output differences occur in some regular patterns, these could be used to build distinguishers or even to recover secret keys.

Linear cryptanalysis focuses on the linear equation between plaintexts, ciphertexts, and keys. If this linear equation happens with a high probability, the distinguishing attack or key-recovery attack could be presented. Therefore, finding good distinguishers is the first step to evaluate security against differential and linear cryptanalysis.

There are many methods to find differential and linear trails, such as Matsui’s algorithm, SAT/SMT and MILP, which are widely used to analyse the security of cryptographic primitives [11–15]. In this paper, we utilize the SMT solver STP (http://stp.github.io) to search for good trails, which is suitable for dealing with bit vectors.

1.1. Contributions

This paper analyses the security of BORON against differential and linear cryptanalysis. Security bounds are depicted in Table 1.

The minimal number of active S-boxes of differential and linear trails could describe approximate security bounds resistance to differential and linear cryptanalysis. We find that the minimal number of active S-boxes proposed by designers is incorrect and intact. Then, differential and linear trails with the accurate minimal number of active S-boxes are found. Our results are listed in Table 2.

We also search for (related-key) differential and linear trails with the optimal probability and bias. Details about the optimal probability and bias are illustrated in Table 3. Specific trails with the optimal probability and bias are listed in Tables4–6. We figure out that there is no effective 9-round differential trail and 10-round linear trail. We also try to find impossible differential trails of BORON, and 7-round BORON impossible differential trails are obtained.

Utilizing the 8-round differential trail with the optimal probability of , we depict a key-recovery attack towards 9-round BORON with the 80-bit key schedule, whose time complexity is , data complexity is , and memory complexity is . By the 9-round linear trail with the optimal bias of , a key-recovery attack towards 11-round BORON with the 128-bit key schedule is described, whose time complexity is , data complexity is , and memory complexity is .

And, in this paper, we assume that BORON is the Markov cipher.

1.2. Outline

This paper is organized as follows. Section 2 introduces the description of BORON. In Section 3, automatic models for finding trials are illustrated. Key-recovery attacks towards BORON are presented in Section 4. Section 5 concludes this paper.

2. Description of BORON

2.1. Encryption Algorithm

BORON is a 25-round SPN block cipher, whose message length is 64-bit and the key length is 80-bit or 128-bit. The round function of BORON is made up of Substitution Layer and Permutation Layer. The Substitution Layer consists of 16 same 4-bit S-boxes in parallel. The S-box is described in Table 7. The Permutation Layer includes three parts, nibble shift, bit rotation, and block XOR operation. And, the round function is described in Figure 1. For more details, refer [8].

In Figure 1, we regard 4 bits as a nibble and 16 bits as a block. Note that nibble shift is the permutation between nibbles, while bit rotation and block XOR operation are ones in term of blocks.

2.2. Key Schedule

The key schedule of BORON is inspired by the one of PRESENT [1]. There are two versions, 80-bit and 128-bit. In total, 26 subkeys are generated by the key schedule in the whole procedure of encryption. Each subkey has 64 bits.

For the 80-bit version, the master key could be stored in a key register and denoted as . First, extract the least significant 64 bits of the master key as the first subkey, that is, the whitening key . In the th round , after extracting the least significant 64 bits, the key register is updated as follows:(1)(2)(3)

For the 128-bit version, the master key could be stored in a key register and denoted as . Extract the least significant 64 bits of the master key as the first subkey, that is, the whitening key . In the th round , after extracting the least significant 64 bits, the key register is updated as follows:(1)(2)(3)(4)

3. Automatic Models for Searching Trails

In this paper, we use STP [16], an SMT solver, to search for good differential and linear trails. STP uses CVC and SMTLIB2 languages to encode constraints and then invokes an SAT solver to check for the satisfiability of these constraints. In this paper, the CVC language is used to encode difference and linear mask propagations of BORON.

Inspired by models in [11–15, 17–20], we present automatic models for finding differential and linear trails of BORON. All intermediate states of BORON are represented by variables which are used to build constraints. Searching for good trails is transformed into checking for the satisfiability of constraints. For different searching problems, there are different constraints. We show constraints for all operations used in BORON as follows.

3.1. Finding Differential Trails

First, we give some notations about variables. We count from the right side and zero.(i)before_sbox_vaule1_i_j: input value of the th S-box in the th round(ii)after_sbox_vaule1_i_j: output value of the th S-box in the th round whose input value is before_sbox_vaule1_i_j(iii)before_sbox_vaule2_i_j: input value of the th S-box in the th round(iv)after_sbox_vaule2_i_j: output value of the th S-box in the th round whose input value is before_sbox_vaule2_i_j(v)before_sbox_difference_i_j = (vi)after_sbox_difference_i_j = (vii)before_rotation_difference_i_j: difference of the th block before bit rotation of the th round(viii)after_rotation_difference_i_j: difference of the th block after bit rotation of the th round(ix)after_blockxor_difference_i_j: difference of the th block after block XOR operation of the th round(x)flag_i_j: represents whether the th S-box in the th round is active or not(xi)total_num: the total number of active S-boxes in the trail(xii)probability_i_j: probability parameter of the th S-box in the th round(xiii)total_probability: probability parameter of the whole differential trail

3.1.1. Permutation Layer

The Permutation Layer is made up of three linear operations. Constraints about these linear operations are listed in Algorithm 1, 2, and 3, respectively.

r: the number of rounds
(1)	for to r do
(2)	before_rotation_difference_i_0 =
(3)	after_sbox_difference_i_1 after_sbox_difference_i_0
(4)	after_sbox_difference_i_3 after_sbox_difference_i_2
(5)
(6)	before_rotation_difference_i_1 =
(7)	after_sbox_difference_i_5 after_sbox_difference_i_4
(8)	after_sbox_difference_i_7 after_sbox_difference_i_6
(9)
(10)	before_rotation_difference_i_2 =
(11)	after_sbox_difference_i_9 after_sbox_difference_i_8
(12)	after_sbox_difference_i_11 after_sbox_difference_i_10
(13)
(14)	before_rotation_difference_i_3 =
(15)	after_sbox_difference_i_13 after_sbox_difference_i_12
(16)	after_sbox_difference_i_15 after_sbox_difference_i_14
(17)	end for

r: the number of rounds
(1)	for to r do
(2)	after_rotation_difference_i_0 = before_rotation_difference_i_
(3)	after_rotation_difference_i_1 = before_rotation_difference_i_
(4)	after_rotation_difference_i_2 = before_rotation_difference_i_
(5)	after_rotation_difference_i_3 = before_rotation_difference_i_
(6)	end for

r: the number of rounds
(1)	for to r do
(2)	after_blockxor_difference_i_1 =
(3)	after_rotation_difference_i_1 after_rotation_difference_i_3
(4)	after_blockxor_difference_i_2 =
(5)	after_rotation_difference_i_0 after_rotation_difference_i_2
(6)	after_blockxor_difference_i_0 =
(7)	after_rotation_difference_i_0 after_blockxor_difference_i_1
(8)	after_blockxor_difference_i_3 =
(9)	after_rotation_difference_i_3 after_blockxor_difference_i_2
(10)	end for

3.1.2. Substitution Layer

Constraints built in Algorithm 4 describe difference propagations through S-boxes, which include initializing variables by values of S-boxes and showing relationships among variables.

r: the number of rounds
: output of the S-box with the input x
(1)	for to r do
(2)	for to 15 do
(3)	for to 15 do
(4)
(5)
(6)	end for
(7)	end for
(8)	end for
(9)
(10)	for to r do
(11)	for to 15 do
(12)	before_sbox_difference_i_j
(13)	= before_sbox_value1_i_j before_sbox_value2_i_j
(14)	after_sbox_difference_i_j
(15)	= after_sbox_value1_i_j after_sbox_value2_i_j
(16)	end for
(17)	end for

Other constraints should be added in Algorithm 4, when searching for differential trails with the minimal number of active S-boxes. These constraints of searching for the minimal number of active S-boxes are illustrated in Algorithm 5. The variable flag_i_j is used to explain whether an S-box is active or not. When the th S-box in the th round is active, ; otherwise, .

r: the number of rounds
n: the expected number of active S-boxes in the whole trail
(1)	for to r do
(2)	for to 15 do
(3)	if AND then
(4)	flag_i_j = 0
(5)	else
(6)	flag_i_j = 1
(7)	end if
(8)	end for
(9)	end for
(10)
(11)
(12)
(13)

We need to check whether is satisfied or not under constraints from Algorithm 4 and 5, where n is the expected number of active S-boxes in the whole differential trail, and is regarded as the objective constraints.

We first search for -round trails with the minimal number of active S-boxes, and set . Put all constraints including Algorithm 1–5 into STP and check the satisfaction of these objective constraints. If STP returns invalid, gradually adjust the value of n by adding 1 till STP returns a trail. When searching for -round trails with the minimal number of active S-boxes, we set the value of n equal to the minimal number of active S-boxes of -round trails. Repeat the above steps.

When searching for the optimal differential trail, we need to consider probabilities of difference propagations through S-boxes. Probabilities of S-boxes could be described by the difference distribution table (DDT).

For any input difference x and output difference y of the S-box, the probability of the S-box, named , is equal to the corresponding value in the DDT divided by 16, which is

We can write that . In our model, we use the parameter to present the probability of the S-box and

Values of for all x and y are stored in a table called Diff_dist.

Denote the probability of the whole differential trail as and

The parameter total_probability is used to represent the probability of the whole trail in the constraints. Constraints of finding the optimal differential trail are presented in Algorithm 6.

r: the number of rounds
: the expected probability of the whole trail
(1)	for to 15 do
(2)	for to 15 do
(3)
(4)	end for
(5)	end for
(6)
(7)	for to r do
(8)	for to 15 do
(9)	probability_i_j
(10)	= Diff_dist [before_sbox_difference_i_j] [after_sbox_difference_i_j]
(11)	end for
(12)	end for
(13)
(14)
(15)
(16)

Let that the value of total_probability starts from doubling the minimal number of active S-boxes because consider probabilities of all active S-boxes in the trail are optimal. Adjust the value of total_probability by adding 1 till obtaining the trail with the optimal probability.

3.2. Finding Linear Trails

Due to differences between difference propagations and linear mask propagations, we need to build constraints suitable for tracking linear masks in all operations of BORON. Notations are given as follows:(i)before_sbox_mask_i_j: input mask of the th S-box in the th round(ii)after_sbox_mask_i_j: output mask of the th S-box in the th round(iii)branch_i_j_up, branch_i_j_down, branch_i_j_another: masks of the th branch operation in the block XOR operation of the -th round(iv)xor_i_j_up, xor_i_j_down, xor_i_j_another: masks of the th xor operation in the block XOR operation of the th round(v)bias_i_j: bias parameter of the th S-box in the th round(vi)total_bias: bias parameter of the whole linear trail

3.2.1. Permutation Layer

Situations that linear masks propagate nibble shift and bit rotation are the same as situations that differences do. So, we omit constraints about tracking linear masks through nibble shift and bit rotation. Refer Algorithm 1 and 2 for details.

It is little complicated that linear masks propagate through block XOR operation due to the property of linear masks. Detailed constraints are described in Algorithm 7. Figure 2 illustrates the variables which are used in tracking linear masks through block XOR operation.

r: the number of rounds
input mask:
output mask:
(1)	for to r do
(2)	for to 4 do
(3)
(4)	end for
(5)	end for
(6)
(7)	for to r do
(8)	for to 4 do
(9)
(10)	end for
(11)	end for
(12)
(13)	for to r do
(14)
(15)
(16)
(17)
(18)	end for
(19)
(20)	for to r do
(21)
(22)
(23)
(24)
(25)	end for

3.2.2. Substitution Layer

Similar to finding differential trails, we also use flag_i_j to represent whether an S-box is active or not when finding linear trails with the minimal number of active S-boxes. And, the objective constraint is , where n is the expected number of active S-boxes in the whole linear trail. The choice of n is the same as above. Detailed constraints are illustrated in Algorithm 8.

r: the number of rounds
n: the expected number of active S-Boxes in the whole trail
(1)	for to r do
(2)	for to 15 do
(3)	if before_sbox_mask_i_j = 0 AND after_sbox_mask_i_j = 0 then
(4)	flag_i_j = 0
(5)	else
(6)	flag_i_j = 1
(7)	end if
(8)	end for
(9)	end for
(10)
(11)
(12)
(13)	total_num = n

When searching for the optimal linear trail, we need to consider biases of S-boxes which could be described by the linear approximation table (LAT).

For any input mask α and output mask ß of the S-box, the bias of the S-box, named is equal to the corresponding value in the LAT divided by 16, which is

We can write that .

Use the parameter to present the bias of the S-box in the constraints and

Values of for all α and ß are stored in a table named linear_dist.

Denote the bias of the whole linear trail as and due to the Piling-up Lemma [10], we have

Constraints of finding linear trails with the optimal bias are presented in Algorithm 9.

r: the number of rounds
: the expected bias of the whole trail
(1)	for to 15 do
(2)	for to 15 do
(3)
(4)	end for
(5)	end for
(6)
(7)	for to r do
(8)	for to 15 do
(9)	bias_i_j
(10)	= linear_dist[before_sbox_mask_i_j][after_sbox_mask_i_j]
(11)	end for
(12)	end for
(13)
(14)
(15)
(16)

Set the initial value of total_bias by considering all S-boxes with the optimal bias. Adjust the value of total_bias by adding 1 till obtaining the trail with the optimal bias.

3.3. Finding Related-Key Differential Trails

When searching for differential trails in related-key setting, some constraints are given in Algorithm 10 to illustrate the related-key relationship. And we also need to construct some constraints which describe difference propagations through the key schedule. Operations in the key schedule are similar to those in the encryption algorithm and constraints could refer to Algorithm 2, 3, and 6. Detailed codes are presented in the GitHub and the optimal trails are illustrated in Table 6.

r: the number of rounds
(1)	for to r do
(2)
(3)
(4)
(5)
(6)	end for
(7)
(8)	for to r do
(9)
(10)
(11)	end for

3.4. Finding Impossible Differential Trails

In order to find impossible differential trails, we need to set the pattern of input and output differences and check the satisfaction of constraints. If the solver returns a trail, there is no impossible differential trail under this pattern. If returns invalid, an impossible differential trails are found. Constraints are listed in Algorithm 11.

r: the number of rounds
x: input pattern of the trail
y: output pattern of the trail
(1)
(2)	for to 15 do
(3)
(4)	end for
(5)
(6)
(7)	for to 15 do
(8)
(9)	end for
(10)
(11)
(12)

As a result, we obtain 4 different 7-round impossible differential trails, which are

The former is the input pattern, and the latter is the output pattern of the 7-round BORON, where “1” represents the active nibble and “0” represents the inactive nibble.

4. Key-Recovery Attacks

4.1. Differential Cryptanalysis

Considering the 8-round differential trail with the probability of as a distinguisher illustrated in Table 4, a key-recovery attack towards 9-round BORON is presented in the following by adding one more round on the tail of the distinguisher. We omit the permutation layer of the last round due to linearity. We adopt the 80-bit key schedule in this key-recovery attack.

The input difference of this distinguisher is 0x0000080000100000, and the output difference is 0x0041004100080009. We choose plaintext pairs whose differences are equal to 0x0000080000100000. Filter these plaintext pairs and keep ones whose ciphertext differences are equal to 0x00??00??000?000?, where ? represents the unknown difference. On average, plaintext pairs are left because the probability that a pair satisfies the limitation of this distinguisher is .

Guess 24 bits of subkey including , , , , , , , , , , , , , , , , , , , , , , , and . Set counters and initialize their values as zero. Each candidate subkey has a counter. And, values of counters represent the number of plaintext pairs that satisfy the distinguisher under the corresponding candidate subkey.

For the right candidate subkey, one plaintext pair satisfies the distinguisher. However, for wrong candidate subkeys, plaintext pair satisfies the distinguisher on average. We pick the candidate subkey whose counter is maximum as the right subkey. The time complexity is , the memory complexity is , and the data complexity is .

For the 80-bit master key, we have already guessed 24 bits. To obtain the left 56 bits, we use a brute-force search. The time complexity is . The memory and data complexity could be omitted.

Hence, we give a key-recovery attack towards 9-round BORON with time complexity , memory complexity , and data complexity .

We use the method in [21] to evaluate the success probability of this attack. The success probability is computed as follows:where , is the probability of the differential trail, is the number of plaintext pairs, is the advantage, and is the signal-to-noise ratio. In our differential cryptanalysis,

4.2. Linear Cryptanalysis

Based on the 9-round optimal linear trail listed in Table 5, we could present a key-recovery attack against 11-round BORON by linking one more round at the head and tail of this 9-round linear trail.

The number of plaintexts required in the key-recovery attack is equal to , where is the bias of the linear approximation and c is a constant [10]. Set , and then we need plaintexts to achieve this attack and the success probability of this attack is .

We need to guess 28 bits of subkey and 24 bits of subkey . Considering the 128-bit key schedule, there are 10 same bits between and . In total, we need to guess 42 bits to obtain 5-bit key information. This key-recovery attack requires one-round encryptions, which is equivalent to 11-round encryptions. The left 123 bits need to be searched by brute-force.

Hence, the time complexity is , memory complexity is , and data complexity is .

5. Conclusion

In this paper, we present the first third-party cryptanalysis of the lightweight block cipher BORON against differential and linear cryptanalysis. By the automatic tool, we search for differential and linear trails with the minimal number of active S-boxes and trails with the optimal probability and bias. Considering the optimal trails as distinguishers, we mount key-recovery attacks. Utilizing the 8-round differential trail with the optimal probability , we give a key-recovery attack towards 9-round BORON whose time complexity is , data complexity is , and memory complexity is . By the 9-round linear trail with the optimal bias , we describe the key-recovery attack towards 11-round BORON whose time complexity is , data complexity is , and memory complexity is . Besides differential and linear cryptanalysis, there are other powerful cryptanalysis techniques. Further security evaluations could be made in future work.

Data Availability

The codes and trails used to support the findings of this study have been deposited in the GitHub (https://github.com/CatherineLiang/Cryptanalysis-of-BORON).

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The authors thank Associate Professor Wu Hongjun from Nanyang Technological University for careful discussion. This work was supported by the National Cryptography Development Fund (no. MMJJ20170102), National Natural Science Foundation of China (grant no. 61572293), Major Scientific and Technological Innovation Projects of Shandong Province, China (no. 2017CXGC0704), Fundamental Research Fund of Shandong Academy of Sciences (grant no. 2018:12-16), and the China Scholarship Council (no. CSC201906220073).

References

A. Bogdanov, L.-R. Knudsen, G. Leander et al., “PRESENT: an ultra-lightweight block cipher,” in Cryptographic Hardware and Embedded Systems—CHES 2007, P. Paillier and I. Verbauwhede, Eds., vol. 4727, pp. 450–466, Springer, Heidelberg, Germany, 2007.
View at: Publisher Site | Google Scholar
T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, “The 128-bit blockcipher CLEFIA (extended abstract),” in Fast Software Encryption, A. Biryukov, Ed., vol. 4593, pp. 181–195, Springer, Heidelberg, Germany, 2007.
View at: Publisher Site | Google Scholar
J. Borghoff, A. Canteaut, T. Güneysu et al., “PRINCE—a low-latency block cipher for pervasive computing applications,” in Advances in Cryptology—ASIACRYPT 2012, X. Wang and K. Sako, Eds., vol. 7658, pp. 208–225, Springer, Heidelberg, Germany, 2012.
View at: Publisher Site | Google Scholar
R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The SIMON and SPECK families of lightweight block ciphers,” Tech. Rep., 2013, https://eprint.iacr.org/2013/404.pdf.
View at: Google Scholar
C. Beierle, J. Jean, S. Kölbl et al., “The SKINNY family of block ciphers and its low-latency variant MANTIS,” in Advances in Cryptology—CRYPTO 2016, M. Robshaw and J. Katz, Eds., vol. 9815, pp. 123–153, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site | Google Scholar
S. Banik, S.-K. Pandey, T. Peyrin, Y. Sasaki, S.-M. Sim, and Y. Todo, “GIFT: a small present,” in Lecture Notes in Computer Science, W. Fischer and N. Homma, Eds., vol. 10529, pp. 321–345, Springer, Heidelberg, 2017.
View at: Publisher Site | Google Scholar
R. Avanzi, “The QARMA block cipher family,” 2016, https://eprint.iacr.org/2016/444.pdf.
View at: Google Scholar
G. Bansod, N. Pisharoty, and A. Patil, “BORON: an ultra-lightweight and low power encryption design for pervasive computing,” Frontiers of Information Technology & Electronic Engineering, vol. 18, no. 3, pp. 317–331, 2017.
View at: Publisher Site | Google Scholar
E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, vol. 4, no. 1, pp. 3–72, 1991.
View at: Publisher Site | Google Scholar
M. Matsui, “Linear cryptanalysis method for DES cipher,” in Advances in Cryptology—EUROCRYPT ’93, vol. 765, pp. 386–397, Springer, Heidelberg, Germany, 1993.
View at: Publisher Site | Google Scholar
S. Kölbl, G. Leander, and T. Tiessen, “Observations on the SIMON block cipher family,” in Lecture Notes in Computer Science, R. Gennaro and M. Robshaw, Eds., vol. 9215, pp. 161–185, Springer, Heidelberg, Germany, 2015.
View at: Publisher Site | Google Scholar
Y. Liu, Q. Wang, and V. Rijmen, “Automatic search of linear trails in ARX with applications to SPECK and Chaskey,” in Applied Cryptography and Network Security, M. Manulis, A. R. Sadeghi, and S. Schneider, Eds., vol. 9696, pp. 485–499, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site | Google Scholar
N. Mouha and B. Preneel, “towards finding optimal differential characteristics for ARX: application to Salsa20,” 2013, https://eprint.iacr.org/2013/328.pdf.
View at: Google Scholar
N. Mouha, Q. Wang, D. Gu, and B. Preneel, “Differential and linear cryptanalysis using mixed-integer linear programming,” in Information Security and Cryptology, C.-K. Wu, M. Yung, and D. Lin, Eds., vol. 7537, pp. 57–76, Springer, Heidelberg, Germany, 2011.
View at: Publisher Site | Google Scholar
S. Sun, L. Hu, P. Wang, K. Qiao, X. Ma, and L. Song, “Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers,” in Lecture Notes in Computer Science, P. Sarkar and T. Iwata, Eds., vol. 8873, pp. 158–178, Springer, Heidelberg, Germany, 2014.
View at: Publisher Site | Google Scholar
V. Ganesh, T. Hansen, M. Soos, D. Liew, and R. Govostes, “STP constraint solver,” 2007, https://github.com/stp/stp.
View at: Google Scholar
R. Ankele and S. Kölbl, “Mind the gap—a closer look at the security of block ciphers against differential cryptanalysis,” in Selected Areas in Cryptography—SAC 2018, C. Cid and M.-J. Jacobson Jr., Eds., vol. 11349, pp. 163–190, Springer, Heidelberg, Germany, 2019.
View at: Publisher Site | Google Scholar
A. Biryukov and V. Velichkov, “Automatic search for differential trails in ARX ciphers,” in Topics in Cryptology—CT-RSA 2014, J. Benaloh, Ed., vol. 8366, pp. 227–250, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site | Google Scholar
A. Biryukov, V. Velichkov, and Y.-L. Corre, “Automatic search for the best trails in ARX: application to block cipher SPECK,” in Fast Software Encryption, T. Peyrin, Ed., vol. 9783, pp. 289–310, Springer, Heidelberg, Germany, 2016.
View at: Publisher Site | Google Scholar
Y. Sasaki and Y. Todo, “New impossible differential search tool from design and cryptanalysis aspects,” in Lecture Notes in Computer Science, J. S. Coron and J. Nielsen, Eds., vol. 10212, pp. 185–215, Springer, Heidelberg, Germany, 2017.
View at: Publisher Site | Google Scholar
A.-A. Selçuk and A. Biçak, “On probability of success in linear and differential cryptanalysis,” in Security in Communication Networks, S. Cimato, G. Persiano, and C. Galdi, Eds., vol. 2576, pp. 174–185, Springer, Heidelberg, Germany, 2002.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2019 Huicong Liang and Meiqin Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1649

Downloads

1236

Citations