Abstract

SPARX is a family of ARX-based block ciphers designed according to the long-trail strategy; it uses 32-bit ARX-based SBoxes and has provable bounds against single-differential and single-linear cryptanalysis. Since its proposal, several third-party cryptanalysis results have been presented. As far as we know, the best previous attacks against SPARX-64 cover 16 (out of 24) rounds. In this paper, we propose zero-correlation linear attacks on SPARX-64. First, we construct new zero-correlation linear distinguishers covering 14 and 15 rounds of SPARX-64. Then, 15-, 16-, 17- and 18-round versions can be attacked using the multidimensional or multiple zero-correlation linear attack models, under the DKP (distinct known plaintexts) setting. These are the best attacks against SPARX-64 to date in terms of the number of attacked rounds. Finally, we transform the zero-correlation distinguishers into integral ones using existing methods; the resulting integral distinguishers are also longer than the ones proposed by the designers.

1. Introduction

SPARX [1], introduced by Dinu et al. at ASIACRYPT'16, is the first ARX-based family of block ciphers designed with the aim of providing provable security against single-trail differential and linear cryptanalysis. To achieve this, the designers developed the long-trail strategy, which differs from the well-studied wide-trail strategy [2] used in the design of AES. The long-trail strategy advocates the use of large and comparatively expensive SBoxes in conjunction with cheaper and weaker linear layers. All instances of SPARX (SPARX-64/128, SPARX-128/128 and SPARX-128/256) use three or four rounds of SPECK [3] with subkeys as the big SBox, which can be specified using three simple operations: addition modulo 2^16, 16-bit rotations (to the left and to the right) and 16-bit Xor.

There have been several cryptanalysis results on the SPARX family. The designers gave provable bounds on the probability of differential characteristics and on the bias of linear trails: there is no differential or linear trail with significant probability over 5 (or more) steps. They also mounted integral attacks with the help of Todo's division property [4]. For SPARX-64/128, the attack covers 15 rounds and recovers the key in time using chosen plaintexts. Moreover, the integral attacks cover 22-round SPARX-128/128 and 24-round SPARX-128/256. Then Abdelkhalek et al. [5] attacked 16-round SPARX-64/128 using an impossible differential attack, with the help of one 13-round distinguisher and the dependencies between the subkeys. Later, Tolba et al. [6] proposed multidimensional zero-correlation linear attacks on up to 25 rounds of SPARX-128/256 and 22 rounds of SPARX-128/128. Recently, Ankele and List [7] presented chosen-ciphertext differential attacks on 16-round SPARX-64/128. Previous attack results on SPARX-64/128 are compared in Table 1.

There are no zero-correlation cryptanalysis results on SPARX-64/128 in the literature, and we focus on this method in this paper. Zero-correlation linear cryptanalysis [8] is a powerful tool for the cryptanalysis of block ciphers. Just as an impossible differential distinguisher uses a differential with probability zero, a zero-correlation distinguisher uses a linear hull with correlation zero. The technique has since been developed further and new models have been proposed, such as multiple zero-correlation linear cryptanalysis [9], multidimensional zero-correlation linear cryptanalysis [10] and some improved versions [11, 12]. In particular, Sun et al. [12] removed the approximation of the -distribution by the normal distribution in the construction of the multiple and multidimensional zero-correlation linear attack (MPZC and MDZC) models, which lifted the restriction that the number '' of zero-correlation linear hulls must be large enough. The new models are called -MPZC and -MDZC.

To improve the time complexity of linear attacks using Matsui's Algorithm 2, an FFT technique was proposed in [13]. When the target bit of the linear approximation is a function of , the Xor of a data-dependent value and a key value, where both are -bit values, the counters for all key guesses can be computed at once, and the time can be improved from to simple calculations.

Our Contributions. We evaluate the security of SPARX-64/128 against zero-correlation cryptanalysis in this paper:
(1) We find new zero-correlation distinguishers. By extending the existing simple zero-correlation distinguisher proposed in [6], we construct several multidimensional zero-correlation distinguishers covering 14-round SPARX-64. Moreover, with a careful selection of the input mask, we can extend some distinguishers by one more round and obtain three 15-round zero-correlation distinguishers. These are the longest zero-correlation linear distinguishers of SPARX-64 that we know of.
(2) Using the new zero-correlation distinguishers, we mount zero-correlation linear attacks with the multiple/multidimensional zero-correlation linear cryptanalysis model of [12]. The multidimensional zero-correlation attack covers 15 and 16 rounds using 14-round distinguishers, and the zero-correlation attack with one single 15-round linear hull covers 17 rounds. Furthermore, with the help of the FFT technique, we can also attack 18-round SPARX-64. These are the best attacks in terms of the number of rounds attacked.
(3) We also transform the zero-correlation linear distinguishers into integral distinguishers. As a result, we obtain 14-round and 15-round integral distinguishers with the balanced property. The balanced property means that every value occurs equally often in the output set of the integral distinguisher, whereas the zero-sum property only means that the Xor-sum is zero.

Outline. In Sect. 2 we describe the target block cipher SPARX-64/128 and the zero-correlation linear attack models. In Sect. 3 we show how to construct the 14-round and 15-round zero-correlation linear distinguishers for SPARX-64. We then give the multidimensional and multiple zero-correlation linear attacks on SPARX-64 in Sect. 4 and Sect. 5. Sect. 6 describes new integral distinguishers, and Sect. 7 concludes the paper.

2. Preliminaries

2.1. Notations

The following symbols and notations are used throughout this paper:
(i) : addition modulo 2^16
(ii) : bit-wise Xor
(iii) : 16-bit rotation to the left
(iv) : 16-bit rotation to the right
(v) : concatenation of two bit strings
(vi) : left half (16 bits) of the 32-bit word
(vii) : right half (16 bits) of the 32-bit word
(viii) SPECKEY-3R: three rounds of SPECKEY
(ix) , : the subkeys used in the left and right SPECKEY-3R, respectively, of the -th step of SPARX-64. Each consists of three 32-bit words , used in the three rounds of SPECKEY-3R, respectively
(x) (, ): the -bit of '' ('', ''); '' denotes one undetermined bit
(xi) : the -th bit of the bit string ; is the least significant bit
(xii) : the concatenation of ,

2.2. Brief Description of SPARX-64/128

SPARX-64/128 is the lightest instance of the SPARX family. It operates on two 32-bit words and uses a 128-bit key. There are 8 steps with 3 rounds per step, i.e., 24 rounds in total. A high-level view of SPARX-64/128 and the general structure of a step are shown in Figure 1. Both branches apply the non-linear operation SPECKEY-3R, i.e., three rounds of SPECKEY involving three 32-bit subkeys. SPECKEY splits the 32-bit branch into two 16-bit halves and Xors the left and right halves of the subkey, i.e., and , into them before the non-linear operations. The linear layer operates on a 32-bit value as follows:

In the -th step of SPARX-64, six 32-bit subkeys are involved: are used in the left SPECKEY-3R and in the right SPECKEY-3R.

The permutation of the 128-bit key state used in the key schedule is simple and is shown in Algorithm 1. For more details, please refer to [1].

Input:
Output:
,
For to do
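The step structure and key schedule described above, as a runnable implementation. This is an added example and not code from the paper or from the SPARX designers: it is reconstructed from the designers' public reference implementation (SPECKEY rotations 7 and 2 as in SPECK-32, L as an Xor of both halves with the 8-bit rotation of their sum, and a key permutation consisting of A on the first 32-bit word, half-wise addition of the result into the second word, a step counter added into the low half of the fourth word, and a rotation of the four words), so verify it against the test vectors of [1] before relying on it. Subkey sets are numbered as in Sect. 2.1: sets 2s and 2s+1 are the left and right subkeys of step s, and the last set is the post-whitening key mentioned in Sect. 7. The `n_steps` parameter is an addition for experiments and counts steps of three rounds.

```python
"""SPARX-64/128 in pure Python: SPECKEY round A, SPECKEY-3R, the linear layer L of
SPARX-64, the key permutation of Algorithm 1 and the 8-step encryption with whitening.
Reconstructed from the designers' reference code; check against the vectors in [1]."""
MASK16 = 0xFFFF
N_STEPS, ROUNDS_PER_STEP = 8, 3


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def rotr16(x, r):
    return rotl16(x, 16 - r)


def speck_round(l, r):
    """A: the key-less Speck-32 round, l = (l >>> 7) + r, r = (r <<< 2) ^ l."""
    l = (rotr16(l, 7) + r) & MASK16
    return l, rotl16(r, 2) ^ l


def speck_round_inv(l, r):
    r = rotr16(r ^ l, 2)
    return rotl16((l - r) & MASK16, 7), r


def speckey_3r(l, r, subkeys, inverse=False):
    """SPECKEY-3R on one 32-bit branch: each of the three rounds Xors a 32-bit subkey
    (left half into l, right half into r) and then applies A."""
    if not inverse:
        for k in subkeys:
            l, r = speck_round(l ^ (k >> 16), r ^ (k & MASK16))
    else:
        for k in reversed(subkeys):
            l, r = speck_round_inv(l, r)
            l, r = l ^ (k >> 16), r ^ (k & MASK16)
    return l, r


def linear_layer(x_l, x_r):
    """L of SPARX-64 on a 32-bit word: t = (x_l ^ x_r) <<< 8, output (x_l ^ t, x_r ^ t).
    L is an involution, so decryption reuses it unchanged."""
    t = rotl16(x_l ^ x_r, 8)
    return x_l ^ t, x_r ^ t


def key_schedule(master_key):
    """Expand a 128-bit key into 17 sets of three 32-bit subkeys: set 2s feeds the left
    SPECKEY-3R of step s, set 2s+1 the right one, and set 16 is the post-whitening key.
    Between sets, the 128-bit state (eight 16-bit halves k[0..7]) is permuted as in
    Algorithm 1 (assumed from the reference code): A on the first word, its halves
    added into the second word, the step counter added into the low half of the fourth
    word, then the four 32-bit words rotated by one position."""
    k = [(master_key >> (16 * (7 - i))) & MASK16 for i in range(8)]
    sets = []
    for counter in range(1, 2 * N_STEPS + 2):
        sets.append([(k[2 * i] << 16) | k[2 * i + 1] for i in range(ROUNDS_PER_STEP)])
        k[0], k[1] = speck_round(k[0], k[1])
        k[2], k[3] = (k[2] + k[0]) & MASK16, (k[3] + k[1]) & MASK16
        k[7] = (k[7] + counter) & MASK16
        k = k[6:] + k[:6]
    return sets


def _split(block):
    return [(block >> s) & MASK16 for s in (48, 32, 16, 0)]


def _join(x):
    return (x[0] << 48) | (x[1] << 32) | (x[2] << 16) | x[3]


def _whiten(x, kw):
    return [x[0] ^ (kw[0] >> 16), x[1] ^ (kw[0] & MASK16),
            x[2] ^ (kw[1] >> 16), x[3] ^ (kw[1] & MASK16)]


def encrypt(pt, key, n_steps=N_STEPS):
    """Encrypt a 64-bit block; n_steps < 8 gives a reduced-step variant without whitening."""
    sets, x = key_schedule(key), _split(pt)
    for s in range(n_steps):
        x[0], x[1] = speckey_3r(x[0], x[1], sets[2 * s])
        x[2], x[3] = speckey_3r(x[2], x[3], sets[2 * s + 1])
        l0, l1 = linear_layer(x[0], x[1])
        x = [x[2] ^ l0, x[3] ^ l1, x[0], x[1]]   # right ^= L(left), then swap branches
    if n_steps == N_STEPS:
        x = _whiten(x, sets[2 * N_STEPS])
    return _join(x)


def decrypt(ct, key, n_steps=N_STEPS):
    sets, x = key_schedule(key), _split(ct)
    if n_steps == N_STEPS:
        x = _whiten(x, sets[2 * N_STEPS])
    for s in reversed(range(n_steps)):
        l0, l1 = linear_layer(x[2], x[3])
        x = [x[2], x[3], x[0] ^ l0, x[1] ^ l1]   # undo the swap and the cross-branch Xor
        x[0], x[1] = speckey_3r(x[0], x[1], sets[2 * s], inverse=True)
        x[2], x[3] = speckey_3r(x[2], x[3], sets[2 * s + 1], inverse=True)
    return _join(x)


if __name__ == "__main__":
    key, pt = 0x0123456789ABCDEF0123456789ABCDEF, 0x0123456789ABCDEF
    ct = encrypt(pt, key)
    print("%016x -> %016x, round trip %s" % (pt, ct, decrypt(ct, key) == pt))
```

The subkey dependencies exploited in Sect. 5.2 can be read off `key_schedule` directly: the first word of every set is the fourth word of the previous set with the counter added into its low half, and the second word of every set is A applied to the previous first word.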
2.3. Multiple/Multidimensional Zero-Correlation Cryptanalysis

We start this section with an introduction to the MPZC and MDZC models. Suppose that there are plaintext-ciphertext samples and zero-correlation linear approximations for an -bit block cipher. For the -th approximation, the adversary counts the samples for which the linear approximation holds and obtains the corresponding counter . Under the MPZC model, the adversary evaluates the following statistic:

In the MDZC model, the zero-correlation linear approximations form a linear space (together with the zero vector) of dimension , so that . For each plaintext-ciphertext sample, the adversary evaluates the basis linear approximations and obtains an -bit value . By iterating over all samples, the adversary obtains a counter vector with . The statistic used in MDZC is:

To estimate the data complexity and success probability, Blondeau and Nyberg [14] considered two sampling models, KP and DKP. In the KP setting the samples are drawn at random with replacement, while in the DKP setting the plaintext-ciphertext samples are required to be distinct. In [14], Blondeau and Nyberg proved that and follow the same distribution when the same sampling method is applied, and gave estimates of the data complexity under these two sampling models for MPZC and MDZC. Later, Sun et al. proposed -MPZC and -MDZC, in which the statistics are modelled by -distributions [12] instead of normal distributions.

Two types of errors are considered:
(i) Type-1 error: wrongly discarding the cipher (false negative), with probability . This determines the success probability .
(ii) Type-2 error: wrongly accepting a randomly chosen permutation as the cipher (false positive), with probability . This determines the time complexity of the exhaustive search phase, which is , where is the length of the master key.

The -MPZC and -MDZC models evaluate the data complexity as follows, where and are the respective quantiles of the -distribution with degrees of freedom evaluated at the points and . In the attacks, the threshold value used to distinguish the cipher from a randomly chosen permutation is computed as .

Theorem 1 ([12]).
Suppose that the linear approximations involved satisfy the hypotheses of [14]. The number of KPs required in an MPZC or MDZC linear attack is , and the number of DKPs required in an MPZC or MDZC linear attack is .

3. Zero-Correlation Linear Hulls of SPARX-64

The 12-round zero-correlation linear hull of SPARX-64 proposed in [6] is shown in Figure 2; it is . The masks are derived from the input mask , while are derived from the output mask . The contradiction appears at the second linear layer , where the input mask is zero while the output mask is the non-zero value . This distinguisher is analogous to the 5-round zero-correlation linear hull of a Feistel structure with bijective round functions [8] and exploits only the properties of the structure. In the following subsections, we study in detail how linear masks propagate through SPECKEY and construct longer zero-correlation linear hulls.

Since SPECKEY consists only of Xor, modular addition, branching and rotation, we first review how linear masks propagate through these operations. Let be values and the corresponding masks, and suppose that the position of the first '1' bit counted from the MSB is for . The relations between the masks are given in Table 2.

Only the modular addition is non-linear, and the corresponding correlation may differ from one. However, when or , the correlation of the approximation across the addition is equal to 1.
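The mask-propagation rules of Table 2 and the correlation-one cases of modular addition can be checked mechanically. The following added example (not code from the paper) computes the exact correlation of any linear approximation of n-bit modular addition by walking the bits from the LSB with the carry as the only state, checks the result against brute force for 8-bit words, and pushes an input/output mask pair through one key-less SPECKEY round (rotations 7 and 2, as in SPECK-32 [3]) down to the masks seen by the adder. This is the computation behind the backward and forward extensions of Sect. 3.1 and 3.2: rotation, branching and Xor fix the masks deterministically, and only the adder contributes a correlation. The subkey Xor at the start of a SPECKEY round only flips the sign of a correlation, so the absolute values hold for every key.

```python
"""Exact linear correlations of modular addition and of one key-less SPECKEY round.
Added example; not code from the paper or from the SPARX designers."""
from fractions import Fraction
import random

WORD = 16


def rotl(x, r, n=WORD):
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def rotr(x, r, n=WORD):
    return rotl(x, n - r, n)


def add_correlation(alpha, beta, gamma, n=WORD):
    """Correlation of alpha.x ^ beta.y = gamma.((x + y) mod 2^n) over all (x, y).
    Bits are processed from the LSB; the carry is the only state, so the cost is
    linear in n and the result is exact (a Fraction), with no sampling."""
    v = [1, 0]            # signed count of (x, y) prefixes with carry 0 / carry 1
    for i in range(n):
        a, b, g = (alpha >> i) & 1, (beta >> i) & 1, (gamma >> i) & 1
        nxt = [0, 0]
        for c in (0, 1):
            for x in (0, 1):
                for y in (0, 1):
                    z = x ^ y ^ c                        # sum bit i
                    carry = (x & y) | (c & (x ^ y))      # carry into bit i+1
                    sign = -1 if (a & x) ^ (b & y) ^ (g & z) else 1
                    nxt[carry] += v[c] * sign
        v = nxt
    return Fraction(v[0] + v[1], 4 ** n)


def add_correlation_bruteforce(alpha, beta, gamma, n):
    """Reference computation by enumeration; feasible only for small n."""
    mask, total = (1 << n) - 1, 0
    for x in range(1 << n):
        for y in range(1 << n):
            par = bin((alpha & x) ^ (beta & y) ^ (gamma & ((x + y) & mask))).count("1") & 1
            total += -1 if par else 1
    return Fraction(total, 4 ** n)


def speckey_round_masks(in_l, in_r, out_l, out_r):
    """Push input mask (in_l, in_r) and output mask (out_l, out_r) of the key-less round
    (l, r) -> (l' = (l >>> 7) + r, r' = (r <<< 2) ^ l') through rotation, branch and Xor
    (the rules of Table 2) and return the masks (alpha, beta, gamma) seen by the adder."""
    gamma = out_l ^ out_r           # l' and r' both contain the sum: Xor merges the masks
    alpha = rotr(in_l, 7)           # mask on the rotated left input of the adder
    beta = in_r ^ rotr(out_r, 2)    # r feeds the adder and, rotated, the Xor branch
    return alpha, beta, gamma


def speckey_round_correlation(in_l, in_r, out_l, out_r):
    """Exact correlation of a one-round linear approximation of key-less SPECKEY."""
    return add_correlation(*speckey_round_masks(in_l, in_r, out_l, out_r))


def speckey_round(l, r):
    l = (rotr(l, 7) + r) & 0xFFFF
    return l, rotl(r, 2) ^ l


def empirical_round_correlation(in_l, in_r, out_l, out_r, samples=4096, seed=1):
    """Sampled correlation of the same approximation (constructed random inputs)."""
    rng, total = random.Random(seed), 0
    for _ in range(samples):
        l, r = rng.getrandbits(16), rng.getrandbits(16)
        l2, r2 = speckey_round(l, r)
        par = bin((in_l & l) ^ (in_r & r) ^ (out_l & l2) ^ (out_r & r2)).count("1") & 1
        total += -1 if par else 1
    return total / samples


if __name__ == "__main__":
    # LSB-only masks: the adder sees (1, 1, 1) and the whole round has correlation 1
    print(speckey_round_correlation(0x0080, 0x0001, 0x0001, 0x0000))
    # one bit higher already costs a factor 2, the MSB position costs 2^-15
    print(add_correlation(0x0002, 0x0002, 0x0002), add_correlation(0x8000, 0x8000, 0x8000))
```

`add_correlation` returns an exact rational, so a correlation of 0 (as for a mask that touches only one input of the adder) is certified rather than estimated; `empirical_round_correlation` is only there to show that the correlation-one case holds on every sample.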

3.1. Expand the Linear Hull with Input Mask Backward with Correlation One

In fact, by restricting the values of and , we can increase the number of rounds of the zero-correlation linear hull. The main idea is to let the input mask (or output mask) go one more round backward (or forward) with correlation one. The only non-linear operation in a SPECK round is the modular addition, so we want the corresponding input or output mask of the addition to be or , which yields linear approximations with correlation one.

For the input mask , we want to be or , where are the output masks of the additions in Figure 3. It is easy to see that and , where denotes the transform of the linear layer. So we obtain the following four equations:

According to , only the first and fourth equations have solutions: (i) Equation (4) holds when ; (ii) Equation (7) holds when .

We set the condition (see the left part of Figure 3) and derive that the linear mask becomes after one decrypted round. Going one step further, there is . To extend by one more round with correlation one, we again need the corresponding masks to be or , which gives the only non-zero solution . Finally, we obtain the linear mask after two decrypted rounds.

Similarly, under the condition (see the right part of Figure 3), we derive that

Then there is . In this situation, no value of satisfies simultaneously. This means that when , we can expand the linear hull backward by only one round with correlation one, and not by two rounds.

3.2. Expand the Linear Hull with Output Mask Forward with Correlation One

For the output linear mask , we follow a similar method (see Figure 4). First, we want the linear masks to take the value or , which gives the following equations:

According to , the only solutions are as follows: (i) Equation (4) holds when ; (ii) Equation (5) holds when ; (iii) Equation (7) holds when ; (iv) Equation (8) holds when .

Figure 4 gives the detailed propagation of the output linear mask when or . The output mask after one more round is , respectively. Otherwise, when , there is

The resulting zero-correlation linear hulls are listed in Table 3, where denotes the number of rounds of the distinguisher.

4. Multidimensional Zero-Correlation Cryptanalysis of SPARX-64 Using 14-round Distinguishers

In this section, we give 15-round and 16-round multidimensional attacks using 14-round zero-correlation distinguishers in the DKP sampling setting.

4.1. 15-Round Multidimensional Zero-Correlation Attack with One 14-round Distinguisher

We use one 14-round multidimensional zero-correlation distinguisher to mount the attack. By adding one round at the top, the attack covers 15 rounds. The symbols denote the corresponding states derived from the plaintexts or ciphertexts (see Figure 5). Given enough plaintext-ciphertext samples, we guess the corresponding subkeys and count the occurrences of all possible values of .

Since the MSB of , i.e., , is linear in and , there is no need to guess these two key bits in the attack; for simplicity we set them to . Similarly, we can also set and to constant values. So in the round before the distinguisher, the key bits to be guessed are and . Since is linear in and , no key bits need to be guessed in the backward rounds.

Suppose the number of samples in the attack is . The attack procedure is as follows.
Step 1. For the values of , suppose ; then . We compute

We obtain the values of .
Step 2. Guess the valid bits of , encrypt by one round and obtain . Store the counts of .
Step 3. Guess the valid bits of , encrypt by one round and obtain . Store the counts of .
Step 4. For each guessed key, compute the statistic used in the multidimensional zero-correlation attack, i.e.,
where . When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.

Setting and , we compute the data complexity and threshold . The first three steps need encryptions, and the last step needs encryptions. So the total time complexity is about encryptions.

4.2. 16-Round Multidimensional Zero-Correlation Attack with One 14-round Distinguisher

We can append one more round at the bottom to attack 16 rounds (see Figure 6). To control the time complexity, we use only part of the above distinguisher: in detail, we only consider input masks of the form , which means the distinguisher has dimension . Thus need to be guessed.

For the output mask , we expand it by one round. The mask pattern at becomes . Only the key bits that enter non-linearly need to be guessed in the last round, which means we only consider .

The attack procedure is as follows.
(1) For the values of , compress by one round and obtain and .
(2) Guess the bits of , encrypt by one round and obtain . Store the counts of .
(3) Guess the valid bits of , decrypt by one round and obtain . Store the counts of .
(4) Guess the valid bits of , decrypt by one round and obtain . Store the counts of .
(5) For each guessed key, compute the statistic used in the multidimensional zero-correlation attack, i.e.,
where . When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.

Setting , and , we compute the data complexity and threshold . The first four steps need encryptions, and the last step needs encryptions. So the total time complexity is about encryptions.

5. Zero-Correlation Cryptanalysis of SPARX-64 Using 15-round Distinguisher

In this section, we give 17-round and 18-round attacks with the 15-round zero-correlation distinguisher in the DKP sampling setting. Note that there is only one single zero-correlation linear hull; nevertheless, we can still use the multiple zero-correlation linear attack model to estimate the data complexity, as shown in [12].

5.1. 17-Round Zero-Correlation Attack with One 15-round Distinguisher

We use the 15-round zero-correlation distinguisher to attack 17-round SPARX-64/128.

We add one round at the top and one round at the bottom, similarly to the 16-round attack, except that the distinguisher here covers 15 rounds (see Figure 7). The key bits involved in this attack are and .

The attack procedure is as follows.
(1) For the values of , compress by one round and obtain and .
(2) Guess the bits of , encrypt by one round and obtain . Count the samples according to the sign of ( if , if ).
(3) Guess the valid bits of , decrypt by one round and obtain . Count the samples according to the sign of .
(4) Guess the valid bits of , decrypt by one round and obtain . Compute the final counter according to the sign of .
(5) For each guessed key, compute the statistic used in the multiple zero-correlation attack, i.e.,

When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.

Setting and , we compute the data complexity and threshold . The first four steps need encryptions, and the last step needs encryptions. So the total time complexity is encryptions.

5.2. 18-Round Zero-Correlation Attack with One 15-round Distinguisher

By adding one more round at the top of the 17-round attack, we extend the attack to 18 rounds. The key bits involved in the first round are and . According to the key schedule, we know that

Let be the plaintext-ciphertext pair. The attack procedure is as follows.
(1) For the values of , guess the bits of , encrypt by two rounds and obtain

Count the samples according to the value of ( if , if ), where .
(2) Clearly the target bit, i.e., , is a function of , where . So the target counter can be computed for all possible keys using the FFT technique.
(3) For each guessed key, compute the statistic used in the multiple zero-correlation attack, i.e.,

When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.

Setting and , we compute the data complexity and threshold . The first step needs encryptions, the second step needs simple calculations, and the last step needs encryptions. So the total time complexity is encryptions.
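The counter computation of step (2) above, and the FFT technique of [13] described in the introduction, as an added example that is not the paper's code. Counting, for every guess of an m-bit key, the samples whose target bit is 1 is a convolution over the Xor group of m-bit values, so one Walsh-Hadamard transform of the sample counts, one of the target-bit table and one more transform of their product replace the loop over all key/data pairs. The target function below is a constructed stand-in (10-bit values split into two 5-bit halves, a Speck-like round and a fixed output mask); the real first-round function and masks of the 18-round attack are not reproduced here, and the sample counts come from a seeded random source, marked as constructed.

```python
"""Key-guess counters via the Walsh-Hadamard (FFT) trick of [13].  Added example;
the target function and the samples are constructed, not taken from the paper."""
import random

M = 10                  # the data value x and the key k are both M-bit values
HALF = M // 2
HMASK = (1 << HALF) - 1


def rotl(x, r, n=HALF):
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def target_bit(v):
    """Constructed stand-in for the attack's target bit f(x ^ k): split the M-bit value
    into halves, apply a Speck-like round (rotate, add, rotate, Xor) and take the parity
    of a fixed output mask, so the bit is non-linear in v."""
    l, r = v >> HALF, v & HMASK
    l = (rotl(l, HALF - 2) + r) & HMASK      # (l >>> 2) + r
    r = rotl(r, 1) ^ l
    return bin(((l << HALF) | r) & 0x2D5).count("1") & 1


F_TABLE = [target_bit(x) for x in range(1 << M)]


def walsh_hadamard(vec):
    """Fast Walsh-Hadamard transform over the integers (length a power of two).
    Applying it twice returns len(vec) times the input."""
    a, h = list(vec), 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def key_counters_naive(counts, f):
    """T[k] = sum_x counts[x] * f[x ^ k] for every key k: 2^M * 2^M look-ups."""
    n = len(counts)
    return [sum(counts[x] * f[x ^ k] for x in range(n)) for k in range(n)]


def key_counters_fft(counts, f):
    """Same T[k] by the dyadic convolution theorem: WHT(T) = WHT(counts) * WHT(f),
    so three transforms of cost M * 2^M each replace the 2^(2M) loop."""
    n = len(counts)
    c_hat, f_hat = walsh_hadamard(counts), walsh_hadamard(f)
    t = walsh_hadamard([a * b for a, b in zip(c_hat, f_hat)])
    return [v // n for v in t]        # exact: the double transform scales by n


def build_counts(num_samples, seed=7):
    """Constructed sample: how often each M-bit value x (the plaintext bits that enter
    the target function) occurs among the known-plaintext samples."""
    rng, counts = random.Random(seed), [0] * (1 << M)
    for _ in range(num_samples):
        counts[rng.getrandbits(M)] += 1
    return counts


if __name__ == "__main__":
    counts = build_counts(4000)
    fast = key_counters_fft(counts, F_TABLE)
    print(fast[:8], fast == key_counters_naive(counts, F_TABLE))
```

With the counters `T[k]` in hand, the MPZC statistic of step (3) follows for every key at once, since the empirical correlation of the approximation under key k is `2 * T[k] / N - 1`.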

6. Integral Distinguishers on SPARX

Zero-correlation linear distinguishers can be transformed into integral distinguishers according to the known results in [10, 15]. Theorem 2 restates the result of [15].

Theorem 2 (Corollary 4 in [15]).
Let be a function on , and let be a subspace of and . If is a zero-correlation linear hull of , then for any , is balanced on .

As a result, we can transform the linear hulls in Table 3 into integral distinguishers; some of them are given in Table 4.

Suppose the state of SPARX-64/128 is represented as , where each is a 16-bit word. The 12-round integral distinguisher means that if we set the values at and to constants and let the value at take all possible values, the values at after 4 steps (without the last linear layer) take all possible values. This is the same as the distinguisher proposed in [1].

The 14-round distinguisher means that when the values at take all possible values and , then after one SPECKEY round, four full steps and one more SPECKEY round, the one-bit value is balanced, where denotes the value after 14-round encryption. We can extend this distinguisher one more round forward with probability 1 to obtain a 15-round distinguisher. The input set has elements, which satisfy '0' (or '1').

7. Conclusion

We have presented zero-correlation cryptanalysis results on SPARX-64/128. 14-round and 15-round zero-correlation linear distinguishers have been proposed, which are the longest such distinguishers as far as we know. Then, with the help of the -MDZC and -MPZC models, we have given 15-, 16-, 17- and 18-round key-recovery attacks on SPARX-64/128 with post-whitening key. Our attacks cover the most rounds to date, while the best existing attacks on SPARX-64/128 cover 16 rounds. We have also transformed the new zero-correlation linear distinguishers into integral distinguishers; the longest one covers 15 rounds, three more than the existing 12-round zero-correlation distinguisher.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.