Abstract

In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model for conditional differential cryptanalysis of nonlinear feedback shift register (NLFSR) based block ciphers is proposed, and an approach to detecting the bit with a strongly biased difference is provided. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than previous attacks. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher, we recover 11 equivalent key bits of 98-round KATAN32 and 13 equivalent key bits of 99-round KATAN32. The time complexity is less than encryptions of 98-round KATAN32 and less than encryptions of 99-round KATAN32, respectively. Thus far, our results are the best known practical key-recovery attacks on the round-reduced variants of KATAN32 regarding both the number of rounds and the time complexity. All the results are verified experimentally.

1. Introduction

Cryptographic techniques are moving into applications like access control, parking management, goods tracking, radio frequency identification (RFID) tags, and integrated circuit (IC) printing [1]. At the same time, wireless sensor networks (WSNs) are used for various critical industrial applications, such as heartbeat monitoring, temperature monitoring for precision agriculture, self-monitoring of autonomous vehicles, and power usage monitoring for the smart grid [2, 3]. In these new cryptographic environments, RFID applications and sensor networks share features such as weak computational ability, small storage space, and strict power constraints, while the data they process are sensitive [4]. The ever-increasing demand for security and privacy in these very constrained environments requires new cryptographic primitives: low-cost, tiny, and efficient ciphers. Traditional block ciphers such as AES are not suitable for these constrained environments, and many lightweight ciphers, including the KATAN and KTANTAN family [5] and Piccolo [6], have been proposed to address this.

The KATAN and KTANTAN block ciphers were proposed by Christophe De Cannière, Orr Dunkelman, and Miroslav Knezevic at CHES 2009 [5]. To reduce the energy consumed in data processing and improve efficiency, KATAN uses nonlinear feedback shift registers (NLFSRs) together with a linear key schedule [7]. Both KATAN and KTANTAN have three variants with 32-bit, 48-bit, and 64-bit block sizes, each taking an 80-bit user key. KATAN and KTANTAN share the same data path, including the round transformation and the round constants; the only difference is the generation of subkeys. For KTANTAN, two bits of the 80-bit key are selected each round. The key schedule of KATAN32 (and of the other two variants, KATAN48 and KATAN64) instead loads the 80-bit key into an LFSR (the least significant bit of the key is loaded into position 0 of the LFSR). In each round, positions 0 and 1 of the LFSR are output as the round subkey bits and , and the LFSR is clocked twice. Because of its simple key schedule, KTANTAN was broken by Wei et al. [8]; the more complex key schedule makes KATAN stronger, but that key schedule is still linear.

1.1. Related Work

The KATAN family has been the subject of extensive cryptanalysis. At ASIACRYPT 2010, Knellwolf et al. analyzed KATAN and KTANTAN [9] using conditional differential cryptanalysis [10] and recovered four equivalent key bits for 78 of the 254 rounds of KATAN32 in the single-key scenario. They subsequently analyzed KATAN32 in the related-key scenario with an improved technique using automatic tools and obtained key-recovery attacks on 120 of the 254 rounds of KATAN32 [11]. Observing the nonuniformity of the difference distribution after 91 rounds, Albrecht and Leander proposed a 91-round distinguisher with time complexity encryptions [12]. These results on KATAN32 are listed in Table 1.

Other types of attacks formally published on this cipher are also listed in Table 1, such as all subkeys recovery (ASR), which is a variant of the meet-in-the-middle (MITM) attack [13], Match Box MITM attack [14], Dynamic Cube attack [15], and Multidimensional MITM attack [16, 17]. As can be seen from the details in Table 1, each time complexity is too high to present a practical attack.

As stated in [18], related-key attacks are debatable in a practical sense, because a related-key attack assumes that the attacker knows, and may even control, the relation between multiple unknown keys. Because of this assumption, the related-key attack is debatable from the aspect of practical security, though it is meaningful during the design and certification of a cipher. In particular, the key of an ultra-lightweight block cipher in a low-end device such as a passive RFID tag may never change during its life cycle. In a practical sense, the security of a lightweight cipher in the single-key scenario is the most important. As shown in [19], even when the result of an attack in the related-key scenario is better, it is still meaningful to explore attacks in the single-key scenario.

Conditional differential cryptanalysis was first introduced by Biham and Ben-Aroya at CRYPTO 1993 [10]. The idea is to control the propagation of differences by imposing conditions on the public variables of the cipher; in particular, the conditions are used to filter plaintexts. Depending on whether these conditions involve secret variables or not, key-recovery or distinguishing attacks can be mounted: conditions on key bits lead to a key-recovery attack. The technique has been extended to higher-order differential cryptanalysis and has since become a popular technique in hash function cryptanalysis [20]. It increases the probability of a differential characteristic satisfying some conditions, and it is also useful for block ciphers.

In some attacks, the conditions are derived by hand, which is time consuming and error prone. This paper uses an automatic tool, Mixed Integer Linear Programming (MILP), to obtain minimum conditions and new cryptanalytic results. MILP is a general mathematical tool for optimization that takes as input a linear objective function and a system of linear inequalities and finds solutions that optimize the objective function under the constraints of all inequalities. It was first applied by Mouha et al. [21] and Wu et al. [22] to count the active S-boxes of word-based block ciphers. It has been applied to search for differential characteristics and linear approximations [23, 24], for integral distinguishers and division trails [25, 26], and for impossible differentials [27, 28]. In particular, it has been applied to key-recovery attacks on keyed Keccak MAC, where attackers implemented conditional cube attacks on Keccak with the propagation of the cube variables controlled by conditions in the first several rounds [29–31].

1.2. Our Contributions

In this paper, we improve conditional differential attacks in two respects. On the one hand, we propose a method of automatic conditional differential cryptanalysis using MILP. This method minimizes the number of conditions under which the differential characteristic holds, because the fewer the conditions, the higher the probability of the differential path. On the other hand, we propose a method to quickly calculate the bias of every bit and detect the bit with a strongly biased difference. Finally, using the standard differential attack, we extend the conditional differential attack to more rounds. The details are described in the following paragraphs.

We first propose a novel method using MILP to automatically search for an initial difference and the conditions of conditional differential cryptanalysis. In [9], Knellwolf et al. chose initial differences manually, and it is difficult to find the optimal choice, which is a crucial element of this attack. In this paper, we solve this problem with MILP. We analyze how to identify conditions on internal state variables, and then, by modeling the relations between the differences in state bits and the conditions, we construct a system of linear inequalities. The objective function of this MILP problem is the number of conditions in a chosen number of rounds, which is minimized. With this MILP method, we obtain the initial difference and the conditions automatically.

Second, we present an approach to detecting the bias in the difference of the update bit. In [9], Knellwolf et al. detected the bias experimentally by observing certain nonrandomness of a difference of the update bit. We find that the probability of a difference in the update bit is determined by the probabilities of differences in bits that generate the update bit. After the analysis, we present a formula for evaluating the probability of the difference in the update bit, helping us detect which bit has a strongly biased difference.

Given the initial difference, the conditions, and the bit’s position with a bias, we can mount a key-recovery attack.

We apply conditional differential cryptanalysis with these two improvements to analyze the security of KATAN32. It is shown that we can retrieve ten equivalent key bits for the variant of KATAN32 with 79 initialization rounds and four equivalent key bits with 81 initialization rounds.

Using standard differential attacks, we extend the 81-round conditional differential key-recovery attacks to 97-round, 98-round, and 99-round with time complexity being ,, and encryptions, respectively. Extended key-recovery attacks can recover 10, 11, and 13 equivalent key bits, respectively. It is the best known practical cryptanalytic result on KATAN32 so far.

All of our attacks succeed experimentally. All of our source codes and experiment results are available at https://www.dropbox.com/sh/028s4f06f363b2h/AADItFkz-N1KaAMZR7nIPTawa?dl=0.

1.3. Organization

The paper is organized as follows. In Section 2, some preliminaries are introduced. Section 3 describes the two improvements in conditional differential attacks. In Section 4, with these improvements, the attacks mounted on 79 and 81 of 254 rounds of KATAN32 are presented in detail. In Section 5, we extend the attacks to 97, 98, and 99 of 254 rounds of KATAN32 combined with standard differential attacks. Finally, we conclude the paper in Section 6.

2. Preliminaries

We present our notations in Table 2.

2.1. Description of KATAN

The KATAN family of block ciphers consists of lightweight cryptographic primitives dedicated to hardware implementation. They share a very similar structure based on nonlinear feedback shift registers (NLFSRs). KATAN and KTANTAN each comprise three block ciphers with 32-, 48-, and 64-bit block sizes, denoted KATANn and KTANTANn for . They all use 80-bit keys, and the only difference between KATAN and KTANTAN is the key schedule: the round key bits of KATAN are linear combinations of the initial key bits, whereas the round key bits of KTANTAN are extracted directly from the 80 key bits according to a predefined rule. Here, we briefly introduce KATAN32, the variant analyzed in this paper.

2.1.1. Key Schedule

The master key is loaded into an 80-bit linear feedback shift register, and new round key bits are generated by the linear feedback relation:

In the remainder of this paper, for any , we call one equivalent key bit, which is the linear combination of the initial key bits.

2.1.2. Round Function

In initialization, a 32-bit plaintext block is loaded into two NLFSRs with lengths 13 and 19 bits, respectively. Denote states of the 13-bit NLFSR and the 19-bit NLFSR at round as and .

When , the plaintext is loaded as for and for .

At round , for , two new bits and are produced according to the following equations: where is a round constant generated by an 8-bit LFSR using the recursive relation with the seed value. After 254 rounds, the state is output as the ciphertext. The round function is depicted in Figure 1.
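As an added example (not the authors' code), the round function, key schedule and round-constant generator of KATAN32 in Python, with the inverse round that expresses the bit shifted out of a register in terms of the state on the ciphertext side (the decryption direction used later in Section 5). The tap positions, the key-schedule recurrence and the IR LFSR are taken from the KATAN specification, which this page cites but does not reproduce; `rounds` selects a round-reduced variant.

```python
"""KATAN32 (round-reduced) in pure Python: key schedule LFSR, IR generator,
round function and its inverse. Taps, recurrence and IR LFSR follow the
KATAN specification (CHES 2009), not this page, which only cites them."""
from typing import List, Tuple

L1_LEN, L2_LEN, ROUNDS = 13, 19, 254
X1, X2, X3, X4, X5 = 12, 7, 8, 5, 3           # taps of the 13-bit NLFSR (fa)
Y1, Y2, Y3, Y4, Y5, Y6 = 18, 7, 12, 10, 8, 3   # taps of the 19-bit NLFSR (fb)


def irregular_update_bits(rounds: int = ROUNDS) -> List[int]:
    """Round constants IR_i: an 8-bit LFSR seeded with all ones,
    s[n] = s[n-8] ^ s[n-7] ^ s[n-5] ^ s[n-3], clocked once before each
    output, so IR_i = s[i+1] (sequence starts 1,1,1,1,1,1,1,0,0,0,...)."""
    s = [1] * 8
    ir = []
    for _ in range(rounds):
        s.append(s[-8] ^ s[-7] ^ s[-5] ^ s[-3])
        ir.append(s[-8])
    return ir


def round_keys(key: int, rounds: int = ROUNDS) -> List[int]:
    """Linear key schedule: k_i = K_i for i < 80 (key LSB at position 0), then
    k_i = k_{i-80} ^ k_{i-61} ^ k_{i-50} ^ k_{i-13}; round i uses (k_2i, k_2i+1).
    Every k_i is a linear combination of the 80 key bits ("equivalent key bit")."""
    k = [(key >> i) & 1 for i in range(80)]
    for i in range(80, 2 * rounds):
        k.append(k[i - 80] ^ k[i - 61] ^ k[i - 50] ^ k[i - 13])
    return k


def load(block: int) -> Tuple[List[int], List[int]]:
    """Plaintext LSB goes to L2[0]; the 13 most significant bits fill L1."""
    l2 = [(block >> i) & 1 for i in range(L2_LEN)]
    l1 = [(block >> (L2_LEN + i)) & 1 for i in range(L1_LEN)]
    return l1, l2


def unload(l1: List[int], l2: List[int]) -> int:
    return sum(b << i for i, b in enumerate(l2 + l1))


def encrypt(plain: int, key: int, rounds: int = ROUNDS) -> int:
    l1, l2 = load(plain)
    k, ir = round_keys(key, rounds), irregular_update_bits(rounds)
    for i in range(rounds):
        # Equation (3) of the paper: update bit of the 13-bit register
        fa = l1[X1] ^ l1[X2] ^ (l1[X3] & l1[X4]) ^ (l1[X5] & ir[i]) ^ k[2 * i]
        # Equation (2): update bit of the 19-bit register
        fb = l2[Y1] ^ l2[Y2] ^ (l2[Y3] & l2[Y4]) ^ (l2[Y5] & l2[Y6]) ^ k[2 * i + 1]
        l1, l2 = [fb] + l1[:-1], [fa] + l2[:-1]   # fb enters L1, fa enters L2
    return unload(l1, l2)


def decrypt(cipher: int, key: int, rounds: int = ROUNDS) -> int:
    """Undo the rounds in reverse. The update bit now at position 0 of the other
    register, the remaining register bits and the round key give back the bit
    that was shifted out (the decryption-direction expression of Section 5)."""
    l1, l2 = load(cipher)
    k, ir = round_keys(key, rounds), irregular_update_bits(rounds)
    for i in reversed(range(rounds)):
        fb, fa = l1[0], l2[0]
        p1, p2 = l1[1:], l2[1:]   # positions 0..11 / 0..17 of the previous state
        old1 = fa ^ p1[X2] ^ (p1[X3] & p1[X4]) ^ (p1[X5] & ir[i]) ^ k[2 * i]
        old2 = fb ^ p2[Y2] ^ (p2[Y3] & p2[Y4]) ^ (p2[Y5] & p2[Y6]) ^ k[2 * i + 1]
        l1, l2 = p1 + [old1], p2 + [old2]
    return unload(l1, l2)


def key_schedule_is_linear(key_a: int, key_b: int, rounds: int = ROUNDS) -> bool:
    """The linearity the attack relies on: the round keys of key_a XOR key_b
    equal the XOR of the two round-key streams."""
    ka, kb = round_keys(key_a, rounds), round_keys(key_b, rounds)
    return [a ^ b for a, b in zip(ka, kb)] == round_keys(key_a ^ key_b, rounds)


if __name__ == "__main__":
    # Compare against the test vectors given in the KATAN specification.
    print(hex(encrypt(0x00000000, 0)), hex(encrypt(0xFFFFFFFF, (1 << 80) - 1)))
```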

2.2. Conditional Differential Analysis

Knellwolf et al. applied conditional differential cryptanalysis to NLFSR-based cryptosystems at ASIACRYPT 2010 [9]. This technique is based on differential cryptanalysis used to analyze initialization mechanisms of stream ciphers in [32, 33]. After choosing an initial difference, it studies the propagation of the difference through NLFSR-based cryptosystems and identifies conditions on internal state bits to prevent difference propagation whenever possible. By taking the plaintext pairs conforming to these conditions as input, biases can be detected in differences of update bits at some rounds. Once a bias is detected, the key is considered to obey the expected conditions, and we obtain information for secret key bits. In some cases, there are single key bits or relations of key bits in the conditions; we call each of them one equivalent key bit, leading to a key-recovery attack.

3. Improved Conditional Differential Cryptanalysis

In [9], the authors traced differences through the cryptosystem and prevented their propagation whenever possible by identifying conditions on internal state variables. They gave suggestions for manually choosing an initial difference rather than a specific method for finding it: the difference propagation should be controllable for as many rounds as possible with as few conditions as possible, and there should not be too many conditions involving bits of during the initial rounds.

While the initial difference is of crucial importance with respect to the number of rounds attacked, it is not easy to manually choose a suitable initial difference. In this paper, we propose a novel method using MILP to search for an initial difference, deriving as few conditions as possible and the differential characteristic that covers as many rounds as possible. We also present a method for evaluating the probability of the difference in the update bit, by which we can detect the bit with an obvious bias.

Using these two improvements, we apply the improved conditional differential cryptanalysis to block cipher KATAN32. The framework of the analysis is divided into the following four steps.

Search for an initial difference with MILP. With the method described in Section 3.1, one can formulate an MILP model of difference propagation, search for a differential characteristic with minimum conditions, and obtain the initial difference simultaneously.

Choose conditions. We trace the propagation of the initial difference and identify conditions that prevent the propagation of differences until the number of key bits and plaintext bits involved in conditions becomes too great to mount an attack (exceed the enumeration capability).

Calculate the bias. Given the initial difference and the conditions chosen in the previous steps, the probability of the difference in each bit of the two NLFSRs at the round where the conditions cease being applied can be derived directly. Taking these probabilities as the input of the method described in Section 3.2, we calculate the probability of the difference in the update bit at each subsequent round. From these probabilities, we locate the bit whose difference has an obvious bias at the largest number of rounds.

Mount the key-recovery attack. Since the conditions include some equivalent key bits, if plaintexts are selected with the conditions built from the correct equivalent key bits, the difference in the located update bit shows the bias. The equivalent key bits involved in the conditions can thus be recovered. The attack is summarized in Algorithm 1.

Input: Equation (2) and Equation (3)
Output: the correct equivalent key bits
Obtain an initial difference and a set of conditions by the MILP technique;
the conditions chosen from the early rounds, such that the number of key bits and plaintext bits involved does not exceed the enumeration capability;
the probability of the difference in each bit at the round from which conditions cease being applied, derived from the initial difference and the chosen conditions;
the probabilities of the differences in each subsequent update bit after that round, calculated with the method described in Section 3.2;
the bit, derived from these probabilities, having a nonzero bias at the highest possible number of rounds;
for each guess of the equivalent key bits involved in the conditions do
  ;
  ;
  for each plaintext enumerated over the plaintext bits involved in the conditions do
    if the plaintext satisfies the conditions then
      calculate the difference in the chosen bit from the plaintext and the initial difference;
      if then
        ;
      else
        ;
      end
    end
  end
  ;
  ;
end
search the recorded biases for the maximum;
return the guess of the equivalent key bits corresponding to the maximum bias.
Algorithm 1. The framework of the conditional differential attack.
3.1. Modeling the Difference Propagation of the Round Function

By modeling the propagation of differences under the control of conditions, we obtain an initial difference and a conditional differential characteristic with the fewest conditions. The steps are as follows.

(1) Finding All Modes of Difference Propagation under the Control of Conditions. For KATAN32, at each round, only two bits are generated by some bits from the previous round, so the differences in these two bits are caused only by these bits. Equations (2) and (3) show the relation between these bits.

There are linear and nonlinear terms in Equations (2) and (3). If there are differences in nonlinear terms, the difference in the update bit can be canceled by imposing conditions even if there are differences in linear terms at the same time. If differences appear only in linear terms, there are no possible conditions that could be applied to cancel the differences; they only can be canceled by one another, or the difference appears in the update bit.

For example, for Equation (2): , if , with the other bits having no differences, we add the condition to ensure that . The number of conditions is 1, and the difference of the update bit is 0. If , with the other bits having no differences, no conditions could cancel the difference. The difference appears in the update bit and propagates to the next round. In this case, the number of conditions is 0 and the difference of the update bit is 1.

This shows that we can apply conditions to prevent the propagation of differences when the difference state (we call the difference of the internal state the difference state) is at some particular value. At some other values, there are no conditions that can prevent the propagation of the differences.

For each exact difference state, it can be confirmed whether conditions could be applied and whether there would be a difference in the update bit according to the previous strategy that is aimed at preventing the propagation of differences.

With respect to Equation (2), is generated by six bits of the 19-bit NLFSR at round , so the difference in depends on the values and the differences of these six bits. Let (the flag of adding a condition) denote whether a condition is applied to cancel the difference in the update bit, and let us search all values of the vector using the following strategies.

If according to Equation (2), takes value 0.

Example 1. If , according to Equation (2), . Since no conditions need to be added, is the vector we hunt.

Assuming that may be 1 or 0 according to Equation (2). If a condition could be applied to ensure that , takes value 0 and takes value 1.

Example 2. Suppose that , according to Equation (2), could be either 1 or 0. But if we impose the condition , must be 0, and takes value 1, so is the vector we hunt.

If there must be a difference in and no conditions can cancel it, takes value 1 and takes value 0.

Example 3. Suppose that , according to Equation (2), , and it cannot be canceled by any conditions. Then, takes value 1 and takes value 0. So we obtain .

The difference state can take on one of values. We derive the exact values of and from each value of the difference state in accordance with the above strategies. Then, with respect to Equation (2), we get all 64 values of the 8-dimensional vector (, , , , , , , ), presented in Table 3.

Meanwhile, with respect to Equation (3), we can also find all the difference state values (, , , , , , ). It should be noted that in Equation (3) there is a constant at each round. To simplify constraints of the MILP, we model two cases corresponding to the values of .

When , Equation (3) contains five Boolean variables , , , , and so that the difference state (, , , , ) can take on one of different values deriving the 32 values of the 7-dimensional vector shown in Table 4.

When , Equation (3) contains four Boolean variables , , , and so that the difference state (, , , ) can take on one of different values that lead to the 16 values of the 6-dimensional vector (, , , , , ) shown in Table 5.

(2) Modeling the Vector Sets Using Linear Inequalities. Using SageMath (http://www.sagemath.org), we obtain 19 linear inequalities that exactly describe the set of 64 8-dimensional vectors in Table 3. This set of linear inequalities characterizes the difference propagation of Equation (2) under the control of conditions. After a simple reduction, ten inequalities remain, shown below.

Using the same method, we obtain two sets of linear inequalities and that accurately describe the 32 7-dimensional vectors given in Table 4 and the 16 6-dimensional vectors given in Table 5. The two sets are shown below:

(3) Formulating the MILP Model to Determine an Initial Difference and Minimum Conditions. With these linear inequalities, we obtain the relationships, within one round, among the differences in the bits that generate the update bit, the flag of adding a condition, and the difference in the update bit. We then expand the linear inequalities to rounds, where is a selected number, to obtain the constraints of the MILP. The objective function to be minimized is . The constraint on the initial difference is . In our work, the MILP problem is solved with CPLEX. From the solution we obtain both an initial difference and the minimum set of conditions.

The conditions applied in later rounds involve too many plaintext bits and key bits, so we apply only the conditions of the earlier rounds rather than all of them. From a particular round on, no further conditions are applied, so the difference propagation in subsequent rounds is uncontrolled. After several more rounds, the probability of the difference in the update bit settles at . In Section 3.2, we propose a method to evaluate the probability of the update bit difference, which helps us find the bit whose difference probability deviates significantly from at the largest number of rounds.

3.2. Detecting the Bias of the Difference

In [9, 11], a bias was detected by experimentally observing certain nonrandomness; we now present a method for detecting the bias automatically by computation. The method gives a formula for the probability of the update bit difference, enabling us to find the bit whose difference probability has a bias from . The greater the bias, the higher the probability of a successful attack.

The properties below show that we can evaluate the probability of difference in the update bit, given all the probabilities of difference in the bits that generate the update bit. When conditions cease being applied, we get the probability of difference in each bit of two NLFSRs at that round. Using these probabilities, we can calculate the update bit difference probability in each subsequent round.

Property 1. Let be two independent random Boolean variables, and then, the probability

With Property 1, if the probabilities of the differences in and were known, we could evaluate the probability of the difference in . It can be extended to the sum of four Boolean variables.

Property 2. Let be independent random Boolean variables, and then, the probability

In the following, we consider the difference probability of two Boolean variables’ products. Property 3 shows us how to evaluate the probability.

Property 3. Let be the same as defined in Property 1, and then, the probability

In Equations (2) and (3), there is no difference in the key bits or in the round constant, so , , and do not influence the probability of the difference.

Accordingly, we can derive the results as follows.

From Equation (2), we can obtain the formula to calculate the probability of : where

From Equation (3), we can obtain the formula to calculate the probability of : where

Using the two formulas, Algorithm 2 calculates the probabilities of the differences in the update bits at every round after the conditions stop being applied. After a certain round, the probability stays at 1/2 for good. Before that, we can find the biased bit corresponding to the longest conditional differential characteristic.

Input: the set of probabilities of the difference for each bit of the 13-bit NLFSR at round ; the set of probabilities of the difference for each bit of the 19-bit NLFSR at round .
Output: : the set of probabilities of the differences for the update bits from round to round ; there are two update bits at each round.
;
;
;
for each round from to do
  the probability of the difference in the update bit of Equation (2), calculated from the current bit probabilities according to formulas (8) and (9);
  the probability of the difference in the update bit of Equation (3), calculated from the current bit probabilities according to formulas (10) and (11);
  ;
  ;
end
return the set of probabilities.
Algorithm 2. Calculating the probabilities of the differences in the update bits from round to round .

4. Application to KATAN32

We have applied the MILP method to KATAN32 for different numbers of rounds to obtain different differential characteristics and their minimum conditions. We choose the two results with fewer conditions in the early rounds.

For 64-round KATAN32 (the 64 rounds are modeled together in one MILP), the minimum number of conditions is 27. However, we cannot apply all of these conditions, since too many key bits and plaintext bits are involved in them, which would make the attack fail. We choose only 11 conditions from the first 23 rounds to impose in this analysis. Since the remaining conditions from round 24 onward are not applied, the difference propagation is no longer controlled, and more and more probabilities of differences in update bits tend to 1/2. We calculate the probabilities of and after round 23 and find that the probability of is always 1/2 from onward and the probability of is always 1/2 from onward. Before , we detect an obvious bias in . is generated at round 60 and is the rightmost bit of the 19-bit NLFSR at round 79. Using the bias of , we can recover 10 equivalent key bits of 79-round KATAN32.

For 77-round KATAN32, the minimum number of conditions is 34. We only impose seven conditions from the first 16 rounds and recover four equivalent key bits of the 81-round KATAN32 with a bias in . is generated at round 62 and is the rightmost bit of the 19-bit NLFSR at round 81.

In this section, we present the details of our analysis and attacks on these two results.

4.1. Key-Recovery Attack on 79-Round KATAN32

The differential characteristic of 64-round KATAN32 has the initial difference of weight six at the positions of the plaintext block, . We only apply 11 conditions in the first 23 rounds.

At round 1, we have , and we impose conditions . At round 3, we have , and we impose conditions . At round 6, we have , and we impose the condition

At round 8, we have , and we impose the condition

At round 10, we have , and we impose the condition . At round 12, we have , and we impose the condition

At round 14, we have , and we impose the condition

At round 19, we have . If we tried to impose the condition , it would involve too many variables, making the attack infeasible because of the high computational complexity. So we skip this condition and assume . At round 21, we have , and we impose the condition

At round 23, we have , and we impose the condition

The difference propagation and the conditions applied are presented in Table 6.

After imposing these conditions, we obtain the probability of difference in each bit at round 24 as follows: (0, 0, 0, 0, 0, 0, 0, 0, 1/2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0).

According to Algorithm 2, we can compute the bias of the difference in the update bit for each round after round 24 and find that starting from the probability of would always be 1/2. Among the bits whose positions are very close to , has the maximum biased difference, shown as follows:

We confirmed the strongly biased difference in bit experimentally. Consider the conditions applied. There are ten equivalent key bits , , , , , , , , , and 21 bits of plaintext , , , , , , , , , , , , , , , , , , , , involved in the conditions. We choose keys in which the bits are free and the remaining bits are fixed. For each key, we enumerate plaintexts in which the 21 bits involved in the conditions are free and the other bits are zero. We then use conditions (12)–(17) to filter the plaintexts; if a plaintext satisfies the conditions, we calculate with the initial difference and finally count . The complexity of each experiment is less than evaluations of 60-round KATAN32, because not every plaintext passes the filtering. The experimental results verify the strongly biased difference in bit : in all 256 experiments, is lower than .

Furthermore, we can mount a key-recovery attack. Looking at conditions (12)–(17), we consider , , , , , , , , , , the 10 equivalent key bits, as ten variables. In a key-recovery attack, since the key is unknown to the attacker, we enumerate guesses of these ten equivalent key bits. For each guess, similar to the verification, we use conditions (12)–(17) to filter plaintexts of which the 21 bits involved in conditions (12)–(17) are free and other 11 bits are fixed to zero, then calculate with initial difference , and finally count .

When the guess is correct, plaintexts are filtered by the conditions corresponding to the correct guessed equivalent key bits, and then, shows the obvious bias. In the 1024 statistical results from guesses of 10 equivalent key bits, the maximum bias in the results corresponds to the ten equivalent key bits’ correct values. This allows us to recover , , , , , , , , , , with experimental complexity less than evaluations of the 60-round KATAN32 encryption. We randomly choose four 80-bit keys and mount four key-recovery attack experiments and each time the ten equivalent key bits can be recovered correctly, as shown by the results listed in Table 7.

4.2. Key-Recovery Attack on 81-Round KATAN32

The initial difference of the differential characteristic of 77-round KATAN32 has weight three, at positions 7, 18, and 28 of the plaintext block, .

At round 1, we have and then impose the condition to prevent difference propagation.

Similarly, at round , we have , so we require bits to be zero.

At round 12, we have , and we impose the condition

At round 14, we have and we impose the condition

At round 16, we have and we impose the condition

The difference propagation and the conditions applied are presented in Table 8. After imposing these conditions, we obtain the probability of difference in each bit at round 17 as follows: .

We compute the bias of the update bit of each round from the 17th round and find that starting from the probability of would always be 1/2. Among the bits whose positions are very close to , has the maximum biased difference, shown as follows:

We experimentally verified the strongly biased difference in bit . There are four equivalent key bits and 16 bits of plaintext , , , , , , , , , , , , , , , in conditions (19)–(21). We choose keys of which are free and the other bits are fixed. For each key, we enumerate plaintexts in which the 16 bits involved in the conditions are free and the other bits are fixed to 0. We then use conditions (19)–(21) to filter the plaintexts, and if a plaintext satisfies the conditions, we calculate with the initial difference and count . The complexity of each experiment is less than evaluations of 62-round KATAN32. In all 16 experiments, is greater than .

We now describe how to mount the key-recovery attack. Looking at conditions (19)–(21), we treat these four equivalent key bits as four Boolean variables. There are 16 bits of plaintext involved in conditions (19)–(21). To enlarge the space of plaintexts that survive filtering, we choose three other plaintext bits not involved in any condition as additional free bits, in addition to the 16 bits of plaintext involved in conditions (19)–(21). For each of the guesses of these four variables, we use conditions (19)–(21) to filter the plaintexts enumerated by the 19 bits we just chose, with the remaining 13 bits fixed to 0. We then calculate with initial difference and calculate . In the 16 statistical results obtained from the 16 guesses of the four equivalent key bits, the maximum bias corresponds to the correct value of the four equivalent key bits, allowing us to recover . The complexity of the experiment is less than evaluations of the 62-round KATAN32 encryption. We choose five 80-bit keys randomly and mount five key-recovery attack experiments; each time the four equivalent key bits are correctly recovered. The results of these five key-recovery attack experiments are listed in Table 9.

5. Extension with the Standard Differential Attack

Combined with the standard differential attack, the conditional differential attack on 81-round KATAN32 can be extended to 97-round, 98-round, and 99-round key-recovery attacks.

5.1. Key-Recovery Attack on 97-Round KATAN32

Inspired by the technique in [34], which represents the dependence of an intermediate state on the output algebraically, we express the intermediate state algebraically in terms of the ciphertext and the round keys.

Using Equations (2) and (3), we obtain the expression of in the decryption direction:

Suppose the output bits of 97-round KATAN32 corresponding to plaintext are and , and the output bits of 97-round KATAN32 corresponding to plaintext are and . In the decryption direction, can be expressed in terms of the round keys and the ciphertext of 97-round KATAN32 by applying Equations (23) and (24) iteratively.

According to this expression, one can calculate from the ciphertexts of 97-round KATAN32 and six equivalent key bits . We extend the attack described in Section 4.2 to 97 rounds. The plaintexts that pass the condition filter are encrypted to ciphertexts by 97-round KATAN32. can then be computed from the ciphertexts of 97-round KATAN32 and the guessed values of these six equivalent key bits . For every guess of the ten equivalent key bits ( ), we calculate and count over the set of filtered plaintexts. If the guess is correct, shows an obvious bias. The computational cost of the experiment is less than encryptions of 97-round KATAN32. We mount five key-recovery attack experiments with the same key as the experiments in Section 4.2, and each time the ten equivalent key bits are correctly recovered.
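The following Python model is added here as an illustration; it is not part of the paper or of the authors' released source code. It implements the KATAN32 round function from the cipher specification (register sizes, taps, IR generator, and key schedule) and the two operations that the attacks of Sections 4.2 and 5.1 are built from: measuring the bias of every state-bit difference after r rounds over plaintexts with chosen free bits (optionally filtered by a condition predicate), and stepping a ciphertext back through the last rounds using only the round-key bits of those rounds, which is the decryption-direction expression of the intermediate state. The bit-numbering convention (plaintext bit i goes to L2[i] for i < 19 and to L1[i-19] otherwise, key bits taken LSB first), the sample key, and the choice of free bits are assumptions of this example and may differ from the paper's numbering; the paper's conditions (19)–(21) and its equivalent key bits are not reproduced, and the `cond` argument is the hook where such conditions would be applied.

```python
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

# KATAN32 parameters from the cipher specification: L1 has 13 bits, L2 has 19.
X = (12, 7, 8, 5, 3)          # taps of fa on L1
Y = (18, 7, 12, 10, 8, 3)     # taps of fb on L2
N_ROUNDS = 254

def irregular_update() -> List[int]:
    """IR sequence: 8-bit LFSR, feedback x^8+x^7+x^5+x^3+1, initialised to all ones."""
    a = [1] * 8
    while len(a) < N_ROUNDS + 1:
        a.append(a[-3] ^ a[-5] ^ a[-7] ^ a[-8])
    return a[1:N_ROUNDS + 1]           # begins 1111111000110101...

IR = irregular_update()

def expand_key(key: int) -> List[int]:
    """k_0..k_79 are the key bits (assumed LSB first); k_i = k_{i-80}^k_{i-61}^k_{i-50}^k_{i-13}."""
    k = [(key >> i) & 1 for i in range(80)]
    for i in range(80, 2 * N_ROUNDS):
        k.append(k[i - 80] ^ k[i - 61] ^ k[i - 50] ^ k[i - 13])
    return k

def load(x: int) -> Tuple[List[int], List[int]]:
    """Assumed convention: bit i (0 = LSB) -> L2[i] for i < 19, L1[i-19] otherwise."""
    bits = [(x >> i) & 1 for i in range(32)]
    return bits[19:], bits[:19]

def unload(L1: List[int], L2: List[int]) -> int:
    return sum(b << i for i, b in enumerate(L2 + L1))

def round_forward(L1, L2, ka, kb, ir):
    fa = L1[X[0]] ^ L1[X[1]] ^ (L1[X[2]] & L1[X[3]]) ^ (L1[X[4]] & ir) ^ ka
    fb = L2[Y[0]] ^ L2[Y[1]] ^ (L2[Y[2]] & L2[Y[3]]) ^ (L2[Y[4]] & L2[Y[5]]) ^ kb
    return [fb] + L1[:-1], [fa] + L2[:-1]   # MSBs fall off; fb -> L1[0], fa -> L2[0]

def round_backward(L1, L2, ka, kb, ir):
    """Decryption direction: L1[0], L2[0] are the fb, fa of the previous state;
    the bits that fell off are recovered by solving fa and fb for them."""
    fb, fa = L1[0], L2[0]
    L1, L2 = L1[1:] + [0], L2[1:] + [0]
    L1[12] = fa ^ L1[X[1]] ^ (L1[X[2]] & L1[X[3]]) ^ (L1[X[4]] & ir) ^ ka
    L2[18] = fb ^ L2[Y[1]] ^ (L2[Y[2]] & L2[Y[3]]) ^ (L2[Y[4]] & L2[Y[5]]) ^ kb
    return L1, L2

def encrypt(p: int, key: int, rounds: int = N_ROUNDS) -> int:
    k, (L1, L2) = expand_key(key), load(p)
    for i in range(rounds):
        L1, L2 = round_forward(L1, L2, k[2 * i], k[2 * i + 1], IR[i])
    return unload(L1, L2)

def state_before(c: int, round_keys: List[int], end_round: int, start_round: int) -> int:
    """State after `start_round` rounds, computed from the output of `end_round` rounds and
    only the round-key bits k_{2*start_round} .. k_{2*end_round-1} (what an attack guesses)."""
    L1, L2 = load(c)
    for i in reversed(range(start_round, end_round)):
        j = 2 * (i - start_round)
        L1, L2 = round_backward(L1, L2, round_keys[j], round_keys[j + 1], IR[i])
    return unload(L1, L2)

def decrypt(c: int, key: int, rounds: int = N_ROUNDS) -> int:
    return state_before(c, expand_key(key)[:2 * rounds], rounds, 0)

def difference_biases(delta: int, free_bits: List[int], rounds: int, key: int, base: int = 0,
                      cond: Optional[Callable[[int], bool]] = None) -> Dict[int, float]:
    """Pr[bit b of E_r(p) ^ E_r(p ^ delta) == 0] - 1/2 for every state bit b, over the
    plaintexts obtained by varying `free_bits` of `base` (all other bits fixed) and,
    if `cond` is given, keeping only those that satisfy the imposed conditions."""
    zeros, n = [0] * 32, 0
    for values in product((0, 1), repeat=len(free_bits)):
        p = base
        for bit, v in zip(free_bits, values):
            p = (p & ~(1 << bit)) | (v << bit)
        if cond is not None and not cond(p):
            continue
        d = encrypt(p, key, rounds) ^ encrypt(p ^ delta, key, rounds)
        for b in range(32):
            zeros[b] += 1 - ((d >> b) & 1)
        n += 1
    if n == 0:
        raise ValueError("no plaintext satisfies the conditions")
    return {b: zeros[b] / n - 0.5 for b in range(32)}

def most_biased_bit(biases: Dict[int, float]) -> int:
    """Candidate distinguisher bit: the one with the largest |bias|."""
    return max(biases, key=lambda b: abs(biases[b]))

if __name__ == "__main__":
    delta = (1 << 7) | (1 << 18) | (1 << 28)   # the paper's initial difference positions
    key = 0x0123456789ABCDEF0123                 # constructed 80-bit key
    bias = difference_biases(delta, list(range(10)), 12, key)
    b = most_biased_bit(bias)
    print(f"most biased bit after 12 rounds: {b}, bias {bias[b]:+.3f}")
```

Under this numbering, the initial difference at bits 7, 18, and 28 puts differences into L2[18] and L2[7], which cancel in fb during round 1, so the state difference after one round is exactly bits 8 and 29 for every plaintext; from round 2 onward the AND terms make the difference plaintext-dependent and eventually key-dependent, which is where imposed conditions start to matter. For the extension of Section 5, `state_before` with the correct round-key bits of the last rounds reproduces the state after round 81 exactly; since a wrong key bit is XORed identically into both texts of a pair when a round is inverted, a wrong guess only changes the difference once a recovered bit feeds an AND gate in a later backward step, which is why several rounds of partial decryption are needed before the bias separates the guesses.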

5.2. Key-Recovery Attack on 98-Round KATAN32

Suppose the output bits of 98-round KATAN32 corresponding to plaintext are and , and the output bits corresponding to plaintext are and . In the decryption direction, can be expressed using the round keys and the ciphertext of 98-round KATAN32.

The expression contains seven equivalent key bits , , , , , , , so the computational cost of the key-recovery attack is less than times that of 98-round KATAN32 encryption. In this attack, 11 equivalent key bits , , , , , , , , , , can be correctly recovered. Each experiment requires about 2.4 hours on a 2.5 GHz PC with our implementation.

5.3. Key-Recovery Attack on 99-Round KATAN32

Suppose the output bits of 99-round KATAN32 corresponding to plaintext are and , and the output bits corresponding to plaintext are and . In the decryption direction, can be expressed using the round keys and the ciphertext of 99-round KATAN32.

The expression contains nine equivalent key bits , , , , , , , , , so the computational cost of the key-recovery attack is less than times that of 99-round KATAN32 encryption. In this attack, 13 equivalent key bits , , , , , , , , , , , , can be correctly recovered. Each experiment requires about 9.64 hours on a 2.5 GHz PC with our implementation.

It is thus possible to extend the conditional differential attack on 81-round KATAN32 to 114 rounds, with a computational cost of less than times that of 114-round KATAN32 encryption.

6. Conclusion

Conditional differential analysis of NLFSRs is quite a recent research topic. We advance research in this direction by applying Mixed Integer Linear Programming to the NLFSR-based block cipher KATAN32, a typical and well-designed lightweight block cipher. This is the first application of MILP to the automatic search for conditional differential trails. Using MILP lets us efficiently obtain the initial difference and the conditions of the conditional differential analysis. We propose a new method to quickly calculate the probability of a difference in order to detect the bit with a bias. We apply the improved conditional differential analysis to KATAN32 and obtain two results, recovering ten equivalent key bits of 79-round KATAN32 and four equivalent key bits of 81-round KATAN32, respectively.

Combined with the standard differential attack, we extend the 81-round conditional key-recovery attack to 99 rounds, with a time complexity of encryptions of 99-round KATAN32, and recover 13 equivalent key bits. Compared with the previously best practical distinguisher on KATAN32, our results extend the number of rounds by more than seven with less computation time and memory. We believe both strategies generalize to NLFSR-based ciphers. Applying these two strategies to other NLFSR-based ciphers will be one topic of interest in our future work.

Data Availability

All of our source codes and experiment results are available at https://www.dropbox.com/sh/028s4f06f363b2h/AADItFkz-N1KaAMZR7nIPTawa?dl=0.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (61672330 and 11771256).