Abstract
SPARX is a family of ARX-based block ciphers designed according to the long-trail strategy; it uses 32-bit ARX-based S-Boxes and has provable bounds against single-differential and single-linear cryptanalysis. Since its proposal, some third-party cryptanalysis results have been presented. As far as we know, the best attacks against SPARX64 covered 16 (out of 24) rounds. In this paper, we propose zero-correlation linear attacks on SPARX64. First, we construct some new zero-correlation linear distinguishers covering 14-round and 15-round SPARX64. Then, the 15-, 16-, 17- and 18-round versions can be attacked using multidimensional or multiple zero-correlation linear attack models, under the DKP (distinct known plaintexts) setting. These are the best attacks against SPARX64 so far in terms of the number of attacked rounds. Finally, we transform the zero-correlation distinguishers into integral ones using existing methods; these are also longer than the ones proposed by the designers.
1. Introduction
SPARX [1], introduced by Dinu et al. at ASIACRYPT'16, is the first ARX-based family of block ciphers with the aim of providing provable security against single-trail differential and linear cryptanalysis. To achieve this, the designers developed the long-trail strategy, which differs from the well-studied wide-trail strategy [2] used in the design of AES. The long-trail strategy advocates the use of large and comparatively expensive S-Boxes in conjunction with cheaper and weaker linear layers. All instances of SPARX (SPARX64/128, SPARX128/128 and SPARX128/256) use three or four rounds of SPECK [3] with subkeys as the big S-Box, which can be specified using three simple operations: addition modulo (), 16-bit rotations ( and ) and 16-bit Xor ().
There have been some cryptanalysis results on the SPARX family. The designers gave provable bounds on the probability of differential characteristics and the bias of linear trails: there is no differential or linear trail with significant probability for 5 (or more) steps. They also mounted integral attacks with the help of Todo's division property [4]. For SPARX64/128, the attack covers 15 rounds and recovers the key in time using chosen plaintexts. Moreover, the integral attacks cover 22-round SPARX128/128 and 24-round SPARX128/256. Then Abdelkhalek et al. [5] attacked 16-round SPARX64/128 using an impossible differential attack, with the help of one 13-round distinguisher and the dependencies between the subkeys. Later, Tolba et al. [6] proposed multidimensional zero-correlation linear attacks on up to 25 rounds of SPARX128/256 and 22 rounds of SPARX128/128. Recently, Ankele and List [7] presented chosen-ciphertext differential attacks on 16-round SPARX64/128. Previous attack results on SPARX64/128 are compared in Table 1.
There are no zero-correlation cryptanalysis results on SPARX64/128 in the literature, and we focus on this method in this paper. Zero-correlation linear cryptanalysis [8] is a powerful tool in the cryptanalysis of block ciphers. Just as the impossible differential distinguisher uses a differential with probability zero, the zero-correlation distinguisher uses a linear hull with correlation zero. This technique has since been developed considerably and new models have been proposed, such as multiple zero-correlation linear cryptanalysis [9], multidimensional zero-correlation linear cryptanalysis [10] and some improved versions [11, 12]. In particular, Sun et al. [12] removed the approximation of the distribution by the normal distribution in the construction of the multiple and multidimensional zero-correlation linear attack (MPZC and MDZC) models, which lifted the restriction on the number '' of zero-correlation linear hulls, i.e., that '' should be large enough. The new models were called MPZC and MDZC.
To improve the time complexity of linear attacks using Algorithm 2, the FFT technique was proposed in [13]. When the target bit of the linear distinguisher is a function of , where are both -bit values, the time can be reduced from to simple calculations.
Our Contributions. We evaluate the security of SPARX64/128 using zero-correlation cryptanalysis in this paper:
(1) We find some new zero-correlation distinguishers. By extending the existing simple zero-correlation distinguisher proposed in [6], we construct several multidimensional zero-correlation distinguishers covering 14-round SPARX64. Moreover, with careful selection of the input mask, we can extend some distinguishers by one more round and obtain three 15-round zero-correlation distinguishers. These are the longest zero-correlation linear distinguishers of SPARX64 that we know of.
(2) Using the new zero-correlation distinguishers, we mount zero-correlation linear attacks with the multiple/multidimensional zero-correlation linear cryptanalysis model of [12]. The multidimensional zero-correlation attack covers 15 and 16 rounds using the 14-round distinguishers. The zero-correlation attack with one single 15-round linear hull covers 17 rounds. Moreover, with the help of the FFT technique, we can also attack 18-round SPARX64. These are the best attacks in terms of the number of rounds attacked.
(3) We also transform the zero-correlation linear distinguishers into integral distinguishers. As a result, we obtain some 14-round and 15-round integral distinguishers with the balanced property. The balanced property means that each value occurs equally often in the output set of the integral distinguisher, whereas the zero-sum property only means that the Xor-sum is zero.
Outline. First, we describe the target block cipher SPARX64/128 and the zero-correlation linear attack models in Sect. 2. In Sect. 3, we show how to construct the 14-round and 15-round zero-correlation linear distinguishers for SPARX64. Then we give the multidimensional zero-correlation and multiple zero-correlation linear cryptanalysis of SPARX in Sect. 4 and 5. Sect. 6 describes some new integral distinguishers, and finally Sect. 7 concludes this paper.
2. Preliminaries
2.1. Notations
The following symbols and notations are used throughout this paper:
(i) : addition modulo 
(ii) : bitwise Xor
(iii) : 16-bit rotation to the left
(iv) : 16-bit rotation to the right
(v) : concatenation of two bit strings
(vi) : left half (16-bit) of the word (32-bit)
(vii) : right half (16-bit) of the word (32-bit)
(viii) SPECKEY3R: three rounds of SPECKEY
(ix) , : the subkeys used in the left and right SPECKEY3R, respectively, of the th step of SPARX64. Each has three 32-bit words , used in the three rounds of SPECKEY3R, respectively
(x) (, ): bit of '' ('', ''). '' is one undetermined bit
(xi) : the th bit of bit string ; is the least significant bit
(xii) : the concatenation of , 
2.2. Brief Description of SPARX64/128
SPARX64/128 is the lightest instance of the SPARX family. It operates on two 32-bit words and uses a 128-bit key. There are 8 steps with 3 rounds per step. A high-level view of SPARX64/128 and the general structure of a step are shown in Figure 1. Both branches apply the nonlinear operation SPECKEY3R, i.e., three rounds of SPECKEY, involving three 32-bit subkeys. SPECKEY splits the state into two 16-bit branches and xors the left and right halves of the key, i.e., and , into the respective branches before the nonlinear operations. The linear layer operates on a 32-bit value as follows:
Figure 1: (a) SPECKEY; (b) ; (c) SPECKEY3R; (d) the th step of SPARX64.
In the th step of SPARX64, six 32-bit subkeys are involved. In particular, are used in the left SPECKEY3R and are used in the right SPECKEY3R.
The 128-bit permutation used in the key schedule is simple and is shown in Algorithm 1. For more details, please refer to [1].
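As an added illustration of the structure just described (this code is not from the SPARX designers or from this article), the following Python model implements SPECKEY, a step with its two SPECKEY3R branches and the linear layer, and the full 8-step SPARX64/128 with a post-whitening key. It assumes the Speck-32 rotation amounts 7 and 2 and a linear layer that rotates by 8, as in the published SPARX specification (this page does not reproduce them), and takes the subkeys as input instead of implementing the key schedule of Algorithm 1; the demo subkeys are constructed by a small generator that is not the SPARX key schedule.

```python
MASK16 = 0xFFFF


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def rotr16(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK16


def speckey(x, y, k):
    """One SPECKEY round on a 32-bit branch held as 16-bit halves (x, y).
    The left/right halves of the 32-bit subkey k are xored into x/y, then one
    Speck-32 ARX round follows (rotation amounts 7 and 2 are assumed from the
    SPARX specification; they are not stated on this page)."""
    x ^= (k >> 16) & MASK16
    y ^= k & MASK16
    x = (rotr16(x, 7) + y) & MASK16
    y = rotl16(y, 2) ^ x
    return x, y


def speckey_inv(x, y, k):
    """Inverse of speckey: undo the ARX round, then the key xor."""
    y = rotr16(y ^ x, 2)
    x = rotl16((x - y) & MASK16, 7)
    return x ^ ((k >> 16) & MASK16), y ^ (k & MASK16)


def linear_layer(x0, x1, x2, x3):
    """Linear layer L of SPARX64 (assumed form): the left branch and a rotated
    copy of the xor of its halves are xored into the right branch, then the
    two branches are swapped."""
    t = rotl16(x0 ^ x1, 8)
    return x2 ^ x0 ^ t, x3 ^ x1 ^ t, x0, x1


def linear_layer_inv(x0, x1, x2, x3):
    x0, x1, x2, x3 = x2, x3, x0, x1  # undo the swap, then repeat the xors
    t = rotl16(x0 ^ x1, 8)
    return x0, x1, x2 ^ x0 ^ t, x3 ^ x1 ^ t


def sparx64_step(state, left_keys, right_keys, apply_l=True):
    """One step: SPECKEY3R on each branch (three 32-bit subkeys per branch),
    then L. apply_l=False gives the 'minus the last linear layer' variant
    used for the integral distinguishers in Section 6."""
    x0, x1, x2, x3 = state
    for k in left_keys:
        x0, x1 = speckey(x0, x1, k)
    for k in right_keys:
        x2, x3 = speckey(x2, x3, k)
    return linear_layer(x0, x1, x2, x3) if apply_l else (x0, x1, x2, x3)


def sparx64_step_inv(state, left_keys, right_keys, apply_l=True):
    x0, x1, x2, x3 = linear_layer_inv(*state) if apply_l else state
    for k in reversed(left_keys):
        x0, x1 = speckey_inv(x0, x1, k)
    for k in reversed(right_keys):
        x2, x3 = speckey_inv(x2, x3, k)
    return x0, x1, x2, x3


def unpack64(v):
    return tuple((v >> s) & MASK16 for s in (48, 32, 16, 0))


def pack64(s):
    return (s[0] << 48) | (s[1] << 32) | (s[2] << 16) | s[3]


def sparx64_encrypt(pt, step_keys, whitening):
    """pt: 64-bit int; step_keys: one (left_keys, right_keys) pair per step;
    whitening: 64-bit post-whitening key xored in after the last step."""
    s = unpack64(pt)
    for lk, rk in step_keys:
        s = sparx64_step(s, lk, rk)
    return pack64(s) ^ whitening


def sparx64_decrypt(ct, step_keys, whitening):
    s = unpack64(ct ^ whitening)
    for lk, rk in reversed(step_keys):
        s = sparx64_step_inv(s, lk, rk)
    return pack64(s)


def demo_keys(steps=8):
    """Constructed subkeys from a small deterministic generator, for the demo
    only. This is NOT the SPARX key schedule (Algorithm 1 of [1])."""
    v, out = 0x9E3779B9, []
    for _ in range(steps):
        words = []
        for _ in range(6):
            v = (v * 0x2545F491 + 0x1D) & 0xFFFFFFFF
            words.append(v)
        out.append((words[:3], words[3:]))
    return out


if __name__ == "__main__":
    keys, wk = demo_keys(), 0x0F1E2D3C4B5A6978
    ct = sparx64_encrypt(0x0123456789ABCDEF, keys, wk)
    print(hex(ct), hex(sparx64_decrypt(ct, keys, wk)))
```

The model is meant for reasoning about the round structure (which subkey touches which half, where the only nonlinear operation sits), not as a reference implementation; anyone reproducing test vectors should check the rotation amounts and the exact L layer against the designers' code.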

2.3. Multiple/Multidimensional Zero-Correlation Cryptanalysis
We start this section by introducing the MPZC and MDZC models. Suppose that there are plaintext-ciphertext samples and zero-correlation linear approximations for an -bit block cipher. For the th approximation, the adversary counts the samples for which the linear approximation holds and obtains the corresponding counter . Under the MPZC model, the adversary evaluates the following statistic:
In the MDZC model, the zero-correlation linear approximations form a linear space (including the zero vector) of dimension , so that . For each plaintext-ciphertext sample, the adversary evaluates the base linear approximations and obtains an -bit value . By iterating over all samples, the adversary obtains a counter vector with . The statistic used in MDZC is:
To estimate the data complexity and success probability, researchers [14] considered two sampling models, i.e., KP and DKP. In the KP setting, the samples are obtained randomly, while in the DKP setting the plaintext-ciphertext samples are restricted to be non-repeating. In [14], Blondeau and Nyberg proved that and follow the same distribution when the same sampling method is applied. They gave the method for estimating the data complexity under these two sampling models for MPZC and MDZC. Later, Sun et al. proposed the MPZC and MDZC, in which the statistics are modeled by distributions [12] instead of normal distributions.
Two types of errors are considered:
(i) Type-1 error: wrongfully discarding the cipher (false negative); suppose its probability is . This is related to the success probability, and .
(ii) Type-2 error: wrongfully accepting a randomly chosen permutation as the cipher (false positive); suppose its probability is . This is related to the time complexity of the exhaustive search phase, and , where is the length of the master key.
Then MPZC and MDZC evaluate the data complexity as follows,
where and are the respective quantiles of the distribution with degrees of freedom evaluated at the points and . In the attacks, the threshold value used to distinguish the cipher from a randomly chosen permutation is calculated as .
Theorem 1 (see [12]).
Suppose that the linear approximations involved satisfy the hypotheses in [14]. The number of KPs required in an MPZC or MDZC linear attack is
and the number of DKPs required in an MPZC or MDZC linear attack is
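To make the two views concrete, here is an added Python example (not from [12] or from this article) that builds the MPZC counters and the MDZC counter vector from plaintext-ciphertext samples, shows that the counter vector already determines the counters of all nonzero combinations of the base approximations, and evaluates a plain chi-square statistic on the vector. The samples come from a constructed toy 8-bit mapping chosen so that the counters are predictable; the Pearson normalisation used here is an assumption, since the exact form of the statistic in [12] is not reproduced on this page, and a real attack compares the resulting value with the threshold derived from Theorem 1.

```python
def parity(v):
    """Dot product over GF(2): parity of the masked bits."""
    return bin(v).count("1") & 1


def mpzc_counters(samples, approximations):
    """MPZC view: for each approximation (alpha, beta) return C_i, the number
    of samples (p, c) for which alpha.p ^ beta.c == 0, i.e. the approximation
    holds."""
    return [sum(1 for p, c in samples if parity(a & p) ^ parity(b & c) == 0)
            for a, b in approximations]


def mdzc_counter_vector(samples, base_approximations):
    """MDZC view: evaluate the m base approximations on each sample, pack the
    m result bits into z and count how often each z occurs (V[z])."""
    m = len(base_approximations)
    V = [0] * (1 << m)
    for p, c in samples:
        z = 0
        for i, (a, b) in enumerate(base_approximations):
            z |= (parity(a & p) ^ parity(b & c)) << i
        V[z] += 1
    return V


def mpzc_from_mdzc(V):
    """The l = 2^m - 1 nonzero linear combinations w of the base
    approximations are the MPZC approximations; each counter is the sum of V
    over the z with even parity against w, so V determines every C_i."""
    m = (len(V) - 1).bit_length()
    return [sum(v for z, v in enumerate(V) if parity(w & z) == 0)
            for w in range(1, 1 << m)]


def chi_square_statistic(V):
    """Pearson form sum_z (V[z] - N/2^m)^2 / (N/2^m): 0 for perfectly uniform
    counters, large when they are far from uniform. Assumed form; the page's
    own normalisation of the MDZC statistic is not reproduced here."""
    N = sum(V)
    expected = N / len(V)
    return sum((v - expected) ** 2 / expected for v in V)


# Constructed toy "cipher" on 8-bit blocks: c = p ^ 0x5A. It is deliberately
# degenerate (every approximation (a, a) holds always or never), which makes
# the counters easy to predict and pushes the statistic far from 0.
BASE = [(0x01, 0x01), (0x02, 0x02), (0x04, 0x04)]


def toy_samples():
    return [(p, p ^ 0x5A) for p in range(256)]


if __name__ == "__main__":
    S = toy_samples()
    V = mdzc_counter_vector(S, BASE)
    print("V =", V)  # every one of the 256 samples lands in z = 2
    print("C_i (direct) =", mpzc_counters(S, BASE))
    print("C_w (from V) =", mpzc_from_mdzc(V))
    print("statistic =", chi_square_statistic(V))
```

For the toy mapping the three base approximations evaluate to the constant bits (0, 1, 0), so the whole counter vector sits in one bin and the statistic is large; for a random permutation the counters spread out and the statistic stays near its expectation, which is exactly the gap the threshold of Theorem 1 is placed in.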
3. Zero-Correlation Linear Hulls of SPARX64
The 12-round zero-correlation linear hull of SPARX64 proposed in [6] is shown in Figure 2; it is . are linear masks derived from the input mask , while are linear masks derived from the output mask . The contradiction appears in the second linear permutation , where the corresponding input mask is zero while the output mask is the nonzero value . This distinguisher is like the 5-round zero-correlation linear hull of the Feistel structure [8] with bijective round functions, which only exploits the properties of the structure. In the following subsections, we study in detail how linear masks propagate in SPECKEY and construct longer zero-correlation linear hulls.
Since there are only Xor (), modular addition (), branching () and rotation ( or ), we review how linear masks propagate through these operations. Let be values and be the corresponding masks. Suppose the position of the first '1' bit from the MSB is for . Then the relations between the masks are shown in Table 2.
Only the modular addition ('') is nonlinear, and the corresponding correlation may differ from one. However, when or , the correlation at '' is equal to 1.
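The following added Python example (not from the article) makes the rules above checkable: it computes the exact correlation of any mask triple through modular addition on a reduced 8-bit word by exhaustive enumeration, confirms that the all-zero and LSB-only masks are the ones with correlation one whereas the MSB-only masks are far from it, checks that the MSB of a sum is linear in the MSBs of its inputs (the property Section 4.1 relies on to avoid guessing some key bits), and encodes the correlation-one mask rules for Xor, branching and rotation. The 8-bit word size is an assumption made for speed; the properties shown hold identically for the 16-bit words of SPARX.

```python
def parity(v):
    return bin(v).count("1") & 1


def add_correlation(alpha, beta, gamma, n=8):
    """Exact correlation of  alpha.x ^ beta.y = gamma.((x + y) mod 2^n),
    enumerating all 2^(2n) pairs (x, y). 1.0 means the approximation always
    holds, 0.0 means it is unbiased."""
    mask = (1 << n) - 1
    agree = 0
    for x in range(1 << n):
        ax = parity(alpha & x)
        for y in range(1 << n):
            z = (x + y) & mask
            if ax ^ parity(beta & y) ^ parity(gamma & z) == 0:
                agree += 1
    total = 1 << (2 * n)
    return (2 * agree - total) / total


def msb_is_linear_in_inputs(n=8):
    """The MSB of x+y mod 2^n is x_{n-1} ^ y_{n-1} ^ carry, and the carry only
    depends on the lower n-1 bits, so flipping the MSB of an input always
    flips the MSB of the sum: a key bit xored into an MSB acts linearly."""
    mask, top = (1 << n) - 1, 1 << (n - 1)
    return all((((x ^ top) + y) & top) == ((((x + y) & mask) ^ top) & top)
               for x in range(1 << n) for y in range(1 << n))


# Mask propagation through the linear operations (correlation exactly 1).
def masks_through_xor(gamma):
    """z = x ^ y with output mask gamma: both input masks equal gamma."""
    return gamma, gamma


def mask_through_branch(beta, gamma):
    """Branch x -> (x, x) with output masks beta, gamma: input mask beta ^ gamma."""
    return beta ^ gamma


def mask_through_rotl(gamma, r, n=8):
    """z = x <<< r: gamma.z == (gamma >>> r).x, so the input mask is gamma >>> r."""
    return ((gamma >> r) | (gamma << (n - r))) & ((1 << n) - 1)


def rules_hold(n=8):
    """Exhaustively check the three rules above on n-bit words."""
    mask = (1 << n) - 1
    rotl = lambda v, r: ((v << r) | (v >> (n - r))) & mask
    for g in range(1 << n):
        b = (g * 37 + 11) & mask              # an arbitrary second mask
        a_rot = mask_through_rotl(g, 3, n)
        a1, a2 = masks_through_xor(g)
        for x in range(1 << n):
            y = (x * 0x9D + 7) & mask         # an arbitrary second operand
            if parity(g & rotl(x, 3)) != parity(a_rot & x):
                return False
            if parity(g & (x ^ y)) != parity(a1 & x) ^ parity(a2 & y):
                return False
            if parity(b & x) ^ parity(g & x) != parity(mask_through_branch(b, g) & x):
                return False
    return True


if __name__ == "__main__":
    for masks in [(0, 0, 0), (1, 1, 1), (1, 0, 1), (2, 2, 2), (0x80, 0x80, 0x80)]:
        print(masks, add_correlation(*masks))
    print("MSB linear in inputs:", msb_is_linear_in_inputs())
    print("linear rules hold:", rules_hold())
```

Running it shows correlation 1 only for the zero masks and for the LSB-only triple (1, 1, 1), correlation 1/2 one bit higher because of the single carry bit, and a correlation of 1/128 for the MSB-only triple on 8-bit words (the carry into the top bit is almost balanced); this is why the hull extensions in the next two subsections force the masks at the addition to one of the two correlation-one cases.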
3.1. Expanding the Linear Hull Backward from the Input Mask with Correlation One
In fact, by restricting the values of and , we can increase the number of rounds of the zero-correlation linear hull. The main idea is to let the input mask (or output mask) go back (or forward) one more round with correlation one. The only nonlinear operation in one SPECK round is '', so we want the corresponding input mask or output mask of '' to be or , which gives linear approximations with correlation one.
For the case of the input mask , we require to be or , where are the output masks of the '' in Figure 3. It is easy to see that and , where is the transform of the linear layer. So we obtain the following four equations:
According to , only the first and fourth equations have possible solutions.
(i) Equation (4) holds when 
(ii) Equation (7) holds when 
We set the condition (see the left part of Figure 3), from which we derive that the linear mask becomes after one decrypted round. Going one step further, we have . To expand one more round with correlation one, we require the corresponding masks to be or as well. Then we obtain the only nonzero solution . Finally, we get the linear mask after two decrypted rounds.
Similarly, when the condition is (see the right part of Figure 3), we can derive that
Then there is . In this situation, there is no value of that satisfies both at the same time. This means that when , we can only expand the linear hull backward by one more round and cannot expand it by two more rounds backward with correlation one.
3.2. Expanding the Linear Hull Forward from the Output Mask with Correlation One
For the output linear mask , we follow a similar method (see Figure 4). First, we require the linear masks to take the value or . So we can list the following equations.
According to , the only solutions are as follows.
(i) Equation (4) holds when 
(ii) Equation (5) holds when 
(iii) Equation (7) holds when 
(iv) Equation (8) holds when 
Figure 4 gives the detailed propagation of the output linear mask when or . The output mask after one more round is , respectively. Otherwise, when , there is
We list the zero-correlation linear hulls in Table 3, where denotes the number of rounds of the distinguishers.
4. Multidimensional Zero-Correlation Cryptanalysis of SPARX64 Using 14-Round Distinguishers
In this section, we give 15-round and 16-round multidimensional attacks with 14-round zero-correlation distinguishers in the DKP sampling setting.
4.1. 15-Round Multidimensional Zero-Correlation Attack with One 14-Round Distinguisher
We use one 14-round multidimensional zero-correlation distinguisher to mount the attack. By adding one round at the top, the attack covers 15 rounds. The symbols denote the corresponding states derived from the plaintexts or ciphertexts (see Figure 5). For sufficiently many plaintext-ciphertext samples, we need to guess the corresponding subkeys and obtain the numbers of all possible values of
Since the MSB of , i.e., , is linear in and , there is no need to guess these two key bits in the attack. For simplicity, we can set them to . Similarly, we can also set and to constant values. So in the round before the distinguisher, the key bits to be guessed are and . Since is linear in and , no key bits need to be guessed in the backward rounds.
Suppose the number of samples in the attack is . The attack procedure is as follows.
(i) Step 1. For values of , suppose , then . We can compute
We get values of .
(ii) Step 2. Guess the valid bits of , encrypt by one round and obtain . Store the numbers of .
(iii) Step 3. Guess the valid bits of , encrypt by one round and obtain . Store the numbers of .
(iv) Step 4. For each guessed key, compute the statistic value used in the multidimensional zero-correlation attack, i.e., where . When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.
By setting and , we compute the data complexity and threshold . The first three steps need encryptions. The last step needs encryptions. So the total time complexity is about encryptions.
4.2. 16-Round Multidimensional Zero-Correlation Attack with One 14-Round Distinguisher
We can append one more round at the bottom to attack 16 rounds (see Figure 6). To control the time complexity, we use only part of the above distinguisher. In detail, we only consider input masks of the form , which means the distinguisher has dimension . So need to be guessed.
For the output mask , we expand it by one round. The mask pattern at becomes . Only the nonlinear key bits need to be guessed for the last round, which means we only consider ).
The attack procedure is as follows.
(1) For values of , compress by one round and get and .
(2) Guess bits of , encrypt by one round and get . Store the numbers of .
(3) Guess the valid bits of , decrypt by one round and get . Store the numbers of .
(4) Guess the valid bits of , decrypt by one round and get . Store the numbers of .
(5) For each guessed key, compute the statistic value used in the multidimensional zero-correlation attack, i.e., where . When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.
By setting , and , we compute the data complexity and threshold . The first four steps need encryptions. The last step needs encryptions. So the total time complexity is about encryptions.
5. Zero-Correlation Cryptanalysis of SPARX64 Using the 15-Round Distinguisher
In this section, we give 17-round and 18-round attacks with a 15-round zero-correlation distinguisher in the DKP sampling setting. Notice that there is only one single zero-correlation linear hull. Nevertheless, we can still use the multiple zero-correlation linear attack model to estimate the data complexity, as shown in [12].
5.1. 17-Round Zero-Correlation Attack with One 15-Round Distinguisher
We use the 15-round zero-correlation distinguisher to attack 17-round SPARX64/128.
We add one round at the top and one round at the bottom, so the attack is similar to the 16-round attack except that the distinguisher here covers 15 rounds (see Figure 7). The key bits involved in this attack are and .
The attack procedure is as follows.
(1) For values of , compress by one round and get and .
(2) Guess bits of , encrypt by one round and get . Calculate the numbers of according to the sign of ( if , if ).
(3) Guess the valid bits of , decrypt by one round and get . Calculate the numbers of according to the sign of .
(4) Guess the valid bits of , decrypt by one round and get . Calculate the final counter according to the sign of .
(5) For each guessed key, compute the statistic value used in the multiple zero-correlation attack, i.e.,
When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.
By setting and , we compute the data complexity and threshold . The first four steps need encryptions. The last step needs encryptions. So the total time complexity is encryptions.
5.2. 18-Round Zero-Correlation Attack with One 15-Round Distinguisher
By adding one more round before the 17-round attack, we extend the attack to 18 rounds. The key bits involved in the first round are and . According to the key schedule, we know that
Let be a plaintext-ciphertext pair. The attack procedure is as follows.
(1) For values of , guess bits of , encrypt by two rounds and get
Calculate the numbers of according to the value of ( if , if ), where .
(2) It is clear that the target bit, i.e., , is a function of , where . So the target counter can be computed using the FFT technique for all possible keys.
(3) For each guessed key, compute the statistic value used in the multiple zero-correlation attack, i.e.,
When is smaller than the threshold value , the key is taken as a right-key candidate and is then checked using two plaintext-ciphertext pairs.
By setting and , we compute the data complexity and threshold . The first step needs encryptions. The second step needs simple calculations. The last step needs encryptions. So the total time complexity is encryptions.
6. Integral Distinguishers on SPARX
Zero-correlation linear distinguishers can be transformed into integral distinguishers according to the known results in [10, 15]. Theorem 2 describes the result given in [15].
Theorem 2 (Corollary 4 in [15]).
Let be a function on , let be a subspace of and . Suppose that is a zero-correlation linear hull of . Then for any , is balanced on .
As a result, we can transform the linear hulls in Table 3 into integral distinguishers. Some of the resulting integral distinguishers are given in Table 4.
Suppose the state of SPARX64/128 is represented as , where is a 16-bit word. The 12-round integral distinguisher means that if we set the values at and to constants and let the value at take all possible values, the values at after 4 steps (minus the last linear layer) will take all possible values. This is the same as the distinguisher proposed in [1].
The 14-round distinguisher means that when the values at take all possible values and , after one SPECKEY round, four full steps and one more SPECKEY round, the one-bit result will be active, where denotes the value after 14-round encryption. We can expand this distinguisher one more round forward with probability 1 to get a 15-round distinguisher. The input set has elements, which satisfy '0' (or = '1').
7. Conclusion
We have given zero-correlation cryptanalysis results against SPARX64/128 in this paper. 14- and 15-round zero-correlation linear distinguishers have been proposed, which are the longest such distinguishers as far as we know. Then, with the help of the MDZC and MPZC models, we have given 15-, 16-, 17- and 18-round key-recovery attacks on SPARX64/128 with post-whitening key. Our attacks cover the most rounds, while the best existing attack on SPARX64/128 covers 16 rounds. Also, we have transformed the new zero-correlation linear distinguishers into integral distinguishers. The longest one covers 15 rounds, which is three rounds longer than the existing 12-round zero-correlation distinguisher.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.