Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck

We propose the first adaptation of Matsui's algorithm for finding the best differential and linear trails to the class of ARX ciphers. It is based on a branch-and-bound search strategy, does not use any heuristics and returns optimal results. The practical application of the new algorithm is demonstrated on reduced round variants of block ciphers from the Speck family. More specifically, we report the probabilities of the best differential trails for up to 10, 9, 8, 7, and 7 rounds of Speck32, Speck48, Speck64, Speck96 and Speck128 respectively, together with the exact number of differential trails that have the best probability. The new results are used to compute bounds, under the Markov assumption, on the security of Speck against single-trail differential cryptanalysis. Finally, we propose two new ARX primitives with provable bounds against single-trail differential and linear cryptanalysis -- a long standing open problem in the area of ARX design

A Survey of ARX-based Symmetric-key Primitives

Addition Rotation XOR is suitable for fast implementation symmetric –key primitives, such as stream and block ciphers. This paper presents a review of several block and stream ciphers based on ARX construction followed by the discussion on the security analysis of symmetric key primitives where the best attack for every cipher was carried out. We benchmark the implementation on software and hardware according to the evaluation metrics. Therefore, this paper aims at providing a reference for a better selection of ARX design strategy

Automatic Search for Differential Trails in ARX Ciphers

We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations. The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: https://github.com/vesselinux/yaarx

Proposing an MILP-based method for the experimental verification of difference-based trails: application to SPECK, SIMECK

Under embargo until: 2022-07-08Searching for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some published difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers SIMECK, and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak key from the target weak key space. For example, in one of the reported 14-round RX trails of SPECK, the probability of a key pair to be a weak key is 2−94.91 when the whole key space is 296; our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method to SPECK block cipher, to construct longer related-key differential trails of SPECK which we could reach 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational-XOR cryptanalysis on SPECK.acceptedVersio

Mind the Gap - A Closer Look at the Security of Block Ciphers against Differential Cryptanalysis

Resistance against differential cryptanalysis is an important design criteria for any modern block cipher and most designs rely on finding some upper bound on probability of single differential characteristics. However, already at EUROCRYPT'91, Lai et al. comprehended that differential cryptanalysis rather uses differentials instead of single characteristics. In this paper, we consider exactly the gap between these two approaches and investigate this gap in the context of recent lightweight cryptographic primitives. This shows that for many recent designs like Midori, Skinny or Sparx one has to be careful as bounds from counting the number of active S-boxes only give an inaccurate evaluation of the best differential distinguishers. For several designs we found new differential distinguishers and show how this gap evolves. We found an 8-round differential distinguisher for Skinny-64 with a probability of 2−56.932−56.93, while the best single characteristic only suggests a probability of 2−722−72. Our approach is integrated into publicly available tools and can easily be used when developing new cryptographic primitives. Moreover, as differential cryptanalysis is critically dependent on the distribution over the keys for the probability of differentials, we provide experiments for some of these new differentials found, in order to confirm that our estimates for the probability are correct. While for Skinny-64 the distribution over the keys follows a Poisson distribution, as one would expect, we noticed that Speck-64 follows a bimodal distribution, and the distribution of Midori-64 suggests a large class of weak keys

Finding Differential Paths in ARX Ciphers through Nested Monte-Carlo Search

We propose the adaptation of Nested Monte-Carlo Search algorithm for finding differential trails in the class of ARX ciphers. The practical application of the algorithm is demonstrated on round-reduced variants of block ciphers from the SPECK family. More specifically, we report the best differential trails,up to 9 rounds, for SPECK32

A Bit-Vector Differential Model for the Modular Addition by a Constant

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR, which achieve the best software performances in low-end microcontrollers. To evaluate the resistance of an ARX cipher against differential cryptanalysis and its variants, the recent automated methods employ constraint satisfaction solvers, such as SMT solvers, to search for optimal characteristics. The main difficulty to formulate this search as a constraint satisfaction problem is obtaining the differential models of the non-linear operations, that is, the constraints describing the differential probability of each non-linear operation of the cipher. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains O(log2(n)) basic bit-vector constraints and describes the binary logarithm of the differential probability. We also represent an SMT-based automated method to look for differential characteristics of ARX, including constant additions, and we provide an open-source tool ArxPy to find ARX differential characteristics in a fully automated way. To provide some examples, we have searched for related-key differential characteristics of TEA, XTEA, HIGHT, and LEA, obtaining better results than previous works. Our differential model and our automated tool allow cipher designers to select the best constant inputs for modular additions and cryptanalysts to evaluate the resistance of ARX ciphers against differential attacks.acceptedVersio

A new intelligent hybrid encryption algorithm for IoT data based on modified PRESENT-Speck and novel 5D chaotic system

Modern application based on IoT sensors/devices are growth in several fields. In several cases, the sensing data needs to be secure in transmission to control / administrator side. In this paper, the proposed secure Internet of Things data sensing and proposed algorithms will be explained, based on the main overarching novel 5-D Hyper chaotic system and new encryption mechanisms (contains hybrid encryption and two modified encryption algorithms) controlled by Fuzzy rules. The encryption mechanism combined by using the structure of PRESENT and SPECK algorithm with novel 5-D chaotic system. Also, for encryption will use the modified mechanisms of Round steps in PRESENT algorithm by SPEECK which were adopted on an IoT sensing data transferring. This proposed system provides a high level of security for any sensitive information that may be generated from sensors that may be installed in an important location to protect buildings and offices from theft by making certain modifications to the algorithms necessary to maintain the safety and security of the information, etc., which must be protected from Attacks. This system is designed to be effective in providing security features for data contents that include confidentiality, authentication and non-repudiation, and is compatible with all types of remote sensing data and sensors to send the final notification to the final administrator view. The proposed system is designed to provide users with high flexibility and ease in managing change operations, speeding up encryption operations and intruding the contents of message packets (types and forms of different sensor data) at the point of origin and decrypting and checking packet integrity messages upon receipt. These features make users of this system more confident with each other. The proposed encryption mechanism and novel chaotic system passed different testes. The generated chaos key space at least 22560probable different combinations of the secret keys to break the system used brute force attack