
1 Introduction

Differential attack is one of the most powerful techniques for the cryptanalysis of block ciphers [4]. For new block ciphers, it is a mandatory design criterion to provide proof of resistance against the differential attack [6]. The high probability relations between the input and output differences of a block cipher are utilized to distinguish it from the uniform distribution [5]. We need a differential characteristic with the probability of \(2^{-p}\), where \(p\lll n\), to mount the attack on n-bit block cipher [16]. To estimate the strength of a block cipher against differential attack, we calculate a lower bound on the number of active S-boxes in a differential characteristic. Then, an upper bound on the probability is estimated using this lower bound and maximum differential probability of the S-box [18]. Initially, branch-and-bound based techniques were used to search the high probability differential characteristics [19, 23]. Nowadays, automated solvers based on mixed integer linear programming (MILP) [24], satisfiability modulo theory (SAT/SMT) [10], constraint programming (CP) problems [13, 33], and machine learning based techniques [14, 34] are used to test the differential attack resistance. In 2012, MILP-aided differential cryptanalysis for block ciphers was proposed by Mouha et al. This technique proved to be very successful to mount the differential attack on block ciphers.

Mixed integer linear programming is used frequently to solve optimization problems. MILP deals with optimizing the objective function \(f(x_1,x_2,\cdots ,x_n)\) subject to a set of linear inequalities \(Ax \le b\) which involves decision variables \(x_i, 1\le i \le n\) with restrictions on certain variables to take integer values. We can convert the differential characteristic search problem into a MILP model [24]. Then, optimization problem solvers (viz. Gurobi [15] and CPLEX [11]) are used to solve the MILP model to get a lower bound on the number of active S-boxes and search for high probability differential characteristics. The linear layers (viz. key addition and permutation layer) of a block cipher are easily converted into linear inequalities. The S-box is a non-linear component of the block cipher and the DDT of the S-box is used to write the linear inequalities satisfying each possible propagation. This set contains a large number of inequalities and it becomes hard to solve the MILP model based on this set. Therefore, the number of inequalities must be minimized to obtain the solution efficiently. Various methods have been proposed in the literature to optimize the number of inequalities in this set.

Mouha et al. showed the use of MILP in differential cryptanalysis of block ciphers and used optimization solvers to get the security bounds [24]. They presented a framework to get the least number of active S-boxes in a differential characteristic of word oriented ciphers. This technique was illustrated on Advanced Encryption Standard (AES) and least number of active S-boxes in 4-round differential characteristic of AES were obtained by solving the MILP model.

Sun et al. extended the use of MILP for bit oriented ciphers and two methods based on logical condition modeling and convex hull computation were proposed to get the MILP model of S-box [27, 28]. The DDT of S-box was used to write the linear inequalities for possible propagations using the SageMath tool [29]. Then greedy search algorithm was used to reduce the number of inequalities in this model. For a 4-bit S-box, the reduced set contains about 30 inequalities. Due to the limitation of SageMath, this method is not practical for the S-box of size greater than 6-bit. Sasaki and Todo proposed another method for MILP modeling of S-box to reduce the number of inequalities [30,31,32]. They proposed a MILP based method to reduce the inequalities using impossible propagations in the DDT. For a 4-bit S-box, this method provides around 20 linear inequalities that are used to minimize the number of active S-boxes. This method was also used to model the MILP problem for lightweight block cipher WARP [20]. This method uses SageMath to write the inequalities, therefore it also does not work for S-boxes of size more than 6-bit.

For an 8-bit S-box, 16 variables are needed to write the linear inequalities for possible and impossible difference transitions in the DDT. For large S-boxes, Abdelkhalek et al. generated the linear inequalities using Logic Friday [22] (based on the Espresso algorithm). The pb-DDT approach was proposed to optimize the probability of a differential characteristic by separating the DDT into multiple tables according to the probabilities. Boura and Coggia [8] proposed another approach to generate and minimize the number of linear inequalities for 8-bit S-boxes based on the impossible transitions in the DDT. This method was used to minimize the number of linear inequalities for the AES S-box in [8]. The time complexity to get the 2882 linear inequalities for the AES S-box was 22 days. They did not mention the number of linear inequalities for the partial or full DDT that will be required to optimize the probability of differential characteristics.

Our Contribution: The existing works focused on minimizing the number of linear inequalities to represent the DDT of large S-boxes. However, the time complexity to minimize the number of inequalities for large S-boxes was several days [8]. Our aim is to generate a minimized set of linear inequalities within a practical time limit (\(\le \)5 h). We present a new method to generate the additional set of linear inequalities using the intermediate output of the QM algorithm and get the minimized set of linear inequalities in practical time. We also solve the MILP model to optimize the number of active S-boxes in PIPO using two different sets of linear inequalities. These experiments show that there is no significant difference in the time complexity to solve the MILP problem using a large or small set of linear inequalities. For the probability optimization part, we generate the linear inequalities for the full DDT using our tool MILES (based on Espresso). We show the application of MILES to search the differential, impossible differential and related-key differential characteristics of the lightweight block cipher PIPO-64/128 [17]. We achieve the designer’s bound for differential and impossible differential characteristics. We present the full round related-key differential distinguishers and mount a key recovery attack on full round PIPO-64/128. Using MILES and MILP modeling of related-key differential search, we show the collisions in PIPO-64/128.

Organisation: The paper is organised as follows. In Sect. 2, we discuss MILP modeling of block ciphers with 8-bit S-boxes. We present approaches based on QM and Espresso algorithms to minimize the number of linear inequalities and compare the results for AES, SKINNY and PIPO S-boxes. In Sect. 3, we show the application of MILES to model the MILP problem to optimize the probability of differential characteristics in lightweight block cipher PIPO-64/128. The impossible differential characteristics search procedure is discussed and a full round related-key differential attack is presented. The paper is summarised with conclusion in Sect. 4.

2 MILP Based Differential Characteristic Search

To search the differential characteristics of a block cipher, the problem of optimizing the probability of differential characteristics is converted into the MILP problem. The objective function is the optimization of probabilities subject to the constraints based on linear inequalities. SPN and Feistel based block ciphers mainly consist of round key addition, substitution and permutation layers. The key addition layer does not contribute in the MILP model to search the differential characteristics. The input and output variables corresponding to the permutation layer are easily represented by linear inequalities. The substitution layer uses a non-linear S-box which cannot be easily represented by linear inequalities. SageMath is a popular tool that is used to obtain the linear inequalities using possible difference transitions in the DDT. In [31, 32], Sasaki and Todo proposed the impossible transitions based approach to design a MILP problem to minimize the number of linear inequalities. This approach was later used by many researchers to design the MILP models of various 4-bit S-boxes [35]. The linear inequalities of permutation and substitution layers are used to model the MILP problem, that is solved by MILP solver GUROBI [15] or CPLEX [11].

In general, MILP based differential characteristics search is a two-stage process. First, the number of active S-boxes is minimized, and then the probability of the differential characteristic is optimized using these active S-boxes. The outer and inner modules of MILP are designed corresponding to these stages. The outer module minimizes the number of active S-boxes while the inner module optimizes the probabilities of differential characteristics.

2.1 Modeling Large S-box

An S-box is a non-linear component and its DDT is converted into linear inequalities to model the MILP problem. SageMath is used to generate the linear inequalities for DDT of the S-box. For m-bit S-box, the size of DDT is \(2^m \times 2^m\) and it represents the number of occurrences of possible output differences corresponding to each input difference. SageMath uses the H-representation of convex hull to generate linear inequalities for the S-box. SageMath has practical-time limitation on the dimension of such convex hulls, so this method can be used to generate the linear inequalities for small S-boxes only. Therefore, this method cannot be used to model the outer module of MILP problem for S-boxes of size greater than 6 bits.

For large (8-bit) S-boxes, Abdelkhalek et al. [1] addressed this problem using the Espresso based tool Logic Friday [22] that reduces the inequalities by minimizing the product of sum of boolean functions. Boura and Coggia [8] proposed another method, inspired from QM algorithm, to reduce the number of linear inequalities of AES [26] and SKINNY [9] S-boxes. The proposed methods minimize the number of inequalities significantly in comparison to the existing approaches but at the cost of time and resources. The minimization process may take several days to get the reduced set of linear inequalities. The techniques presented in [1] and [8], were used to minimize the number of active S-boxes for 8-bit S-box based ciphers.

To optimize the probability of a differential characteristic, Abdelkhalek et al. used a pb-DDT based approach by separating the DDT for each probability [1]. These DDTs are represented by an 8-bit input difference and an 8-bit output difference. The method was proposed due to the limitation of Logic Friday in processing input with dimension more than 16. Although this method is used to optimize the probability of a differential characteristic, it may not be efficient due to the use of pb-DDT instead of the full DDT. Based on the full DDT of a 4-bit S-box, Sun et al. [28] suggested the method of using an extra variable for each unique probability. Using this method, linear inequalities will be generated in more than 16 input variables for an 8-bit S-box. As Logic Friday is unable to handle more than 16 input variables, we use an Espresso based tool, namely MILES (Appendix B and C), that handles more than 16 variables to minimize the set of linear inequalities. Linear inequalities generated from MILES are used to design the outer and inner modules of the MILP model which optimizes the probability of a differential characteristic.

2.2 Linear Inequalities for Minimization of Active S-boxes

Constructing linear inequalities for S-box is the first step towards the MILP modeling of differential attack. To minimize the number of active S-boxes, the MILP model requires linear inequalities corresponding to all possible transitions in DDT. Some of the existing approaches e.g. H-representation of convex hull and QM algorithm are not time efficient for large (\(n\ge 8\)-bit) S-boxes due to large dimension (2n). Espresso algorithm works efficiently for large S-boxes but provides a large set of minimized inequalities. To minimize the set of inequalities, Boura and Coggia [8] used prime implicants of QM algorithm to get an initial set of inequalities and proposed an algorithm to introduce a new set of inequalities. The combined set of linear inequalities is minimized by removing the impossible transitions [8, 28]. The proposed method reduces the number of inequalities significantly but the time complexity to achieve this reduction is very high. Although, smaller MILP model with lesser inequalities does not guarantee a faster solution, yet MILP model having less number of inequalities is a preferred choice.

We present a new method to minimize the number of linear inequalities for a large S-box within a practical time limit. This method uses the output of the QM algorithm partially and introduces a novel approach to add a better set of linear inequalities. The QM algorithm can be divided into three parts. In the first part (\(QM_1\)), it constructs prime implicants from impossible transitions of the DDT. In the second part (\(QM_2\)), prime implicants are reduced to get the essential prime implicants. These essential prime implicants are further reduced using the coverage approach in the third part (\(QM_3\)). In our method, we use the output of \(QM_2\) and introduce an inequality corresponding to each essential prime implicant \(a = (a_0,a_1,\cdots ,a_{n-1})\) (Eq. 1). Our method is applied in four phases as described in Algorithm 1. The set of initial inequalities (L) is constructed in phase 1 and a new set of linear inequalities is introduced using L in phase 2. For each impossible transition in the DDT, we add the inequalities which remove that impossible transition. We introduce an additional inequality corresponding to all possible transitions in the DDT. This inequality is constructed by adding all the inequalities in the set L. This inequality and the new linear inequalities (\(L_{new}\)) are combined with the initial set (L) to get a larger set of inequalities. In phase 3, we construct the MILP model to minimize the number of linear inequalities using the approach proposed in [28]. For each impossible transition, we add a constraint such that at least one inequality removing this transition remains in the minimized set. Using such constraints, we want to ensure that all impossible transitions are removed using the minimum number of linear inequalities. The objective of this MILP problem is minimization of the set of linear inequalities (L). In phase 4, we solve the MILP model using the GUROBI solver to get the minimized set of linear inequalities \((L_{min})\).

$$\begin{aligned} \sum _{i=0}^{n-1} \bigl( (1-a_i)x_i + a_i(1-x_i) \bigr) \ge 1 \end{aligned} \tag{1}$$
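The following sketch is an added example, not code from the paper or from MILES. It applies Eq. 1 to the impossible transitions of a 4-bit S-box (the PRESENT S-box, assumed here as a small stand-in for the 8-bit S-boxes), merges them into prime implicants with the first QM step, and picks a covering subset greedily in place of the phase 3 MILP; all function names are hypothetical, and phase 2 (\(L_{new}\)) is not modeled.

```python
# Added example: Eq. 1 on a small S-box. Names are illustrative, not from MILES.

# PRESENT 4-bit S-box (assumption: stand-in for the page's 8-bit S-boxes).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
M = 4  # S-box width in bits; a transition is a point in {0,1}^(2M)


def ddt(sbox):
    """table[dx][dy] = number of x with S(x) ^ S(x ^ dx) == dy."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def split_transitions(table):
    """Return (possible, impossible) sets of 2M-bit tuples (dx bits, dy bits)."""
    possible, impossible = set(), set()
    for dx, row in enumerate(table):
        for dy, count in enumerate(row):
            bits = format((dx << M) | dy, "0{}b".format(2 * M))
            point = tuple(int(b) for b in bits)
            (possible if count else impossible).add(point)
    return possible, impossible


def prime_implicants(points):
    """QM merging: combine cubes that differ in one fixed bit (None = don't-care)."""
    current, primes = set(points), set()
    while current:
        merged, used = set(), set()
        for cube in current:
            for i, bit in enumerate(cube):
                if bit != 0:
                    continue  # merge each pair once, from its 0-side
                partner = cube[:i] + (1,) + cube[i + 1:]
                if partner in current:
                    merged.add(cube[:i] + (None,) + cube[i + 1:])
                    used.update((cube, partner))
        primes |= current - used  # cubes that could not be merged further
        current = merged
    return primes


def inequality(cube):
    """Eq. 1 for one cube, as (coeffs, rhs) meaning sum(c_i * x_i) >= rhs.

    a_i = 0 contributes +x_i, a_i = 1 contributes (1 - x_i), and
    don't-care positions are left out of the sum.
    """
    coeffs = tuple(0 if a is None else 1 - 2 * a for a in cube)
    rhs = 1 - sum(1 for a in cube if a == 1)
    return coeffs, rhs


def satisfies(point, ineq):
    coeffs, rhs = ineq
    return sum(c * x for c, x in zip(coeffs, point)) >= rhs


def greedy_cover(ineqs, impossible):
    """Keep inequalities until every impossible point is cut off.

    Greedy stand-in for the MILP selection step described in the text.
    """
    cuts = {q: {p for p in impossible if not satisfies(p, q)} for q in ineqs}
    remaining, chosen = set(impossible), []
    while remaining:
        best = max(cuts, key=lambda q: len(cuts[q] & remaining))
        chosen.append(best)
        remaining -= cuts[best]
    return chosen


def minimized_inequalities(sbox=SBOX):
    possible, impossible = split_transitions(ddt(sbox))
    ineqs = sorted({inequality(c) for c in prime_implicants(impossible)})
    return possible, impossible, ineqs, greedy_cover(ineqs, impossible)


if __name__ == "__main__":
    possible, impossible, ineqs, chosen = minimized_inequalities()
    print("possible transitions  :", len(possible))
    print("impossible transitions:", len(impossible))
    print("prime-implicant inequalities:", len(ineqs))
    print("kept after greedy cover     :", len(chosen))
```

Every possible transition satisfies all kept inequalities because a prime implicant covers only impossible points, which is the property the outer MILP module relies on.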

We compare the number of linear inequalities and time complexity of our algorithm with existing results for 8-bit S-boxes of AES, SKINNY-128 and PIPO-64/128 in Table 1. It is evident that our algorithm optimizes the trade-off between number of inequalities and time efficiency. For PIPO-64/128, we have solved the MILP model for active S-box minimization with 4476 inequalities constructed by MILES and 3276 inequalities constructed using Algorithm 1. The comparison of time to reach the lower bound is presented in Table 2. \(T_{OB}\) and \(T_{OS}\) represent the time to reach the optimal bound (OB) and the time to conclude that the given optimal bound is the optimal solution, respectively. It can be observed from Table 2 that \(T_{OS}\) is always lower for the larger set of inequalities (Model 1), which suggests that more constraints speed up the process of eliminating the impossible space. There is no such relation in \(T_{OB}\), which means that a smaller set of inequalities may not reach the optimal bound faster. The comparison concludes that fewer inequalities construct a smaller model but may not always yield a faster solution.

figure a
Table 1. Comparison of time required to minimize linear inequalities of S-box
Table 2. Comparison of time required (in seconds) to attain optimal bound/solution for PIPO-64/128 using different sets of linear inequalities

2.3 Linear Inequalities for Optimization of Probability

Once active S-boxes are minimized, the next step is to optimize the probability corresponding to these active S-boxes. To optimize the probability, construction of linear inequalities corresponding to each possible probabilistic transition in DDT is required. To construct such linear inequalities, Abdelkhalek et al. [1] used the approach to construct separate DDT for each probability. These pb-DDTs are used to construct linear inequalities in the same manner as described in Sect. 2.2. Linear inequalities for each pb-DDT can be generated either using Espresso or QM algorithm. QM based reduction depends on the characteristics of impossible transitions of the S-box and it needs to run for several days to provide a result. The algorithm proposed in [8] also suffers from similar drawback due to large number of impossible transitions in pb-DDTs. Due to the use of essential prime implicants in Algorithm 1, we get faster results than the existing approaches but still lack the time efficiency. There are some cases (Table 3) where the Algorithm 1 is not able to produce the result due to lesser number of possible transitions in DDT. The time complexity to produce the sets of minimized linear inequalities for each pb-DDT using MILES is less but each set contains the large number of inequalities. We compare the number of inequalities and execution time for pb-DDTs of AES, SKINNY and PIPO in Table 3.

The pb-DDT approach was proposed to overcome the limitation of Logic Friday since it becomes computationally infeasible to reduce the higher dimension inequalities of full DDT using Logic Friday. MILES uses the Espresso in its original form for reduction in higher dimension inequalities. Therefore, we can use the full DDT of S-box instead of pb-DDT. We use the approach proposed in [28] to construct the probability based possible transitions and introduce additional variable for each probability. We use MILES to construct the linear inequalities for these transitions and show that reduction using Espresso in higher dimension is faster than pb-DDT approach. Although, the use of full DDT may produce larger set of linear inequalities but it simplifies the MILP model as there is no need to choose different pb-DDT each time for an active S-box. We have already discussed (Table 2) that smaller set of linear inequalities doesn’t guarantee the faster solution for optimal bound but may take more time to conclude the optimal solution. For PIPO-64/128, we use the approach of additional variables to utilize full DDT and apply the Espresso to construct a minimized set of inequalities. These inequalities will be used to optimize the probability of differential characteristics in the next section.

Table 3. Comparison of time required (in seconds) to get minimized set of linear inequalities to represent pb-DDT, p-TT and f-TT

3 Application to Lightweight Block Cipher PIPO-64/128

Lightweight cryptography has become an important topic in cryptology [7] and NIST has also called for a competition to design the lightweight cryptographic primitives [25]. PIPO-64/128 is a lightweight block cipher which was recently proposed by Kim et al. at ICISC 2020 [17]. The design highlights are its security for side-channel protected and unprotected environments. Its diffusion layer is designed to optimize the efficiency in hardware as well as software applications. Its diffusion layer can be implemented in software using the cyclic shift rotations. For hardware applications, its diffusion layer can be visualised as bit permutation on 64 bits and can be implemented using wiring only. The 8-bit S-box is specifically designed for PIPO-64/128 so that it can be represented using the minimum number of non-linear equations. This also ensures the protection of the design against side channel attacks.

3.1 Specification of PIPO-64/128

PIPO-64/128 is a 64-bit lightweight block cipher with 128 and 256 bits key sizes [17]. It consists of 13/17 rounds for 128/256 bits key variants respectively. It is based on the substitution permutation network (SPN) structure. The lightweight 8-bit S-box, having differential branch number 3, is specifically designed for use in the confusion layer of PIPO-64/128. For each 8-bit word, the diffusion layer uses a cyclic rotation with different shift values for each word. The round function of PIPO-64/128 is explained by dividing it into an 8\(\times \)8 matrix. It applies the diffusion layer row-wise and the 8-bit S-box is applied column-wise. For each variant, a simple key selection algorithm is used. For a 128-bit key \(K = (K_1 \parallel K_0)\), the round keys are selected as \(RK_i = K_{i \bmod 2}, 0\le i \le 13\). For a 256-bit key \(K = (K_3 \parallel K_2 \parallel K_1 \parallel K_0)\), the round keys are selected as \(RK_i = K_{i \bmod 4}, 0\le i \le 17\).

figure b

For MILP modeling, we describe the encryption algorithm of PIPO-64/128 in a different way (Algorithm 2). Round function is described using substitution layer, permutation layer and add round key operations. Substitution layer applies 8-bit S-box (S) (Table 4) on 8 bits extracted from eight different positions of input and output bits from S-box are sent back to the same positions. Permutation layer uses a 64-bit permutation \((B_P)\) (Table 5) on the output from S-box layer. The round keys \((RK_i)\) and constants \((i=round\,number)\) are simply XOR-ed with the output of diffusion layer.

Table 4. 8-bit S-box of PIPO-64/128
Table 5. Bit permutation in PIPO-64/128
Table 6. Difference distribution table of PIPO-64/128

3.2 MILP Modeling for PIPO-64/128

The model for valid differential propagations of PIPO-64/128 is constructed bit-wise. In each round, subkey addition, S-box, and bit permutation operations are used. Block size in PIPO-64/128 is 64-bit and it consists of 13 rounds. For 64-bit plaintext difference, binary variables \(u_{63}, u_{62}, \cdots u_{0}\) represent active or inactive bits for first round. The variables to represent active or inactive bits in the difference after first round are updated to \(u_{127}, u_{126}, \cdots u_{64}\) and so on. The variables \(u_{832}, u_{831}, \cdots u_{768}\) represent the active or inactive bits in the ciphertext difference after 13 rounds. In first round, the variables representing the bits of input and output differences to S-box layer are represented as follows:

$$\begin{bmatrix} u_{7} &{} u_{6} &{} u_{5} &{} u_{4} &{} u_{3} &{} u_{2} &{} u_{1} &{} u_{0}\\ u_{15} &{} u_{14} &{} u_{13} &{} u_{12} &{} u_{11} &{} u_{10} &{} u_{9} &{} u_{8}\\ u_{23} &{} u_{22} &{} u_{21} &{} u_{20} &{} u_{19} &{} u_{18} &{} u_{17} &{} u_{16}\\ u_{31} &{} u_{30} &{} u_{29} &{} u_{28} &{} u_{27} &{} u_{26} &{} u_{25} &{} u_{24}\\ u_{39} &{} u_{38} &{} u_{37} &{} u_{36} &{} u_{35} &{} u_{34} &{} u_{33} &{} u_{32}\\ u_{47} &{} u_{46} &{} u_{45} &{} u_{44} &{} u_{43} &{} u_{42} &{} u_{41} &{} u_{40}\\ u_{55} &{} u_{54} &{} u_{53} &{} u_{52} &{} u_{51} &{} u_{50} &{} u_{49} &{} u_{48}\\ u_{63} &{} u_{62} &{} u_{61} &{} u_{60} &{} u_{59} &{} u_{58} &{} u_{57} &{} u_{56}\\ \end{bmatrix}\begin{matrix}\rightarrow \end{matrix} \begin{bmatrix} u_{71} &{} u_{70} &{} u_{69} &{} u_{68} &{} u_{67} &{} u_{66} &{} u_{65} &{} u_{64}\\ u_{78} &{} u_{77} &{} u_{76} &{} u_{75} &{} u_{74} &{} u_{73} &{} u_{72} &{} u_{79}\\ u_{83} &{} u_{82} &{} u_{81} &{} u_{80} &{} u_{87} &{} u_{86} &{} u_{85} &{} u_{84}\\ u_{90} &{} u_{89} &{} u_{88} &{} u_{95} &{} u_{94} &{} u_{93} &{} u_{92} &{} u_{91}\\ u_{101} &{} u_{100} &{} u_{99} &{} u_{98} &{} u_{97} &{} u_{96} &{} u_{103} &{} u_{102}\\ u_{108} &{} u_{107} &{} u_{106} &{} u_{105} &{} u_{104} &{} u_{111} &{} u_{110} &{} u_{109}\\ u_{112} &{} u_{119} &{} u_{118} &{} u_{117} &{} u_{116} &{} u_{115} &{} u_{114} &{} u_{113}\\ u_{121} &{} u_{120} &{} u_{127} &{} u_{126} &{} u_{125} &{} u_{124} &{} u_{123} &{} u_{122}\\ \end{bmatrix}$$

The permutation layer is applied on the output from S-box layer and output of the permutation layer which acts as an input to the second round is represented as follows:

$$ \begin{bmatrix} u_{71} &{} u_{70} &{} u_{69} &{} u_{68} &{} u_{67} &{} u_{66} &{} u_{65} &{} u_{64}\\ u_{79} &{} u_{78} &{} u_{77} &{} u_{76} &{} u_{75} &{} u_{74} &{} u_{73} &{} u_{72}\\ u_{87} &{} u_{86} &{} u_{85} &{} u_{84} &{} u_{83} &{} u_{82} &{} u_{81} &{} u_{80}\\ u_{95} &{} u_{94} &{} u_{93} &{} u_{92} &{} u_{91} &{} u_{90} &{} u_{89} &{} u_{88}\\ u_{103} &{} u_{102} &{} u_{101} &{} u_{100} &{} u_{99} &{} u_{98} &{} u_{97} &{} u_{96}\\ u_{111} &{} u_{110} &{} u_{109} &{} u_{108} &{} u_{107} &{} u_{106} &{} u_{105} &{} u_{104}\\ u_{119} &{} u_{118} &{} u_{117} &{} u_{116} &{} u_{115} &{} u_{114} &{} u_{113} &{} u_{112}\\ u_{127} &{} u_{126} &{} u_{125} &{} u_{124} &{} u_{123} &{} u_{122} &{} u_{121} &{} u_{120}\\ \end{bmatrix} $$

We describe all possible propagation patterns for S-box with a system of linear inequalities.

$$\text{e.g. } (u_7,u_6,u_5,u_4, u_3,u_2,u_1,u_0 \rightarrow u_{71},u_{70},u_{69},u_{68},u_{67},u_{66},u_{65},u_{64})$$

A variable takes the value ‘1’ if the corresponding bit has a difference and ‘0’ otherwise. A constraint \(u_0 + u_1 + \cdots + u_{63} \ge 1\) is added to ensure that the plaintext difference has at least one active bit.

Modeling 8-bit S-box. To model the 8-bit S-box of PIPO-64/128, we generate the DDT (Table 6) for each possible input and output difference (\(\varDelta _i, \varDelta _j\)) using MILES. The entry (i, j) in Table 6 corresponds to the number of occurrences of the output difference \(\varDelta _j\) when the input difference is set to \(\varDelta _i\). We get a 256\(\,\times \,\)256 DDT for an 8-bit S-box. A non-zero value in the DDT corresponds to a possible difference propagation and a zero value indicates an impossible propagation.

Linear Inequalities for Outer Module of MILP Model. The DDT generated in previous step is used in MILES to derive the truth table (\(\star \)-TT). The \(\star \)-TT of PIPO-64/128 contains 20621 entries which are further minimized by our tool. MILES minimizes the \(\star \)-TT to \(\star \)-TT\(_{min}\) with 4474 entries. We convert each entry of \(\star \)-TT\(_{min}\) into a linear inequality. We represent each entry of \(\star \)-TT\(_{min}\) using 16 binary variables (\(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, y_0, y_1, y_2, y_3, y_4, y_5, y_6, y_7\)), where first eight variables (\(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7\)) represent the input difference and remaining variables (\(y_0, y_1, y_2, y_3, y_4, y_5, y_6, y_7\)) represent the output difference. These linear inequalities are used as constraints in the outer module and minimization of number of active S-boxes is used as objective function.

Linear Inequalities for Inner Module of MILP Model. Differential probability of the S-box was used to design a MILP model by Sun et al. in [27] and this technique was also used by Zhu et al. to present the MILP based differential attack on round-reduced GIFT in [35]. We optimize the probability of differential characteristics in the inner module of the MILP model. For this purpose, we need the linear inequalities for all non-zero entries in the DDT, which correspond to the possible difference propagations and their probabilities. In the DDT of the PIPO-64/128 S-box, there are seven different values for the probability of possible difference propagations i.e. \(2^{-0}\), \(2^{-4.00}\), \(2^{-4.41}\), \( 2^{-4.67}\), \( 2^{-5.00}\), \(2^{-5.41}\), \(2^{-6.00} \), \(2^{-7.00} \) (Table 7). This requires seven extra binary variables to represent the probability of each possible propagation. MILES uses the DDT to generate a truth table (f-TT) with 20621 entries. Each entry of the f-TT is represented by 23 binary variables, where 16 input variables (\(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, y_0, y_1, y_2, y_3, y_4, y_5, y_6, y_7\)) represent the input and output differences. The remaining seven input variables (\(p_0, p_1, p_2, p_3, p_4, p_5, p_6\)) represent the probabilities of the corresponding difference propagations. MILES minimizes the f-TT to f-TT\(_{min}\), which results in 6035 entries in f-TT\(_{min}\). Each entry of f-TT\(_{min}\) is converted into a linear inequality using Eq. 1. This set of linear inequalities is used to optimize the probability of differential characteristics in the block cipher PIPO-64/128.

Table 7. Binary variables to encode the probabilities in DDT of PIPO-64/128

3.3 Differential Cryptanalysis of PIPO-64/128

We solve the MILP model using Gurobi solver [15] to optimize the probability of differential characteristics for PIPO-64/128. In the outer-MILP module, the objective function is to minimize the number of active S-boxes in the differential characteristics. We get 13 active S-boxes for 7 rounds differential characteristics in PIPO-64/128. The objective function for the inner-MILP module is to maximize the probability of differential characteristics using the positions of active S-boxes obtained in the outer module. The objective function is defined as minimization of Eq. 2 over active S-boxes (AS).

$$\begin{aligned} \sum _{\forall AS}\sum ^{6}_{i=0} -\log _2(Pr_i)\times (p_0 + p_1 + p_2 + p_3 + p_4 + p_5 + p_6) \end{aligned} \tag{2}$$

We constructed many differential characteristics for PIPO-64/128 reduced to 6/7 rounds. There does not exist any 6-round differential characteristic with probability better than \(2^{-54.4}\), and the best differential characteristic for 7-round PIPO-64/128 exists with the probability of \(2^{-65}\). We constructed the 7-round differential characteristics for PIPO-64/128 using the inequalities generated with MILES, as shown in Table 8.

Table 8. 7-round differential characteristics for PIPO-64/128

3.4 Impossible Differential Cryptanalysis of PIPO-64/128

Impossible differential attack is opposite to differential attack. The basic idea is to use zero probability differential characteristics in place of a high probability characteristic to filter out the wrong keys [3]. For this purpose, the zero probability characteristics are constructed by proving a contradiction between the two differential characteristics of probability one each. This approach is known as miss-in-the-middle technique to search an impossible differential characteristic. Nowadays, the MILP based technique is used to search these zero probability differential characteristics. The MILP model to search the high probability differential characteristics with some added constraint is used to search the impossible differential characteristic.

To search the impossible differential, we iterate over all \((\varDelta _i,\varDelta _o)\) pairs with one active bit in the input and output. For this purpose, additional constraints to fix the input and output differences are added in the MILP model. The Gurobi solver is used to solve the outer module of the MILP model as discussed in Sect. 3.2. The input and output differences corresponding to an infeasible solution are considered as an impossible differential characteristic. Using this method, we obtain the following 4-round impossible differential characteristics \((\varDelta _0,\varDelta _4)\). However, our bound for the impossible differential attack is similar to that of the designers' claim.

0000000000000000000000000000000000000000000000000000000000000001\(\rightarrow \)

0000000000000000000000000000000000000000000000000000000000010000

3.5 Related-Key Differential Distinguisher for PIPO-64/128

Resistance to related-key attacks was not considered by the designers of PIPO-64/128 and no security claim in the related-key setting is provided. In a differential attack, the adversary is allowed to choose a difference in the plaintexts and observe the differences in ciphertexts. In a related-key differential attack, the adversary is allowed to choose a relation (difference) in the key together with a relation (difference) in the plaintexts [2, 21]. The adversary is allowed to get the encryption of the first plaintext using the secret key, and a key related to this key is used to encrypt another plaintext. We model an MILP problem to search the related-key differential characteristic in PIPO-64/128.

3.5.1 MILP Model for Related-Key Differential Characteristic.

The secret key K is divided into two 64-bit keys \(K_0\) and \(K_1\), which are used as round subkeys in PIPO-64/128. To search for related-key differential characteristics, we model an MILP problem similar to the one described in Sect. 3.2. Additionally, we need to model the key addition layer and solve the MILP model in order to get the optimal related-key characteristics in PIPO-64/128 [27].

Modeling Key Addition Layer. We need to introduce additional constraints in the MILP model corresponding to the round keys. 128 new variables are introduced, corresponding to the 128-bit secret key. 64 of the key variables are added in one round and the other 64 key variables are added in the subsequent round. To add the constraints for the key addition layer, for each input bit \(x_i\) and key bit k, we impose the conditions on the bit variables that exclude the impossible patterns (Eq. 3). Here, \(x_i\) and k refer to the input bit and the corresponding key bit. The bit variable \(x_{i+1}\) is the output of the XOR operation, i.e. \(x_{i+1} = k \oplus x_i\).

$$\begin{aligned} x_i + k - x_{i+1}&\ge 0\\ x_i - k + x_{i+1}&\ge 0\\ -x_i + k + x_{i+1}&\ge 0\\ x_i + k + x_{i+1}&\le 2 \end{aligned} \tag{3}$$
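Each inequality of Eq. 3 removes exactly one of the four bit patterns that violate \(x_{i+1} = k \oplus x_i\). The following Python sketch is an added example, not the authors' code: it derives the cuts from the impossible patterns, checks them against Eq. 3, and emits them for one 64-bit key addition. The helper names and the variable naming (`x_r_j`, `k0_j`/`k1_j`, `y_r_j`) are assumptions made for illustration.

```python
from itertools import product

def xor_impossible_patterns():
    """Points (x_i, k, x_{i+1}) that violate x_{i+1} = k XOR x_i."""
    return [p for p in product((0, 1), repeat=3) if p[0] ^ p[1] != p[2]]

def exclusion_cut(point):
    """Cut (coeffs, rhs), read as coeffs . v >= rhs, violated only at v == point.

    Start from sum_{p_j=0} v_j + sum_{p_j=1} (1 - v_j) >= 1 and move the
    constants to the right-hand side.
    """
    coeffs = tuple(-1 if bit else 1 for bit in point)
    return coeffs, 1 - sum(point)

def derive_xor_cuts():
    """One cut per impossible pattern of the XOR."""
    return [exclusion_cut(p) for p in xor_impossible_patterns()]

def feasible_points(cuts):
    """All 0/1 points that satisfy every cut."""
    return [v for v in product((0, 1), repeat=3)
            if all(sum(c * x for c, x in zip(co, v)) >= rhs for co, rhs in cuts)]

# Eq. 3 as printed, with x_i + k + x_{i+1} <= 2 rewritten as -x_i - k - x_{i+1} >= -2.
EQ3 = [((1, 1, -1), 0), ((1, -1, 1), 0), ((-1, 1, 1), 0), ((-1, -1, -1), -2)]

def key_addition_lp(round_no, n_bits=64):
    """LP-style constraint lines for one round's key addition.

    Assumed naming: x_r_j = state bit before the XOR, y_r_j = after it,
    k0_j / k1_j = difference bits of K_0 (even rounds) / K_1 (odd rounds).
    """
    half = round_no % 2
    lines = []
    for j in range(n_bits):
        names = (f"x_{round_no}_{j}", f"k{half}_{j}", f"y_{round_no}_{j}")
        for coeffs, rhs in derive_xor_cuts():
            lhs = " ".join(f"{'+' if c > 0 else '-'} {n}" for c, n in zip(coeffs, names))
            lines.append(f"{lhs} >= {rhs}")
    return lines

if __name__ == "__main__":
    assert set(derive_xor_cuts()) == set(EQ3)
    print(feasible_points(EQ3))
    print(len(key_addition_lp(1)), key_addition_lp(1)[:4])
```

The same point-exclusion construction applies to any small Boolean relation, which is why the four cuts coincide with Eq. 3 for the three-variable XOR.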

3.5.2 Full-Round Related-Key Differential Distinguisher.

We solve the MILP model to search for related-key differential characteristics using the Gurobi solver. We get a 2-round iterative related-key characteristic with a probability of \(2^{-4}\). The optimal related-key differential characteristic for full-round PIPO-64/128 is obtained with a probability of \(2^{-24}\) using the 2-round iterative characteristic (Table 9). We also get full-round characteristics with a probability of \(2^{-28}\) under zero difference in the plaintext as well as in the ciphertext (Table 10).

3.5.3 Collisions in PIPO-64/128.

The zero difference related-key characteristics will lead to a collision in a hash function designed using PIPO-64/128. We searched for input and output pairs under different keys that follow the zero difference characteristic (a collision). We encrypt \(2^{28}\) random samples under related keys, and one such pair is expected in each experiment. Therefore, we can construct as many samples as we want that give a collision in the input and output under different keys. We have verified these plaintext and ciphertext samples using the designers' program. One such collision in PIPO-64/128 is presented in Table 10. We have also provided other samples showing a collision in Appendix A.

Table 9. 13-round (related-key) differential characteristic for PIPO-64/128 with probability \(2^{-24}\)
Table 10. Zero difference characteristics with an example of collision
Table 11. Related-key differential attack on 13-round PIPO-64/128

3.6 Related-Key Differential Attack on Full-round PIPO-64/128

We use the related-key differential characteristic described in Table 10 to present a full-round differential attack on PIPO-64/128. We used an 11-round differential characteristic \((\varDelta _1 \rightarrow \varDelta _{12})\) with a probability of \(2^{-20}\) and added one round at the beginning as well as at the end of the characteristic (Table 11). Using the 11-round differential characteristic, we can launch a key recovery attack on the 13-round PIPO-64/128. The 11-round characteristic is chosen in particular to maximize the number of recovered key bits. In each round, a 64-bit round key is required, and it is extracted directly from the 128-bit key \(K= (K_1,K_0)\). The key \(K_0\) is used for whitening and for the even numbered rounds, while the odd numbered rounds use the key \(K_1\). We need to guess the round key bits which correspond to the active S-boxes.

3.6.1 Data Collection

We can build \(2^n (n \le 56)\) structures corresponding to the fixed bits in the input difference (\(\varDelta _0\)). The objective is to minimize the value of n such that a sufficient number of right pairs are left for the key guessing phase. Each structure traverses the 8 undetermined (?) bits in \(\varDelta _0\) (Table 11). Thus, each structure generates \(2^{8\times 2-1} (= 2^{15})\) pairs satisfying the differential. Therefore, the total number of pairs generated by the \(2^n\) structures is \(2^{n+15}\). In Table 11, such a pair will meet the second round differential with an average probability of \(2^{-8}\). The probability of obeying the differential after the \(12^{th}\) round for a pair encrypted with the right key is \(2^{-20}\). Therefore, the number of pairs satisfying the differential after the \(12^{th}\) round for a right key guess will be \(2^{n+15}\times 2^{-8}\times 2^{-20} (= 2^{n-13})\). Hence, we choose \(n=17\) so that we get at least \(2^4(=16)\) right pairs under the correct key guess.

3.6.2 Key Recovery

In this phase, we guess the key bits corresponding to the undetermined bits (?) in \(\varDelta _0\) and \(\varDelta _{13}\) and to the nonzero fixed difference. This guess includes \(K_0^5, K_0^{13}, K_0^{21}, K_0^{29}, K_0^{37}, K_0^{45}, K_0^{53}, K_0^{61}, K_1^{12}, K_1^{24}, K_1^{35}, K_1^{54}\) in the \(1^{st}\) round and \(K_1^5, K_1^{12}, K_1^{17}, K_1^{24}, K_1^{35}, K_1^{42}, K_1^{54}, K_1^{63}\) in the \(13^{th}\) round. Since \(K_1^{12}, K_1^{24}, K_1^{35}, K_1^{54}\) are involved in both the \(1^{st}\) and \(13^{th}\) rounds, a total of 16 unique key bits are involved in the key recovery phase. Hence, we construct \(2^{16}\) counters corresponding to the possible values of the 16 key bits.

With n = 17, we repeat the key guessing procedure for each of the \(2^{17+15}(=2^{32})\) pairs. We experimented with \(2^{32}\) pairs and found that there are at least \(2^{4}\) pairs remaining after filtering by the zero difference in \(\varDelta _{13}\). Therefore, the expected counter value for a wrong key guess will be \(2^{4-8-8} (= 2^{-12})\) after filtering by the undetermined bits in \(\varDelta _0\) and \(\varDelta _{13}\). As discussed in Sect. 3.6.1, there are at least 16 right pairs remaining after the \(12^{th}\) round. These right pairs will be used for key guessing, and the key with the highest counter value will be the correct key.

3.6.3 Complexity

There are \(2^n\) structures, and \(2^{8}\) pairs (fixing the undetermined bits in \(\varDelta _0\)) can be generated for each structure. As discussed in Sect. 3.6.2, we need \(2^{32}\) pairs to get \(2^{4}\) right pairs. Therefore, we choose n (= 24) structures, and the data complexity of the 13-round related-key differential attack on PIPO-64/128 becomes \(2^{24+8}(=2^{32})\). We need to store the counters corresponding to 16 bits of the key, so the memory complexity of the attack becomes \(2^{16}\). In the first round, for each of the \(2^{4}\) pairs, we need to guess the 12 bits of the key corresponding to the active S-box. Therefore, the time complexity of the first round becomes \(2^{4+12}(=2^{16})\). Similarly, the time complexity of the \(13^{th}\) round is \(2^{4+4}(=2^{8})\) because four bits of the key are already guessed in the first round. Hence, the time complexity of the whole attack is bounded by the \(2^{32}\) chosen plaintexts.

4 Conclusion

In this paper, we have presented the approaches to construct the linear inequalities corresponding to the DDT of 8-bit S-boxes. These inequalities are used to minimize the number of active S-boxes in PIPO-64/128. The experimental results indicate that there is no significant difference in the time complexity to solve the MILP models with a smaller set of linear inequalities. Therefore, we have used full DDT to construct a simplified MILP model for probability optimization instead of using the existing pb-DDT approach. The linear inequalities corresponding to the full DDT of PIPO-64/128 are constructed using the MILES tool. These linear inequalities are used to model the MILP problem for searching the differential, impossible differential and related-key differential characteristics. We have presented the full-round related-key differential distinguisher and a key recovery attack on full-round PIPO-64/128 with \(2^{32}\) data complexity. We have also presented several collisions in the plaintext and ciphertext using different keys.