Abstract

Integral cryptanalysis based on division property is a powerful cryptanalytic method whose range of successful applications was recently extended through the use of Mixed-Integer Linear Programming (MILP). Although this technique was demonstrated to be efficient in specifying distinguishers of reduced-round versions of several families of lightweight block ciphers (such as SIMON, PRESENT, and a few others), we show that this method provides distinguishers for the full-round block cipher SAT_Jo. The SAT_Jo cipher is very similar to the well-known PRESENT block cipher, which has successfully withstood the known cryptanalytic methods. The main difference compared to PRESENT, which turns out to induce severe weaknesses of the SAT_Jo algorithm, is its different choice of substitution boxes (S-boxes) and the bit-permutation layer, chosen for the reasons of making the cipher highly resource-efficient. Even though the designers provided a security analysis of this scheme against some major generic cryptanalytic methods, an application of the bit-division property in combination with MILP was not considered. By specifying integral distinguishers for the full-round SAT_Jo algorithm using this method, we essentially disapprove of its use in the intended applications. Using a 30-round distinguisher, we also describe a subkey recovery attack on the SAT_Jo algorithm whose time complexity is about encryptions (noting that SAT_Jo is designed to provide 80 bits of security). Moreover, it seems that the choice of bit-permutation induces weak division properties, since replacing the original bit-permutation of SAT_Jo by the one used in PRESENT immediately renders integral distinguishers inefficient.

1. Introduction

Lightweight block ciphers play an important role in providing security in various constrained environments (e.g., in Internet of Things applications). In recent years, many resource-efficient block ciphers have been proposed, such as MIDORI [1], PICCOLO [2], MIBS [3], PRIDE [4], PRESENT [5], and LBLOCK [6]. Recently, many new lightweight ciphers (candidates) in the second round of NIST's lightweight cryptography standardization process were also proposed [7]. However, because of restricted design rationales, certain lightweight designs sometimes fail to deliver reasonable resistance to certain cryptanalytic methods. Although designers of new schemes provide a security analysis against the well-known attacks (e.g., integral attacks [8], differential attacks [9], and linear attacks [10]), it may happen that not all attacks are taken into consideration.

In this work, we consider a lightweight block cipher SAT_Jo [11] (proposed in 2018) and search for integral distinguishers based on division property using the MILP technique [12] introduced in [13]. Before describing the contribution of this work in more detail, we briefly summarize a development of integral attack and division property.

Namely, in 1997, Daemen et al. [14] proposed the square attack on the block cipher SQUARE. In 2001, Lucks et al. [15] proposed a saturation attack on the TWOFISH cipher, which generalizes the square attack. Biryukov et al. [16] introduced a multiset attack on SPN-based block ciphers. Then, in 2002, Knudsen et al. [8] proposed the so-called integral analysis, which generalizes the previous three attacks. In fact, from the point of view of Boolean functions, this attack is also closely related to the higher-order differential attack proposed in [17]. Some further versions of this attack were derived in 2008 by Z'aba et al. [18], who proposed the bit-pattern-based integral attack. It has been shown that one can derive integral distinguishers by analyzing the propagation of the integral property, where one tracks the positions of active, constant, and balanced bits. More specifically, the opponent selects a set of plaintexts having a portion of bits fixed at certain positions (called constant bits), whereas the remaining bits take all possible values and are called active. Moreover, the XOR sum of the corresponding ciphertexts is computed (alternatively, a suitable subset is considered). Now, if the XOR sum at certain positions is always 0, regardless of the choice of secret key, such bits are called balanced. On the other hand, if the XOR sum changes at some positions (depending on the secret key value), such bits are commonly called unknown. This integral property can then be used to distinguish the real encryption algorithm from a random permutation.

A further generalization of integral attacks has been introduced by Todo [19] at EUROCRYPT 2015, by developing a cryptanalytic framework based on the so-called division property. Later, Todo and Morii [20] proposed bit-based division property, which was utilized for construction of a 15-round integral distinguisher for SIMON32 [21]. Finally, at ASIACRYPT 2016, Xiang et al. [13] proposed a method which combines the bit-based division property and searches for the division trails by employing the MILP method. Consequently, this combination successfully overcomes the main issue of the bit-based division property reflected in relatively high time and memory complexity which is bounded above by , where is the block length. In what follows, we describe the contribution and structure of the subsequent sections.

Our contribution: in this paper, we analyze the lightweight block cipher SAT_Jo, which is built as a substitution-permutation (SP) network and processes plaintext blocks of length 64 bits through an iterative application of 31 identical rounds, using the secret key of size 80 bits. We emphasize that the designers of this algorithm provided the security evaluation [22] of the cipher by considering some main cryptanalytic tools such as differential and linear cryptanalysis, as well as the resistance against algebraic attacks. However, to the best of our knowledge, the robustness of this scheme with respect to integral attacks has not been evaluated so far.

We consider the three basic operations used in the SAT_Jo algorithm, which then give rise to a set of linear inequalities that characterize the propagation of the bit-based division property for the SAT_Jo algorithm. Similar to the analysis performed in [13], by employing the open-source Gurobi MILP solver, an automated search for integral distinguishers is performed. Most notably, this MILP solver returns an integral distinguisher for the full-round SAT_Jo algorithm within a few seconds on a standard personal computer. Consequently, the bit-permutation of the SAT_Jo algorithm (linear layer) appears not to be well designed, and its increased efficiency turns out to be traded off against lower security margins. Though our cryptanalysis does not substantially differ from the security evaluation in [13] (performed on SIMON, PRESENT, and a few more lightweight block ciphers), the results are quite dramatic due to the possibility of specifying integral distinguishers for a full-round block cipher, which is rather uncommon. Moreover, we show that an efficient subkey recovery attack, whose time complexity corresponds to encryptions, can be easily mounted using our distinguisher.

Outline of the paper: Section 2 mainly introduces notations and definitions related to the division property. In Section 3, we discuss the MILP method and propagation rules of division property. In Section 4, an MILP model for SAT_Jo algorithm is derived, and its application is summarized in Section 5. In Section 6, the conclusion is given.

2. Preliminaries

By , we denote the binary vector space of all n-tuples , where denotes the i-th coordinate of . Throughout this work, the following definitions will be used.

Definition 1 (bit product function [20]). Let . A bit product function is defined as

Here, we have that and if and , respectively.

Definition 2 (algebraic normal form (ANF) [19]). A Boolean function can be uniquely represented by its algebraic normal form (ANF) as

where are the binary constants that depend on u and specify .

In 2015, Todo [19] introduced the division property (as a generalization of the integral property), which was utilized to efficiently construct integral distinguishers (mainly applicable to S-box-oriented block ciphers). This concept was later refined in [20] by introducing the bit-based division property, which applies to block ciphers that do not necessarily employ S-boxes. The following definitions capture the essence of the bit-based division property.

Definition 3 (ordering ). For two binary vectors and , the inequality between and is defined as if and only if for all .

Definition 4 (bit-based division property [20]). Let X be a multiset whose elements belong to the space . Then, X is said to satisfy the division property , if the parity of for all is always even. Equivalently, the following conditions must be satisfied:

By , we denote the binary all-one vector of size n (i.e., ), where for simplicity, the all-one vector of size one will be simply denoted by 1 instead of . To provide more clarity about the bit-based division property, we give the following example.

Example 1. Assume that a multiset satisfies the division property , where . This means that is exactly equal to 0 for any .

In addition, the propagation rules for the bit-division property in SPN schemes were also derived in [19, 20]. Nevertheless, since these rules are not relevant in our context, we omit their specification.

Definition 5 (division trail [13]). Let denote a round function of an iterated block cipher. Assume that an input multiset to the block cipher has initial division property , and denote the division property after propagating through for rounds by . Thus, we have the following chain of division property propagations:

Moreover, for any vector , there must exist a vector such that can propagate to by the division property propagation rules. Furthermore, for , if can propagate to for all , then is called an r-round division trail.

Example 2 (Proposition 5 in [13]). Denote by the division property of the input multiset of an iterated block cipher, and let be its round function. Denote also by

the r-round propagation of the division property. Thus, the set of the last vectors in this chain of all r-round division trails which start with is equal to .

3. MILP Combined with Bit-Based Division Property

3.1. A Brief Overview of the MILP Method

Many classical cryptanalytic methods can be converted into optimization problems, where the main goal is to achieve an optimal solution (minimum or maximum) of the objective function under certain constraints. Mixed-integer linear programming is a well-known optimization method also used in the field of cryptanalysis, in particular for finding division trails in block ciphers [13, 20]. In general, the objective function can be defined as

where the linear constraints (including the requirement on variables ) are given as follows:

Notice that the MILP problem can be transformed into an integer programming (IP) problem if . In particular, it has been verified that IP problems, in general, are somewhat easier to solve than MILP problems of similar kind [12].

For our purpose, the parameters involved in the MILP method are all positive integers. An MILP model is denoted by , the variables involved are denoted by , the constraints are denoted by , and the objective function is denoted by . A simple example of an MILP instance can be described as follows. The set of linear inequalities, denoted by , is given by

where and the objective function is . The goal is then to find the maximum value of . In this example, the domain of the objective function is determined by the two inequalities and the constraint that , and then the feasible solutions of the objective function in this domain are obtained. The maximum value of is 3, and it corresponds to . On the other hand, a closely related problem is to provide a set of points, say , and to obtain the set of linear inequalities (using for instance the inequality_generator() function in the Sage software) for which all the solutions satisfying are included in this set of points . For further details on how this method works, the reader is referred to Appendix A in [13], where a detailed example is elaborated. As noticed in [13], the main problem with this approach is that the number of linear inequalities returned can be quite large, which then makes the MILP instance computationally infeasible. The solution to this was provided by Sun et al. through a greedy algorithm which selects a subset of linear inequalities in that still efficiently describes (see [23] and Algorithm 1 in [13]).

Usually, the goal of an MILP problem is to quickly find a feasible (or optimal) solution to the given problem. In the context of the bit-based division property, one constructs an MILP model such that it describes the propagation trails of the integral property. This procedure then represents an automatic search for integral distinguishers, where solutions of the MILP problem are interpreted as follows (see also [13]):
(i) Each feasible solution to the system of linear inequalities corresponds to a division trail. In other words, these feasible solutions do not contain any impossible division trail.
(ii) Conversely, each division trail must satisfy all linear inequalities in the system. That is, each division trail corresponds to a feasible solution of the linear inequality system.

Note that, in our work, the constructed MILP model will be solved by the open-source mathematical optimization software Gurobi (https://www.gurobi.com).

3.2. Bit-Based Division Property in terms of MILP

The main reason behind the use of MILP tools in context of the bit-based division property is to improve the time complexity when searching for division trails. In essence, a division trail of an encryption algorithm is obtained by converting the basic operations (involved in the round function) into corresponding linear inequalities, which satisfy the propagation rules of the division property.

Initial division property and stopping rule: let us consider a multiset with division property and let denote the vector of length (also called a unit vector) whose i-th coordinate is the only nonzero coordinate. In [13], it was illustrated how to determine the existence of r-round integral distinguisher by checking whether contains all . More precisely, if one can find all the unit vectors in the set (thus, each ), then it means that there does not exist any r-round division trail. Equivalently, if there exists such that , then it means that one can find an r-round integral distinguisher. In terms of Definition 4, the previously described termination test (condition) for the division property can be explained as follows. Let denote the output of r encryption rounds performed on the input set . If does not have any useful integral property, then the XOR sum of all vectors of is unknown for each bit position. This means that is unknown for any unit vector , where . On the contrary, if there exists at least one unit vector which does not belong to , then the value at the i-th position of is always equal to zero, i.e., we can find an r-round integral distinguisher.

For an iterated block cipher with a round function , let denote the division property of an input multiset. Also, let

be the r-round division property propagation, where denotes the set of vectors of all r-round division trails which start with .

Now, if we denote an r-round division trail by , then the set of linear inequalities (which constitute the MILP model) depends on variables . In addition, the objective function is set to be Obj: Min .

Notice that the feasible solutions of the given MILP model are all division trails, and furthermore, if does not contain the all-zero vector, then the objective function will never take the zero value. At the end of the search, the balanced and unknown positions of the integral distinguisher can be determined. More precisely, those unit vectors which are not in indicate the balanced positions in the distinguisher.

When performing integral analysis on a given block cipher based on the division property and using the MILP model (whose round functions consist of a composition of the S-box and linear layer), the search for an effective integral distinguisher is the main goal of the attack. In general, this analysis can be roughly divided into the following three steps:
Step 1: determine the division property of the initial input, that is, the specific number of active and constant bits of the input.
Step 2: using the division property mentioned in Step 1, the MILP model of the division path through the round function is constructed according to the structural characteristics of the cryptographic algorithm itself, including both the linear and the nonlinear layer.
Step 3: let the bit-based division property of r identical encryption rounds of a given block cipher, using the MILP model, be denoted by . In order to obtain , one needs to consider the r-round propagation of the bit-based division property in the MILP model of the single round function operation.

This is basically done by using the division trail specified by . As previously mentioned, the system of linear inequalities will depend on the binary variables , where and (thus, MILP becomes a 0-1 integer programming problem). However, many of these variables are automatically removed (assigned to a constant value 0) when running Algorithm 3 in [13]. This algorithm uses the set of inequalities and the objective function to find feasible solutions of the MILP instance and is constantly updated by adding new constraints with respect to , more precisely by setting when needed. The reader is referred to [13] for further details on how Algorithm 3 works. Notice, however, that the MILP instance that models the search for bit-based distinguishers is executed several times (this is an intrinsic property of Algorithm 3 in [13]) since we need to check whether all the unit vectors are included in , as a stopping rule. Finally, if the solver can find a feasible solution for a particular MILP instance, then the existence of an r-round distinguisher for a given cipher is established (in our case for the SAT_Jo encryption algorithm).

Since some specific cryptographic operations such as key addition and adding a round constant do not affect the propagation of division property, these operations will not be considered here.

4. An MILP Model of SAT_Jo Algorithm

In this section, we describe the process of modelling SAT_Jo algorithm as an MILP instance for the purpose of specifying integral distinguishers.

4.1. A Description of SAT_Jo

The schematic structure of the SAT_Jo block cipher is shown in Figure 1, whereas a precise description of its encryption process is given in Algorithm 1. The round function of SAT_Jo is similar to the one in the PRESENT block cipher, and it is defined as a composition of the S-box layer (applying the S-box defined in Table 1 16 times) and the bit-permutation function defined in Table 2. As mentioned earlier, SAT_Jo iterates the round function 31 times, where in addition the round key is applied at the end (as a postwhitening step). We omit the definition of the newRoundKey function because it is not relevant for the division property.

Input: Plaintext PT [64], Key K [80]
Output: Ciphertext CT [64]
(1)
(2) while do
(3)
(4)
(5)
(6)
(7)
(8) end while
(9)
(10)
(11)

Remark 1. Notice that the permutation layer uses a simple rule mod 64 which simplifies design but at the same time induces serious security issues (bad diffusion properties).

4.2. An Integral Attack on SAT_Jo Using Division Property

In order to apply the MILP method, one firstly has to derive a set of linear inequalities (defined in Section 3.1, where ) to describe the propagation of division property based on the structure of the round function. We note that both the S-box and permutation layer (P-box) affect the division property when deriving the MILP model. On the other hand, the division property is not affected by the AddRoundKey step in Algorithm 1, and thus the MILP model of a round function is constructed without considering this operation.

4.2.1. Modelling S-Box of SAT_Jo

Now, in order to derive the set of inequalities for the S-box layer of SAT_Jo, we only have to consider the S-box defined in Table 1. Let denote the input of this S-box and denote its corresponding output. The ANF of the S-box (given in Table 1) is given by

where modulo-two addition is performed. Then, utilizing Algorithm 2 in [13], we obtain 45 division trails (shown in Table 3) of the SAT_Jo S-box.
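As an added illustration (not code from the paper), the following Python computes the division trails of a 4-bit S-box from the ANFs of its bit product functions, in the spirit of Algorithm 2 in [13] used above: u can propagate to v exactly when the ANF of y^v contains a monomial x^w with w ⪰ u, and only the minimal such v are kept. Since Table 1 is not reproduced on this page, the PRESENT S-box is used as a stand-in, and the resulting (u, v) pairs are also encoded as vectors in F_2^8, the form handed to inequality_generator().

```python
"""Division trails of a 4-bit S-box derived from the ANF of its bit product functions."""

# Constructed stand-in: the PRESENT S-box (C56B90AD3EF84712). The SAT_Jo S-box
# (Table 1) is not given on this page, so PRESENT's is used for the demonstration.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(truth_table):
    """Moebius transform: truth table indexed by input x -> ANF coefficients
    indexed by monomial mask w (bit i of w set <=> x_i appears in the monomial)."""
    coeffs = list(truth_table)
    n = len(coeffs).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for x in range(len(coeffs)):
            if x & bit:
                coeffs[x] ^= coeffs[x ^ bit]
    return coeffs


def product_anf(sbox, v, n=4):
    """ANF of the bit product function y^v = prod_{i: v_i = 1} y_i (Definition 1),
    viewed as a Boolean function of the S-box input x."""
    table = [1 if (sbox[x] & v) == v else 0 for x in range(1 << n)]
    return anf(table)


def covers(w, u):
    """w >= u in the ordering of Definition 3: every coordinate set in u is set in w."""
    return w & u == u


def output_division_properties(sbox, u, n=4):
    """All v such that u -> v is a division trail through the S-box.

    v is admissible when the ANF of y^v contains a monomial x^w with w >= u;
    a v that dominates another admissible v' is redundant and is dropped."""
    admissible = []
    for v in range(1 << n):
        coeffs = product_anf(sbox, v, n)
        if any(coeffs[w] and covers(w, u) for w in range(1 << n)):
            admissible.append(v)
    return sorted(v for v in admissible
                  if not any(v2 != v and covers(v, v2) for v2 in admissible))


def division_trails(sbox, n=4):
    """The complete list of (u, v) division trails of the S-box."""
    return [(u, v) for u in range(1 << n)
            for v in output_division_properties(sbox, u, n)]


def trail_vectors(trails, n=4):
    """Encode each trail (u, v) as the 0/1 vector (u_0..u_{n-1}, v_0..v_{n-1}) in F_2^{2n},
    i.e. the point set that would be passed to Sage's inequality_generator()."""
    return [tuple((u >> i) & 1 for i in range(n)) + tuple((v >> i) & 1 for i in range(n))
            for u, v in trails]


if __name__ == "__main__":
    trails = division_trails(PRESENT_SBOX)
    print(len(trails), "division trails")
    for u in range(16):
        outs = [format(v, "04b") for v in output_division_properties(PRESENT_SBOX, u)]
        print(format(u, "04b"), "->", outs)
    print(trail_vectors(trails)[:3], "...")
```

Two sanity checks hold for any bijective 4-bit S-box and are useful when adapting this to a new table: the zero vector only propagates to itself, and the all-one input vector only propagates to the all-one output vector (y_1y_2y_3y_4 is the only product of degree 4).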

Each division trail of a 4-bit S-box can be viewed as an 8-dimensional vector in . Thus, the 45 division trails form a subset of . Next, by taking as input to the inequality_generator() function of SageMath, a set of 162 linear inequalities is returned. The following SageMath code is used for this purpose:

The output of the above SageMath code, consisting of 162 linear inequalities, can be further reduced to 10 linear inequalities by using the greedy algorithm in [13, Algorithm 1], originally proposed in [23]. If the division path through the S-box is described by , these 10 inequalities are given as follows:

In order to obtain the solutions of linear inequalities restricted to , we only need to specify that all variables can only take values in {0, 1}.

4.2.2. Modelling the Permutation Layer of SAT_Jo

In order to describe the permutation layer as an MILP instance, some intermediate variables are introduced to describe the basic operations in the permutation layer. Since the design of the permutation layer of the SAT_Jo encryption algorithm is relatively simple and described on the bit level in [5] (the bit of the internal state is moved to bit position in accordance with Table 2 and follows the rule given in Remark 1), the division path of input/output through the permutation layer is easily embedded in the MILP model.

4.2.3. A Search Algorithm for Integral Distinguishers for SAT_Jo Algorithm

To summarize the whole procedure, an automatic search algorithm for integral distinguishers of SAT_Jo is given by Algorithm 2 (which is similar to Algorithm 3 in [13]). Note that the notation (used in Algorithm 2) denotes the MILP model for rounds composed of the set of inequalities and an objective function . Also, the set of output bits after rounds is denoted by .

Input: MILP model consisting of linear inequalities and an objective function
Output: balanced bit position of
(1) Initialization
(2) for do
(3)   if has a feasible solution then
(4)     if Value = 1 then // value after optimizing ; it returns the current value of the objective function
(5)       Obj = obj.Objective() // obj.Objective represents the objective function of the returned model
(6)       for do
(7)         var = obj.getValue() // return the -th variable of the objective function
(8)         value = obj.getAttr() // get the value of var in the current solution
(9)         if value = 1 then
(10)          delete {var} in // delete var from
(11)          M.addConstraint(var = 0)
(12)          M.update()
(13)          break
(14)        end if
(15)      end for
(16)    end if
(17)  end if
(18) end for
(19) return // represents the S value of all outputs

5. The Results

By specifying and solving the MILP instance that models the full-round SAT_Jo algorithm (having 31 encryption rounds), we can specify different integral distinguishers. Table 4 shows how many active bits can be set in the input and how many balanced bits are obtained in the output for the SAT_Jo algorithm. Note that all these results were confirmed in practice on a personal computer within a few seconds. Moreover, integral distinguishers could be found for up to 151 encryption rounds, which indicates a serious design flaw regarding the choice of bit-permutation employed in the SAT_Jo algorithm.

Recall that, for active bits at the input, denoted by “”, we essentially take all possible input values at these positions. For instance, if we have 5 active bits in the input, then in total we require plaintexts that cover all the possible values at these specific positions. Other input bits that are kept fixed are denoted by “”. The balanced bits at the output, denoted by “”, simply correspond to those positions of the ciphertext having the same number of zeros and ones, whereas unbalanced cases are denoted by “”.

Table 5 shows other cryptanalytic results for SAT_Jo.

The key recovery attack on SAT_Jo: in order to perform a key recovery attack on the full-round SAT_Jo cipher, one can use the 30-round distinguisher specified in the first row of Table 4. More precisely, a set of plaintexts which satisfies the input of the integral distinguisher is selected. Moreover, one needs to guess the last-round subkey bits (64 bits in total), which are then used together with the ciphertexts to calculate the output of the 30th round (the so-called one-round partial decryption). For a guessed 64-bit subkey , if the XOR sum of the state bits at the output of the 30th round is zero, then it is considered a valid candidate for the correct subkey; otherwise, the guessed value is considered incorrect. In order to identify the correct one among these candidates, one selects another set of four plaintexts (again varying the first two bits) and obtains the corresponding ciphertexts . For each candidate subkey, the decryption of the ciphertexts can be performed and the resulting values (corresponding to the encryption of 30 rounds) are XORed together. The correct subkey is identified when this XOR sum is the all-zero vector of length 64. Thus, the 31-round attack on SAT_Jo proceeds as follows:
Step 1: after 31 rounds of encryption are performed on the 4 selected plaintexts according to the 30-round integral distinguisher, the opponent obtains 4 ciphertexts.
Step 2: by guessing the 64-bit , the opponent can decrypt the 31st-round state.
Step 3: similarly, the opponent guesses the 4-bit so that she can decrypt the 30th-round state. In this case, she can further calculate the XOR sum of the state bits at the output of the 30th round.

This attack requires 8 chosen plaintexts, and its time complexity is about encryption operations. The success rate of this attack is 1. Notice that the master key is of length 80 bits, and after recovering the 64 bits of , a similar procedure can be performed to retrieve the other subkeys.

Remark 2. The simulations have been conducted on a computer with the following specification: Intel(R) Core(TM) i5-8300H CPU @ 2.30 GHz, 8 GB RAM, x64 Windows 10. In addition, the Python programming language, Sage software, and the Gurobi solver have been used to implement the search algorithm.

6. Conclusion

We remark that the choice of bit-permutation used in the SAT_Jo algorithm appears to be the main reason for the existence of full-round integral distinguishers. Indeed, replacing the bit-permutation used in the SAT_Jo algorithm by the one employed in the PRESENT block cipher implies that there are no integral distinguishers for the full-round SAT_Jo. In particular, if the original permutation layer of SAT_Jo is replaced by the bit-permutation given in Table 6, one can verify that the resulting SAT_Jo variant exhibits much better integral properties. More precisely, an integral distinguisher can then be specified for at most 9 encryption rounds. The main weakness of the SAT_Jo algorithm, as already mentioned in Remark 1, is an inappropriate choice of its bit-permutation, which does not provide sufficient diffusion. The permutation layer of SAT_Jo uses a simple rule mod 64, which simplifies the design but at the same time induces serious security issues (bad diffusion properties). The new permutation layer (see Table 6), on the other hand, uses a different rule (mod 64).

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

The works of Y. Wei and X. Qiu were supported in part by the National Natural Science Foundation of China (No. 61872103), in part by the Guangxi Science and Technology Foundation (No. Guike AB18281019), in part by the Innovation Research Team Project of Guangxi (No. 2019GXNSFGA245004), in part by the Foundation of Science and Technology on Communication Security Laboratory (No. 6142103190103), and in part by the Foundation of Key Laboratory of Cognitive Radio and Information Processing, Ministry of Education (Guilin University of Electronic Technology) (No. CRKL180107). S. Hodzic was supported by a grant from the Independent Research Fund Denmark for Technology and Production (No. 8022-00348A).