Abstract
The design and analysis of dedicated tweakable block ciphers constitute a dynamic and relatively recent research field in symmetric cryptanalysis. The assessment of security in the related-tweakey model is of utmost importance owing to the existence of a public tweak. This paper proposes an automatic search model for identifying related-tweakey impossible differentials based on the propagation of states under specific constraints, which is inspired by the research of Hu et al. in ASIACRYPT 2020. Our model is universally applicable to block ciphers, but its search efficiency may be limited in some cases. To address this issue, we introduce the Locality Constraint Analysis (LCA) technique to impossible differential cryptanalysis and propose a generalized automatic search model. Technically, we transform our models into Satisfiability Modulo Theories (SMT) problems and solve them using the STP solver. We have applied our tools to several tweakable block ciphers, such as Joltik-BC, SKINNY, QARMA, and CRAFT, to evaluate their effectiveness and practicality. Specifically, we have discovered 7-round related-tweakey impossible differentials for Joltik-BC-192, and 12-round related-tweak impossible differentials, as well as 15-round related-tweakey impossible differentials for CRAFT for the first time. Based on the search results, we demonstrate that the LCA technique can be effectively performed when searching and determining the contradictory positions for the distinguisher with long trails or ciphers with large sizes in impossible differential cryptanalysis.
1 Introduction
Tweakable block ciphers are constructions that take an additional input, called the tweak, compared to traditional block ciphers. Such a cipher can be defined as a function \(C=E(P, K, T)\) from \(\mathbb {F}_{2}^{n}\times \mathbb {F}_{2}^{\kappa }\times \mathbb {F}_{2}^{t}\rightarrow \mathbb {F}_{2}^{n}\) when the tweak length is t bits. The concept of tweakable block ciphers was first introduced by Schroeppel in the Hasty Pudding Cipher [32], and was later formalized by Liskov et al. [23, 24]. They aimed to move the randomization of symmetric primitives by bringing the high-level mode operations, like \({\Theta }\)CB3 [18] or Counter-in-Tweak [29], directly to the design of block ciphers. Unlike the secret key, the tweak is entirely public and offers attackers more flexibility. Designers must therefore handle the tweak more carefully than the key without reducing efficiency. Responding to the high demand, Jean et al. [13] introduced the TWEAKEY framework at ASIACRYPT 2014 to bridge the gap between key and tweak inputs by providing a unified framework. It can be viewed as a straightforward generalization of key-alternating ciphers, where the key and tweak are basically treated as a whole called the tweakey. Based on this framework, there are several dedicated tweakable block ciphers, such as Joltik-BC [14], Deoxys-BC [15], and SKINNY [3]. Furthermore, with the development of tweakable block ciphers, their design has also become diversified, such as QARMA [1], CRAFT [4], and some other tweakable block ciphers based on Tweak-aNd-Tweak [9] and Elastic-Tweak [6].
Impossible differential cryptanalysis was independently introduced by Biham et al. [5] and Knudsen [17] to evaluate the security of Skipjack and DEAL. In contrast to differential cryptanalysis, impossible differential cryptanalysis aims to identify a differential characteristic that has zero probability. Due to the limitations of manual derivation, various automatic methods have been developed to search for impossible differentials, including the \(\mathcal {U}\)-method [16], the UID-method [27], and the \(\mathcal{W}\mathcal{W}\)-method [34]. Unfortunately, these methods handle the underlying S-box as ideal and cannot consider its details. However, this problem was soon settled with the Mixed Integer Linear Programming (MILP) application for cryptanalysis. It was first proposed by Mouha et al. [28] to evaluate the lower bound on the number of the differential and linear active S-boxes and then improved by Sun et al. [33] to search for the differential characteristics of bit-oriented block ciphers. Based on this, Cui et al. [7] proposed a MILP-based tool to search the impossible differentials for lightweight block ciphers and an algorithm to verify the impossible differentials. Soon after, Sasaki and Todo [31] presented a MILP-based tool to search the impossible differential for SPN block ciphers by treating the large S-boxes as permutations so that their tool was valid to detect the contradiction in linear components.
However, the above methods are all based on the propagation of differences and cannot evaluate the effect of key schedules in the single-key setting. Hu et al. [12] solved this problem by using the equivalence between the impossible \((s+1)\)-polytopic transitions and impossible differentials. They transformed the differential propagation into the propagation of constrained values. This new approach makes it possible to handle large state S-boxes or value-dependent operations that are difficult to realize in the traditional sense. Additionally, this approach is applicable to all differential cryptanalysis methods, such as searching for differential trails or differential active S-boxes, which facilitates a more accurate analysis of a block cipher's resistance to differential cryptanalysis.
Our Contributions. For the majority of current tweakable block ciphers, adversaries have the ability to manipulate tweak values. Drawing inspiration from Hu et al.’s contributions in [12], we present an automatic search model for related-tweakey impossible differentials. Specifically, we transform the problem of identifying an impossible differential into the Satisfiability Modulo Theories (SMT) problem by explicating the propagation of states and the tweakey update function with specific constraints, which can efficiently evaluate the resistance against impossible differential analysis for most of the block ciphers.
Unfortunately, it leads to a significant loss of efficiency with an increase in the state space and number of search rounds if considering all the details of round functions and tweakey update functions. To address this, we propose a generalized search model by introducing the Locality Constraint Analysis (LCA) technique. The optimized model has two significant advantages: improving the search efficiency for long trails and identifying the contradictory positions of impossible differentials.
In terms of practical implementation, we have employed our automatic search model in the evaluation of several tweakable block ciphers. The outcomes of these evaluations are presented below.
- For Joltik-BC, we have discovered several 6-round and 7-round related-tweakey impossible differentials for Joltik-BC-128 and Joltik-BC-192, respectively. These differentials were previously unknown.
- For SKINNY, we have identified related-tweakey impossible differentials for SKINNY-64-64, SKINNY-64-128, and SKINNY-64-192, with 12-round, 14-round, and 16-round, respectively. Notably, the majority of these differentials had not been previously reported by Sadeghi et al. in [30].
- For QARMA-64, we have derived several 7-round asymmetric related-tweak impossible differential distinguishers spanning from the 6th to the 12th round. Particularly, the majority of these distinguishers were not identified using Zong’s method in [36].
- For CRAFT, we have successfully derived 12-round related-tweak impossible differentials and 15-round related-tweakey impossible differentials, assuming the condition that only one nibble is active in the tweakey differences. It is noteworthy that these differential properties have not been reported before.
Outline. In Sect. 2, we provide a brief overview of the necessary preliminaries utilized in the present paper. Subsequently, in Sect. 3, we introduce an automatic search model for related-tweakey impossible differentials based on the SAT solver. Section 4 is dedicated to the application of our tool in the search for related-tweakey impossible differentials in some tweakable block ciphers, followed by a concise evaluation of our model in Sect. 5. Finally, we conclude this work in Sect. 6. The source code is publicly available at https://github.com/Rainy1024/ImpossibleDifferentialAnalysis.git.
2 Preliminaries
2.1 Notations
The following notations are used in the present paper. Throughout the paper, we use \(\oplus \) to denote the bitwise XOR of two vectors or XOR of two bits.
- \(\mathbb {F}^n_2\): the vector space over the finite field \(\mathbb {F}_2\) with dimension n.
- \(\varDelta _{m}^{n}\): the set \(\{(a, a') \in \mathbb {F}_{2}^{n}\times \mathbb {F}_{2}^{n} | a \oplus a' = m, m \in \mathbb {F}_{2}^{n}\setminus \{0\} \}\).
- BC(n, m, l): the set of iterated block ciphers whose block size is n-bit, master key size is m-bit, and round key size is l-bit.
- \(TBC(n,\kappa ,t)\): the set of tweakable block ciphers whose block size is n-bit, master key size is \(\kappa \)-bit and initial tweak size is t-bit.
- \(TK_{j}^{r}[i]\): the i-th nibble of the j-th subtweakey of the r-th round. The difference is denoted as \(\triangle TK_{j}^{r}[i]\).
- DR: the length of an impossible differential distinguisher.
- ConR: the round index where the contradiction occurs.
- ConPs: the specific location of the contradiction. For instance, \(S_i\) means the contradiction is in the S-box with the index i.
2.2 Related-Tweakey Impossible Differential
Related-key impossible differential cryptanalysis is a variant of impossible differential cryptanalysis where an attacker can control the key schedule. In this attack, the attacker can choose two related keys and use them to generate a specific input difference that produces a target output difference with zero probability. Here, we first recall some definitions of impossible 2-polytopic transitions proposed in [12].
For an iterated block cipher \(E\in BC(n,m,l)\), the tuple \((x, x')\) with \(x,x' \in \mathbb {F}_{2}^{n}\) is called a 2-polygon in \(\mathbb {F}_{2}^{n}\). The 2-polygon \((x_{r_b}, x'_{r_b})\) propagates round by round. If there exists an r-round related-key 2-polygonal trail
such that the equations of \((x_{r_e}, x'_{r_e}) = (E_{k_{r_b+r-1}}^{r}(x_{r_b+r-1}), E_{k'_{r_b+r-1}}^{r}(x'_{r_b+r-1})),\) are always satisfied, then the triplet \(((x_{r_b},x'_{r_b}), (k_{r_b},k'_{r_b}), (x_{r_e},x'_{r_e}))\) is called an r-round dependent-key possible 2-polygons. Otherwise, it is an r-round dependent-key impossible 2-polygons of E. Based on this, we redefine the related-tweakey impossible differential for tweakable block ciphers.
Definition 1 (Related-tweakey Impossible Differential)
For a tweakable block cipher \(E \in TBC(n,\kappa ,t)\), if \(((s_{r_b},s'_{r_b}),(tk,tk'), (s_{r_e},s'_{r_e}))\) is an \((r_{e}-r_{b})\)-round dependent-tweakey impossible 2-polygons, where tk is the initial tweakey and \(\forall (s_{r_b}, s'_{r_b})\in \varDelta _{\alpha }^{n}\), \(\forall (s_{r_e}, s'_{r_e})\in \varDelta _{\beta }^{n}\), \(\forall (tk,tk')\in \varDelta _{\delta }^{\kappa +t}\), the triplet \((\alpha , \beta , \delta )\) is called an \((r_{e}-r_{b})\)-round related-tweakey impossible differential.
According to Definition 1, instead of describing the differential propagation, we pay attention to the propagation of values with certain constraints in the present paper. Specifically, referring to the automatic search model proposed in [12], we give an automatic search model for the \((r_e-r_b)\)-round related-tweakey impossible differentials by considering the propagation of states from the \(r_b\)-th round to the \(r_e\)-th round, which is shown in Algorithm 1.
2.3 Boolean Satisfiability Problem
The Boolean Satisfiability Problem (SAT) asks whether there is an assignment of a set of variables that makes a given boolean expression evaluate to “True”. Any boolean expression can be converted to a normal form, and the conjunctive normal form (CNF) is one of them. A CNF expression is a set of clauses consisting of variables, ORs, and NOTs, all of which are joined together with AND into a full expression. A SAT solver is a solver of large boolean equation systems in CNF. It answers whether there is a set of input values that satisfies the CNF expression and, if so, what those input values are. There are several heuristic SAT solvers, and most, such as CryptoMiniSat [19], support CNF files as the standard input format.
The Satisfiability Modulo Theories (SMT) problem is an extension of the SAT problem, in which CNF formulas are enriched by binary-valued functions over a suitable set of binary and (or) non-binary variables. Many works searching for differential and linear characteristics are based on the SMT problem, where STP is a common solver for SMT problems. STP supports the CVC format and starts from an initial assignment for the literals, then builds a search tree using systematic backtracking until all conflicting clauses are resolved. The solver returns either an assignment of variables for a satisfiable set of clauses or a predicate indicating that the SMT problem is unsatisfiable. When STP is invoked to solve an SMT problem, the solver first translates the SMT instance in CVC format into a SAT instance in CNF and then determines its satisfiability.
3 The Optimized Automatic Search Model
By utilizing Algorithm 1 to investigate related-tweakey impossible differentials, we observe that with an increase in the number of search rounds, the equation system employed to represent the state propagation expands correspondingly. This leads to an exponential escalation in both the runtime and memory requirements caused by the augmented amount of data acquired during the database query process. To overcome these impediments and enhance the efficiency of Algorithm 1, we propose an optimized automatic search model based on the LCA technique in this section.
3.1 Application of LCA in Impossible Differential Cryptanalysis
Locality Constraint Analysis (LCA) is an analytical method that uses the properties of local variables to deduce global features. In the impossible differential analysis, if \(E_{r_1}^{k}(\varDelta _{\alpha }^{n}) = D_{r_2}^{k}(\varDelta _{\beta }^{n})\) is never satisfied under any k for \(E\in BC(n,m,l)\), the differential \((\alpha , \beta )\) is called an impossible differential. However, according to the security criterion for confusion and diffusion in the design of a block cipher, with the exception of some positions in which contradictions may occur, the value of the other positions almost reaches full diffusion after several rounds of iteration, which means that the values in those positions can traverse the entire space. Therefore, we can use the LCA technique to determine an impossible differential by considering some of the positions instead of the full state.
From the perspective of theoretical analysis, let \({x} = (x_0,x_1, \cdots , x_{n-1})\), \(x_i\in \mathbb {F}_2\) be inactive if \(\bigvee _{0\le i\le n-1}x_i=0\). Otherwise, x is active. Then we can obtain Theorem 1 according to Definition 1. The proof is omitted in the paper.
Theorem 1
Let \(E(x,tk)\in TBC(n,\kappa ,t)\) be a tweakable block cipher and \(\mathbb{C}\mathbb{P}\) be a tuple that includes the sets of possible contradictory positions that need to be constrained in the search model. For any \(\alpha ,\beta \in \mathbb {F}_2^n\), \(\delta \in \mathbb {F}_2^{\kappa +t}\setminus \{0\}\), if there exists a set \(\mathbb {P} \subset \mathbb{C}\mathbb{P}\), such that
is active for \(\forall x,y\in \mathbb {F}_2^n\) and \(\forall tk\in \mathbb {F}_2^{\kappa +t}\), where \(C_i(x,y,tk) := E_{r_1}(x,tk)[i] \oplus D_{r_2}(y,tk)[i]\) and \(D_r(E_r(x,tk),tk)=x\). Then \((\alpha , \beta , \delta )\) is an \((r_{1}+r_{2})\)-round related-tweakey impossible differential of E(x, tk).
The Idea of Our Approach. We use the “miss-in-the-middle” method to find impossible differential distinguishers of block ciphers. In contrast, we weaken the conditions of the intermediate constraints. As shown in Fig. 1, we split an \((r_1+r_2)\)-round impossible differential into an \(r_1\)-round encryption and \(r_2\)-round decryption and only pay attention to the values of a few bits in the middle with the LCA technique.
In particular, suppose that \(\mathbb {P}=\{i_{0}, i_{1}, \cdots , i_{m}\}\) is a set in which contradictions may occur. Then, if the equation
is never satisfied for \(\forall (x,x')\in \varDelta _{\alpha }^{n}\), \(\forall (y,y')\in \varDelta _{\beta }^{n}\) and \(\forall (tk,tk')\in \varDelta _{\delta }^{\kappa +t}\), the triplet \((\alpha , \beta , \delta )\) is an \((r_1+r_2)\)-round related-tweakey impossible differential. However, it is worth noting that a differential triplet \((\alpha ,\beta ,\delta )\) satisfying Theorem 1 is a related-tweakey impossible differential, but not vice versa.
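The relaxation described above can be checked by exhaustion on a small cipher. The following is an added example, not code from the paper or its repository: the two-nibble toy cipher, its S-box and all function names are assumptions made for the illustration, and a brute-force loop over all values stands in for the SMT query.

```python
# Added illustration: exhaustive check of Definition 1 and of the LCA-style
# relaxation on a constructed toy cipher (not a cipher from the paper).
from itertools import product

# Fixed 4-bit permutation used as the S-box of the toy cipher (assumption).
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
SINV = [SBOX.index(v) for v in range(16)]
STATES = list(product(range(16), repeat=2))   # all 8-bit states as two nibbles


def enc_round(s, tk):
    """SubCells, AddTweakey on nibble 0 (no tweakey update), linear mix."""
    a, b = SBOX[s[0]] ^ tk, SBOX[s[1]]
    return (a ^ b, a)


def dec_round(s, tk):
    """Inverse of enc_round."""
    a, b = s[1], s[0] ^ s[1]
    return (SINV[a ^ tk], SINV[b])


def run(round_fn, s, tk, rounds):
    """Apply the same round function `rounds` times under tweakey tk."""
    for _ in range(rounds):
        s = round_fn(s, tk)
    return s


def xor(s, d):
    return (s[0] ^ d[0], s[1] ^ d[1])


def is_impossible(alpha, beta, delta, rounds):
    """Definition 1 by exhaustion: True iff no state x and tweakey tk send the
    2-polygon (x, x^alpha) under (tk, tk^delta) to output difference beta."""
    for tk in range(16):
        for x in STATES:
            y = run(enc_round, x, tk, rounds)
            y2 = run(enc_round, xor(x, alpha), tk ^ delta, rounds)
            if xor(y, y2) == beta:
                return False
    return True


def lca_impossible(alpha, beta, delta, r1, r2, positions):
    """Relaxed check: encrypt r1 rounds from the input side, decrypt r2 rounds
    from the output side (x and y independent, tk shared), and compare the two
    middle differences only on the nibbles listed in `positions`.
    True means a contradiction always occurs there, which proves
    impossibility; False proves nothing."""
    for tk in range(16):
        fwd, bwd = set(), set()
        for v in STATES:
            f = xor(run(enc_round, v, tk, r1),
                    run(enc_round, xor(v, alpha), tk ^ delta, r1))
            b = xor(run(dec_round, v, tk, r2),
                    run(dec_round, xor(v, beta), tk ^ delta, r2))
            fwd.add(tuple(f[i] for i in positions))
            bwd.add(tuple(b[i] for i in positions))
        if fwd & bwd:        # some middle differences agree on `positions`
            return False
    return True


def survey(r1, r2, positions):
    """Tweakey differences delta for which (0, 0, delta) is proven impossible
    over r1 + r2 rounds using only the given middle positions."""
    zero = (0, 0)
    return [d for d in range(1, 16)
            if lca_impossible(zero, zero, d, r1, r2, positions)]


if __name__ == "__main__":
    print("nibble 1 constrained:", survey(1, 1, (1,)))
    print("nibble 0 constrained:", survey(1, 1, (0,)))
    print("full check, delta=7 :", is_impossible((0, 0), (0, 0), 7, 2))
```

For this toy cipher, constraining nibble 1 proves all fifteen triplets \((0,0,\delta )\) over two rounds, while constraining only nibble 0 fails for \(\delta = 7\) even though the full check still reports that triplet as impossible. The relaxed condition is therefore sufficient but not necessary, and the result depends on which positions are constrained.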
3.2 The Optimized Automatic Search Model for Related-Tweakey Impossible Differentials
Based on the preceding analysis, we present an optimized automatic search model for related-tweakey impossible differentials, outlined in Algorithm 2.
Specifically, given a tweakable block cipher \(E\in TBC(n,\kappa ,t)\), the determination of whether a triplet \((\alpha , \beta , \delta )\) is an \((r_{e}-r_{b})\)-round related-tweakey impossible differential can be accomplished through three phases: search space determination, statements generation, and STP invocation. Initially, the input parameters are the starting round number \(r_b\), the termination round number \(r_{e}\), and \(r_m\) where the constraints are added. For each triplet \((\alpha , \beta , \delta )\) in the search space \(\varOmega \), whether \((\alpha , \beta , \delta )\) constitutes an \((r_{e}-r_{b})\)-round related-tweakey impossible differential is transformed into the corresponding SMT problem using the CVC language and solved by invocation of the STP solver. Finally, Algorithm 2 outputs the length of distinguishers and the corresponding input and output differentials. Further details of Algorithm 2 are presented below.
Specification of the Search Space Determination Phase. The efficacy of our automated search approach hinges predominantly on two factors, as demonstrated in Lines 6 and 7 of Algorithm 2: the duration needed to complete a search and the magnitude of the search space. As the search time is restricted by the size of the cipher and the hardware used, enhancing search efficiency can be challenging under limited resources. Consequently, selecting the search space judiciously so that a minimal number of elements reflect a greater number of differential properties will be pivotal in increasing search efficiency.
The Choice of \(\boldsymbol{\varOmega }\). The utilization of linear tweak schedules and XOR operations for the purpose of mixing subtweakeys with internal states, as observed in numerous state-of-the-art tweakable block ciphers, can inadvertently benefit potential attackers. Specifically, under the related-tweakey setting, an attacker can manipulate certain state values by XORing the same difference of subtweakeys at corresponding positions, thereby nullifying the difference of internal states. This, in turn, enables the attacker to pass one round function without incurring any additional cost, as depicted in Fig. 2.
Furthermore, Sasaki and Todo [31] have observed that all existing ciphers have the longest impossible differentials with only one active word in both input and output. In light of this, it is common practice to set the input and output difference to zero and only introduce differences to the tweakeys, that is, \(\varOmega = \{(\alpha , \beta , \delta )|\alpha =0, \beta = 0, \delta \in \mathbb {F}_2^{\kappa +t}\setminus \{0\}\}\). The specific choice of \(\delta \) depends on the cipher’s structure, with one bit being active for bit-oriented encryption and one cell being active for cell-oriented encryption.
The Choice of \(\boldsymbol{r_{m}}\) and \(\boldsymbol{\mathbb{C}\mathbb{P}}\). The parameters \(r_{m}\) and \(\mathbb{C}\mathbb{P}\) jointly determine the locations of the contradictions. Based on empirical observations and experimental tests, we observe that for a distinguisher of odd length, the contradictions typically manifest in the middle round; whereas for even length, they appear in the middle two rounds. As such, we derive the expression \(r_{m} = \lceil \frac{r_{b}+r_{e}}{2}\rceil \) if \((r_{e}-r_{b})\) is odd, and \(r_{m} \in \{\frac{r_{b}+r_{e}}{2}, \frac{r_{b}+r_{e}}{2}+1\}\) if \((r_{e}-r_{b})\) is even. The selection of the constrained position tuple \(\mathbb{C}\mathbb{P}\) is also informed by empirical evidence and experimental results.
Especially, for ARX-based block ciphers, we apply a constraint tuple \(\mathbb{C}\mathbb{P} = \{[i]|0\le i \le (n-1)\}\), where we constrain one bit of the intermediate state in each search. To verify the effectiveness of this approach, we utilized Algorithm 2 on SIMON and SPECK [2], and the results are presented in Table 1, where only one branch is constrained to define \(\mathbb{C}\mathbb{P}\) for ciphers based on the Feistel structure. For SPN-based block ciphers, we consider an S-box as a constraint unit in our modified model, i.e., \(\mathbb{C}\mathbb{P} = \{S_i|0 \le i \le (m-1)\}\), where \(S_i = \{i|0 \le i \le (m-1)\}\) for an m-bit S-box. Using this constraint, we applied Algorithm 2 to SKINNY, QARMA, and CRAFT. Notably, we define \(\mathbb{C}\mathbb{P} = \{\{S_{4i},S_{4i+1},S_{4i+2},S_{4i+3}\}|0 \le i \le 3\}\) when applying Algorithm 2 to Joltik-BC, since the matrix used in its MixNibbles operation is an MDS matrix.
Specification of Statements Generation Phase. The statements generation phase is described in lines 8-16 of Algorithm 2. A detailed account of each step is then presented in the following.
- Line \(\boldsymbol{8}\). Declare the variables to describe the propagation of round functions and tweakey schedules, including the variables that represent the input and output 2-polygons, tweakey 2-polygons, and some other intermediate variables.
- Line \(\boldsymbol{9}\)-\(\boldsymbol{11}\). According to the propagation rules for Copy, Xor, Modular Addition, Binary Matrix Multiplication and S-box given in [12], construct the propagation from the input 2-polygons \((s_{r_{b}}, s_{r_{b}}')\) to the output 2-polygons \((s_{r_{m}}, s_{r_{m}}')\) with the aid of the tweakey 2-polygons and intermediate variables in CVC format. In particular, the tweakey 2-polygons are constrained according to the tweakey schedule.
- Line \(\boldsymbol{12}\). Generate the statements in CVC format such that the input and output 2-polygons satisfy \(s_{r_{b}}\oplus s_{r_{b}}'=\alpha \) and \(s_{r_{e}}\oplus s_{r_{e}}'=\beta \), while the tweakey 2-polygons satisfy \(tk_{r_{b}}\oplus tk_{r_{b}}'=\delta \).
- Line \(\boldsymbol{13}\)–\(\boldsymbol{14}\). Generate the statements in CVC format such that the output 2-polygon of the first \((r_{m}-r_{b})\) rounds and the input 2-polygon of the last \((r_{e}-r_{m})\) rounds satisfy \(s_{r_{m}}[i] \oplus s'_{r_{m}}[i] \oplus \hat{s}_{r_{m}}[i] \oplus \hat{s}'_{r_{m}}[i] = 0\) for \(\forall i\in \mathbb {P}\).
- Line \(\boldsymbol{15}\). Add the statements “QUERY(FALSE);” and “COUNTEREXAMPLE” to the statements system, which is a common predicate in STP to determine whether an SMT problem has a solution.
Specification of the STP Invocation Phase. We invoke STP to tackle the file, which comprises a system of statements. If the outcome of STP is “Valid,” this implies that no solution exists for the SMT problem. As such, the corresponding triplets \((\alpha , \beta , \delta )\) represent an \((r_{e}-r_{b})\)-round related-tweakey impossible differential, where \(r_{m}\) and \(\mathbb {P}\) ascertain the contradictory positions. Alternatively, if STP returns “Invalid” along with a collection of solutions, the triplets \((\alpha , \beta , \delta )\) do not denote an \((r_{e}-r_{b})\)-round related-tweakey impossible differential, and these solutions constitute the corresponding differential characteristic from round \(r_{b}\) to round \(r_{e}\) for E.
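The statements generation and STP invocation phases above, written out as an added example (it is not the authors' released tool): a Python generator that emits the CVC statements of Lines 8 to 15 for a constructed two-nibble toy cipher and interprets STP's verdict. The toy cipher, its S-box, the variable naming scheme and the helper names are assumptions made for the illustration.

```python
# Added illustration: emit STP statements in CVC format for a constructed
# two-nibble toy cipher, following Lines 8-15 of the statements generation
# phase. Toy round: SubCells, XOR of the tweakey into nibble 0, then the
# linear mix (a, b) -> (a ^ b, a). No tweakey update between rounds.

# Fixed 4-bit permutation used as the toy S-box (assumption).
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]


def bv(value):
    """4-bit constant in CVC notation."""
    return "0bin" + format(value, "04b")


def declare(r1, r2):
    """Line 8: S-box table, tweakey 2-polygon (tk_a, tk_b) and the state
    2-polygons of the forward half 'f' and the backward half 'g'."""
    out = ["S : ARRAY BITVECTOR(4) OF BITVECTOR(4);"]
    out += [f"ASSERT( S[{bv(i)}] = {bv(v)} );" for i, v in enumerate(SBOX)]
    out.append("tk_a, tk_b : BITVECTOR(4);")
    for half, rounds in (("f", r1), ("g", r2)):
        names = [f"{half}_{c}_{r}_{j}"
                 for c in "ab" for r in range(rounds + 1) for j in (0, 1)]
        out.append(", ".join(names) + " : BITVECTOR(4);")
    return out


def propagate(half, rounds):
    """Lines 9-11: value propagation for both members of the 2-polygon."""
    out = []
    for c in "ab":
        for r in range(rounds):
            cur, nxt = f"{half}_{c}_{r}", f"{half}_{c}_{r + 1}"
            out.append(f"ASSERT( {nxt}_1 = BVXOR(S[{cur}_0], tk_{c}) );")
            out.append(f"ASSERT( {nxt}_0 = BVXOR({nxt}_1, S[{cur}_1]) );")
    return out


def differences(alpha, beta, delta, r2):
    """Line 12: fix input, output and tweakey differences."""
    out = [f"ASSERT( BVXOR(tk_a, tk_b) = {bv(delta)} );"]
    for j in (0, 1):
        out.append(f"ASSERT( BVXOR(f_a_0_{j}, f_b_0_{j}) = {bv(alpha[j])} );")
        out.append(
            f"ASSERT( BVXOR(g_a_{r2}_{j}, g_b_{r2}_{j}) = {bv(beta[j])} );")
    return out


def middle(r1, positions):
    """Lines 13-14: both halves must agree in difference on each i in P."""
    return [f"ASSERT( BVXOR(BVXOR(f_a_{r1}_{i}, f_b_{r1}_{i}), "
            f"BVXOR(g_a_0_{i}, g_b_0_{i})) = {bv(0)} );" for i in positions]


def build_query(alpha, beta, delta, r1, r2, positions):
    """Assemble the complete CVC file as one string."""
    lines = declare(r1, r2) + propagate("f", r1) + propagate("g", r2)
    lines += differences(alpha, beta, delta, r2) + middle(r1, positions)
    lines += ["QUERY(FALSE);", "COUNTEREXAMPLE;"]       # Line 15
    return "\n".join(lines) + "\n"


def is_impossible_verdict(stp_output):
    """Map STP's answer to the meaning given in the text: 'Valid' means the
    statements have no solution (impossible differential), 'Invalid' means
    a solution, i.e. a differential characteristic, was found."""
    words = {line.strip().rstrip(".") for line in stp_output.splitlines()}
    if "Invalid" in words:
        return False
    if "Valid" in words:
        return True
    raise ValueError("no verdict found in solver output")


if __name__ == "__main__":
    # Two rounds, zero input/output difference, tweakey difference 7,
    # contradiction searched on nibble 1 of the middle state.
    print(build_query((0, 0), (0, 0), 7, 1, 1, (1,)))
```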
4 Applications from Cryptanalysis Aspect
In this section, we apply our automatic search model to Joltik-BC, SKINNY, QARMA, and CRAFT from the cryptanalysis aspect. In particular, when searching for related-tweakey impossible differentials, only the tweakey is modified while keeping the input and output differences at zero, that is, \(\varOmega =\{(0, 0, \delta )|\delta \in \mathbb {F}_{2}^{\kappa +t}\setminus \{0\}\}\), where \(\kappa \) and t are constants. Consequently, by exploiting the relationship between the tweakey and the state of a cipher, an impossible differential can be derived for the \((r+2)\)-round if an r-round related-tweakey impossible differential is found within the search space \(\varOmega \). Furthermore, \(\varDelta _{in}\) and \(\varDelta _{out}\) denote the input and output difference of the operation AddRoundTweakey, respectively.
4.1 Application to Joltik-BC
Joltik-BC is an iterative substitution-permutation network that transforms the initial plaintext through a series of round functions (that depend on the key and the tweak) to a ciphertext. The cipher exists in two variations, namely Joltik-BC-128, with a total key and tweak size of 128 bits, and Joltik-BC-192, with a combined key and tweak size of 192 bits. Additional information regarding Joltik-BC can be found in [14]. Notably, the construction of Joltik-BC is based on the Superposition TWEAKEY design [13], with the tweakey schedule satisfying Proposition 1. This property allows for greater differential properties when assessing differential propagation.
Proposition 1
(Cancellation of the Tweak Differences [14]) Cancellation of differences (in general since the key schedule is linear) in the chosen nibble of TK-p cannot occur more than \((p-1)\) times. For TK-2, this means that the cumulative difference from the subtweakeys can be canceled only once by XOR of the subtweakeys. For TK-3, this can happen twice.
Previous Cryptanalysis. To the best of our knowledge, the most extensive distinguisher discovered for Joltik-BC-128 is a 6-round related-tweak impossible differential proposed in [36]. This particular impossible differential exhibits two active nibbles for both input and output differences. For Joltik-BC-192, no public impossible differential has been identified, apart from a 7-round meet-in-the-middle distinguisher constructed in [20].
List of \(\boldsymbol{6}\)-Round Related-Tweakey Impossible Differentials for Joltik-BC-128. By introducing the difference to \(TK_{1}^{r}\) and \(TK_{2}^{r}\) in a single nibble, we applied Algorithm 1 to Joltik-BC-128 and discovered a 6-round related-tweakey impossible differential with a time of 4.43 s. To confirm the absence of a 7-round impossible differential in the search space, we conducted a verification process by traversing the entire search space, which took approximately 23.4 h. Based on Proposition 1, the search results can be classified into three cases. The corresponding values are presented in Table 2.
List of \(\boldsymbol{7}\)-Round Related-Tweakey Impossible Differentials for Joltik-BC-192. By introducing differences to the same nibble of \(TK_{1}^{r}\), \(TK_{2}^{r}\), and \(TK_{3}^{r}\), respectively, a 7-round related-tweakey impossible differential is obtained with a time of 2403.67 s. It required approximately 25 days to verify the non-existence of an 8-round impossible differential in the search space. As Proposition 1 suggests, the tweakey differences can be canceled twice. The search results can be categorized into the following five cases, as shown in Table 3.
4.2 Application to SKINNY
SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint, which was proposed at CRYPTO 2016 by Beierle et al. [3]. SKINNY has 6 main variants. Particularly, SKINNY-n-t is a block cipher that operates on n-bit blocks with t-bit tweakey, where \(n=64\) or 128 and \(t = n,2n\) or 3n. More details can be found in [3]. This section applies our model in Algorithm 2 to search for related-tweakey impossible differentials of SKINNY.
Previous Cryptanalysis. To the best of our knowledge, the longest related-tweakey impossible differentials obtained assuming a single active nibble are 12-, 14-, and 16-round for SKINNY-64-64, SKINNY-64-128, and SKINNY-64-192, respectively, as reported in [25]. Although Sadeghi et al. [30] claimed that they found 13- and 15-round related-tweakey impossible differential for SKINNY-64-64 and SKINNY-64-128, the length of distinguishers in the mode of \((0,0,\delta )\) was the same as our results. In their results, the extra round was not eligible in our opinion because the input difference of the extra round is not certain.
The \(\boldsymbol{12}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-64. By introducing the difference to one nibble of \(TK^{r}_{1}\), we apply Algorithm 2 to find a 10-round related-tweakey impossible differential (including 10 SubCells operations) with 817.69 s. It took about 1.01 h to prove that there is no 11-round impossible differential in the search space. According to the relationship between the tweakey schedule and the round function, we can further extend the 10-round related-tweakey impossible differentials to the 12-round related-tweakey impossible differentials in the mode of \((\alpha ,\beta ,\delta )\), which is shown in Table 4.
The \(\boldsymbol{14}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-128. By introducing differences to the same nibble of \(TK_{1}^{r}\) and \(TK_{2}^{r}\), we have discovered a 12-round related-tweakey impossible differential with a duration of 5.96 h using Algorithm 2. It took approximately 26.89 h to establish the absence of a 13-round impossible differential in the search space. Based on the relationship between the tweakey schedule and the round function, we have extended the 12-round related-tweakey impossible differentials in the \((0,0,\delta )\) mode to 14-round related-tweakey impossible differentials in the \((\alpha ,\beta ,\delta )\) mode. Here, \(\varDelta _{in} = \triangle TK_{1}^{r}\oplus \triangle TK_{2}^{r}\), \(\triangle TK_{1}^{r}\oplus L_{2}(\triangle TK_{2}^{r}) = 0\), and \(\varDelta _{out} = \triangle TK_{1}^{r+14}\oplus \triangle TK_{2}^{r+14}\). The values are presented in Table 5.
The \(\boldsymbol{16}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-192. By introducing the differences to the same nibble of \(TK_{1}^{r}\), \(TK_{2}^{r}\), and \(TK_{3}^{r}\), respectively, we applied our tool to discover the 14-round related-tweakey impossible differential with 6.9 days in the search space. Moreover, we extended the 14-round related-tweakey impossible differentials in the mode of \((0,0,\delta )\) to the 16-round related-tweakey impossible differentials in the mode of \((\alpha ,\beta ,\delta )\), where \(\varDelta _{in} = \triangle TK_{1}^{r}\oplus \triangle TK_{2}^{r}\oplus \triangle TK_{3}^{r}\) and \(\varDelta _{out} = \triangle TK_{1}^{r+16}\oplus \triangle TK_{2}^{r+16}\oplus \triangle TK_{2}^{r+16}\). Due to the cancellation among the differences between the tweakeys, the search results can be divided into two cases, where \(L_{i}^{j}\) means the LFSR used in \(TK_{i}\) after j rounds.
- Case 1. The values of \((\triangle TK_{1}^{r}, \triangle TK_{2}^{r}, \triangle TK_{3}^{r})\) are subject to the constraint that \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{1}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{1}(\triangle TK_{3}^{r}[i]) = 0\) and \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{2}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{2}(\triangle TK_{3}^{r}[i]) = 0\) for \(i\in \{0,\cdots ,7\}\).
- Case 2. The tuple of values \((\triangle TK_{1}^{r}, \triangle TK_{2}^{r}, \triangle TK_{3}^{r})\) is constrained so that \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{1}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{1}(\triangle TK_{3}^{r}[i]) = 0\) and \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{7}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{7}(\triangle TK_{3}^{r}[i]) = 0\) for \(i\in \{0,\cdots ,7\}\).
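The two cases can be enumerated directly for a single tweakey cell. The following Python sketch is an added example, not code from the paper: it uses the 4-bit LFSRs of the SKINNY specification (not printed on this page) and assumes that \(L_{i}^{j}\) means j applications of the \(TK_{i}\) LFSR to the cell.

```python
# SKINNY-64 tweakey LFSRs acting on one 4-bit cell (from the SKINNY specification).
def lfsr_tk2(x):
    """(x3,x2,x1,x0) -> (x2,x1,x0,x3^x2)."""
    return ((x << 1) & 0xF) | (((x >> 3) ^ (x >> 2)) & 1)


def lfsr_tk3(x):
    """(x3,x2,x1,x0) -> (x0^x3,x3,x2,x1); this is the inverse of lfsr_tk2."""
    return (x >> 1) | (((x ^ (x >> 3)) & 1) << 3)


def iterate(f, x, j):
    """Apply the cell update f to x exactly j times."""
    for _ in range(j):
        x = f(x)
    return x


def injected(d1, d2, d3, j):
    """Cell difference dTK1 ^ L2^j(dTK2) ^ L3^j(dTK3).

    Assumption: j counts LFSR applications to this cell. TK1 has no LFSR.
    """
    return d1 ^ iterate(lfsr_tk2, d2, j) ^ iterate(lfsr_tk3, d3, j)


def cancelling_triples(j_a, j_b):
    """Non-zero (dTK1, dTK2, dTK3) that cancel at both update counts."""
    return [(d1, d2, d3)
            for d1 in range(16) for d2 in range(16) for d3 in range(16)
            if (d1, d2, d3) != (0, 0, 0)
            and injected(d1, d2, d3, j_a) == 0
            and injected(d1, d2, d3, j_b) == 0]


def active_updates(triple, horizon=15):
    """Update counts 1..horizon at which the cell difference does not cancel."""
    return [j for j in range(1, horizon + 1) if injected(*triple, j) != 0]


CASE1 = cancelling_triples(1, 2)   # constraints of Case 1
CASE2 = cancelling_triples(1, 7)   # constraints of Case 2

if __name__ == "__main__":
    for name, triples in (("Case 1", CASE1), ("Case 2", CASE2)):
        print(name, "-", len(triples), "non-zero triples per cell")
        for t in triples:
            print("  dTK1=%x dTK2=%x dTK3=%x" % t,
                  "active at", active_updates(t))
```

Each case yields 15 non-zero triples per cell, and within one LFSR period of 15 updates each triple cancels only at the two update counts named in its case.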
4.3 Application to QARMA
The QARMA block cipher, designed by Avanzi at ToSC’17, is a lightweight tweakable block cipher with three-round Even-Mansour construction. There are two variants of QARMA that support block sizes of \(n = 64\) and \(n = 128\) bits, denoted by QARMA-64 and QARMA-128, respectively. The tweak is also n bits long and the key is always 2n bits long. In the present paper, we pay attention to QARMA-64.
Previous Cryptanalysis. Since the proposal of the tweakable block cipher QARMA, various attacks have been employed to assess its security, such as meet-in-the-middle attacks [22], impossible differential attacks [26, 35, 36] and statistical saturation attacks [21]. However, the longest related-tweak impossible differential of QARMA is 7-round proposed by Zong et al. [36] by considering the differential relationship between the tweak and a single-tweak impossible differential.
List of \(\boldsymbol{7}\)-Round Related-Tweakey Impossible Differentials for QARMA-64. By modifying a single nibble in the initial tweak, we apply Algorithm 2 to derive several related-tweakey impossible differentials for QARMA-64, ranging from the 7-th to the 11-th round, some of which were not previously discovered. By taking into account the impact of the tweak update function, we further obtain some 7-round related-tweak impossible differentials for QARMA-64 covering the 6-th to the 12-th rounds, as tabulated in Table 6.
4.4 Application to CRAFT
CRAFT is a lightweight tweakable block cipher introduced by Beierle et al. [4] at FSE 2019, which follows the SPN design with 32 rounds. The main goal of CRAFT was to efficiently protect its implementations against Differential Fault Analysis (DFA) attacks. It consists of a 64-bit block, a 128-bit key K and a 64-bit tweak T, where the 128-bit key is split into two 64-bit keys \(K_0\) and \(K_1\). Using the permutation Q on the tweak, four 64-bit tweakeys \(TK_0\), \(TK_1\), \(TK_2\) and \(TK_3\) are derived from the tweak T and keys \(K_0\), \(K_1\). Then in each round, without any key update, the tweakey \(TK_{i \bmod 4}\) is XORed to the cipher state. More details can be found in [4].
Previous Cryptanalysis. In the specification file, Hadipour et al. [4] conducted an extensive analysis of the security of CRAFT. Specifically, they identified the 13-round impossible differential under the single-key setting as the longest one in the analysis until now. Subsequently, many studies have been conducted to evaluate the security of round-reduced CRAFT under both the single-key mode and related-key mode. However, the majority of research has been centered on differential attacks, as documented in [8, 10, 11]. Furthermore, Hadipour et al. [11] have reported a 14-round zero-correlation linear distinguisher under the related-tweak setting in previous research, in addition to some probability-type attacks.
List of \(\boldsymbol{12}\)-Round Related-Tweak Impossible Differentials for CRAFT. When searching the related-tweak impossible differentials for CRAFT, we activate a single nibble of the initial tweak while other differences remain inactive. Specifically, the active set is denoted as \(\varOmega =\{(0,0,\delta )|\delta \in \mathbb {F}_{2}^{\kappa }\setminus \{0\}\}\) and \(\triangle K_{0} = \triangle K_{1} =0\). By utilizing Algorithm 2, we discovered several 10-round related-tweak impossible differentials for the first time in a total time of 891.34 s, which can also be extended to 12 rounds, as shown in Table 7. Additionally, we have proven that there are no 13-round related-tweak impossible differentials in the search space, which required a total time of 4698.06 s.
List of \(\boldsymbol{15}\)-Round Related-Tweakey Impossible Differentials for CRAFT. By setting the input and output differences to zero and modifying only one single nibble of \(K_0\), \(K_1\), and T, i.e., \(\varOmega =\{(0,0,\delta )|\delta \in \mathbb {F}_{2}^{64}\setminus \{0\}\}\) and \(\triangle K_{0} = \triangle K_{1} =\triangle T = \delta \), we apply Algorithm 2 to CRAFT and identify the 13-round related-tweakey impossible differentials for the first time within 3263.46 s, which can also be extended to the 15-round with \(\delta = (0000\; 0000\; 000a\; 0000)\), \(\varDelta _{in} = \varDelta _{out} = (0000\; 0000 \; a00a\; 0000)\). Additionally, we have proven that there are no 16-round related-tweakey impossible differentials within the search space with a total search time of 7040.3 s.
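The tweakey differences for the setting \(\triangle K_{0} = \triangle K_{1} =\triangle T = \delta \) follow from the CRAFT tweakey schedule. The following Python sketch is an added example, not code from the paper; the permutation Q and the definitions \(TK_0 = K_0\oplus T\), \(TK_1 = K_1\oplus T\), \(TK_2 = K_0\oplus Q(T)\), \(TK_3 = K_1\oplus Q(T)\) are taken from the CRAFT specification [4] rather than from this page, nibble 0 is assumed to be the leftmost hex digit, and `first_round` is a hypothetical parameter.

```python
# CRAFT tweak permutation Q, from the CRAFT specification: Q(T)[i] = T[Q[i]].
Q = [12, 10, 15, 5, 14, 8, 9, 2, 11, 3, 7, 4, 6, 0, 1, 13]
ZERO = [0] * 16


def nibbles(hex_str):
    """'0000 0000 000a 0000' -> list of 16 nibbles (assumed: index 0 leftmost)."""
    digits = hex_str.replace(" ", "")
    if len(digits) != 16:
        raise ValueError("expected 16 hex nibbles")
    return [int(c, 16) for c in digits]


def fmt(state):
    """Inverse of nibbles(): 16 nibbles -> four space-separated hex groups."""
    s = "".join("%x" % n for n in state)
    return " ".join(s[i:i + 4] for i in range(0, 16, 4))


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def q_perm(t):
    return [t[Q[i]] for i in range(16)]


def tweakey_differences(dk0, dk1, dt):
    """Differences of TK0..TK3. The schedule is linear, so it maps
    (dK0, dK1, dT) to tweakey differences independently of the key values."""
    dqt = q_perm(dt)
    return [xor(dk0, dt), xor(dk1, dt), xor(dk0, dqt), xor(dk1, dqt)]


def silent_rounds(dk0, dk1, dt, rounds, first_round=0):
    """Rounds whose tweakey TK_{i mod 4} carries no difference at all."""
    tk = tweakey_differences(dk0, dk1, dt)
    return [r for r in range(first_round, first_round + rounds)
            if tk[r % 4] == ZERO]


if __name__ == "__main__":
    delta = nibbles("0000 0000 000a 0000")   # delta as given in the text
    settings = (("related-tweak", ZERO, ZERO, delta),
                ("related-tweakey", delta, delta, delta))
    for name, dk0, dk1, dt in settings:
        print(name)
        for i, d in enumerate(tweakey_differences(dk0, dk1, dt)):
            print("  dTK%d = %s" % (i, fmt(d)))
        print("  rounds without tweakey difference (of 15):",
              silent_rounds(dk0, dk1, dt, 15))
```

With \(\delta = (0000\; 0000\; 000a\; 0000)\) the differences of \(TK_0\) and \(TK_1\) vanish, and those of \(TK_2\) and \(TK_3\) equal \((0000\; 0000\; a00a\; 0000)\), the value stated above for \(\varDelta _{in} = \varDelta _{out}\).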
5 Evaluation of the Automatic Search Models
The LCA technique is an analysis method that explicates the complete attributes by way of partial features. Consequently, when juxtaposed with conventional search methods, utilizing the LCA technique can alleviate the interdependence among variables. Subsequently, we will present an assessment of Algorithm 2 compared with Algorithm 1 based on the search results.
Improving the Search Efficiency for Long Trails. The utilization of the LCA technique may enhance search efficiency and significantly reduce time costs, especially when exploring distinguishers with long trails. An illustrative example is provided in Table 8, which presents the computational time required for Algorithm 1 and Algorithm 2 to ascertain the existence of a related-tweakey impossible differential for CRAFT. The experimental evaluation was performed on the following platform: Intel(R) Core i7-9700 CPU@3.00 GHz \(\times \) 8, 8 GB RAM, 64-bit Ubuntu VMware. As evidenced by Table 8, when the number of rounds is limited, Algorithm 2 must sequentially traverse the constraint set and intermediate rounds, resulting in a total time cost comparable to Algorithm 1. However, as the number of rounds increases, the time complexity of Algorithm 1 escalates nearly exponentially, whereas Algorithm 2 maintains a relatively constant and gradual growth trend.
Additionally, Algorithm 2 exhibits considerably superior performance to Algorithm 1 when applied to the cipher SKINNY, as indicated in Table 9. However, it should be noted that Algorithm 2 does not consistently outperform Algorithm 1. Specifically, in scenarios where the length of the distinguisher is relatively short for QARMA and Joltik-BC, Algorithm 2 provides a lesser advantage over Algorithm 1 when searching for distinguishers. For instance, in the case of QARMA, Algorithm 1 required 1631.37 s to establish the absence of 8-round related-tweak impossible differentials, whereas Algorithm 2 necessitated 1624.66 s. In this particular case, the search efficiency was comparable. However, the discrepancy in efficiency becomes evident for Joltik-BC-128, where Algorithm 1 required 84447.57 s to prove the nonexistence of 7-round related-tweakey impossible differentials, whereas Algorithm 2 demanded 476278.89 s.
Determining the Contradictory Positions. In cryptanalysis, the “miss-in-the-middle” method has traditionally been employed to manually deduce the contradictory positions of an impossible differential. However, the process becomes challenging if the distinguisher is too long or the cipher has strong diffusion. Therefore, there is a need for automatic tools to assist in determining the locations of contradictions. To this end, similar to the technique used for verifying impossible differential distinguishers in [7] and [12], the LCA technique can also be used to derive the contradictory positions. Specifically, if there exists an impossible differential under the constraint set \(\mathbb {P}\), then the contradiction occurs in the positions of \(\mathbb {P}\). Here, we provide an example for SIMON128, which is obtained by Algorithm 2.
Example 1
The differential \((0x0000000000000000, 0x8000000000000000)\nrightarrow (0x4000000000000000, 0x0000000000000000)\) is a 19-round impossible differential for SIMON128, where the contradiction occurs in the second bit of the 11-th round.
6 Conclusion
This paper evaluates the security of tweakable block ciphers against the related-tweakey impossible differential analysis. The main approach involves constructing a differential propagation system using the SAT method, which describes the propagation of corresponding states under specific constraints and determines whether the transition is invalid. To achieve this goal, an automatic search model is proposed for related-tweakey impossible differentials based on the SMT problem. Subsequently, this method has been employed to identify the related-tweakey impossible differentials for QARMA-64 and Joltik-BC, respectively.
Furthermore, the paper introduces a novel analytical strategy known as Locality Constraint Analysis (LCA), which aims to improve the efficiency of searching the distinguisher with long trails or ciphers with large sizes. A generalized automatic search model is constructed based on LCA, and the proposed method is applied to various ciphers such as SIMON, SPECK, QARMA, CRAFT, Joltik-BC, and SKINNY. Based on the search results, it is demonstrated that introducing the LCA technique to impossible differential cryptanalysis significantly improves the search efficiency and provides much more convenience for deriving the locations of the contradictory positions.
Notes
- 1.
- 2. For the proof of Theorem 1, refer to the full version of this paper at https://eprint.iacr.org.
- 3. The size of the search space is about \((16*15)^3 \approx 2^{23.7}\).
References
Avanzi, R.: The QARMA block cipher family. Almost MDS matrices over rings with zero divisors, nearly symmetric even-mansour constructions with non-involutory central rounds, and search heuristics for low-latency s-boxes. IACR Trans. Symmetric Cryptol. 4–44 (2017). https://doi.org/10.13154/tosc.v2017.i1.4-44
Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd Annual Design Automation Conference, pp. 1–6 (2015). https://doi.org/10.1145/2744769.2747946
Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Yu., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Beierle, C., Leander, G., Moradi, A., Rasoolzadeh, S.: CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks. IACR Trans. Symmetric Cryptol. 2019(1), 5–45 (2019). https://doi.org/10.13154/tosc.v2019.i1.5-45
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2
Chakraborti, A., Datta, N., Jha, A., Mancillas-López, C., Nandi, M., Sasaki, Yu.: Elastic-Tweak: a framework for short tweak tweakable block cipher. In: Adhikari, A., Küsters, R., Preneel, B. (eds.) INDOCRYPT 2021. LNCS, vol. 13143, pp. 114–137. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92518-5_6
Cui, T., Chen, S., Jia, K., Fu, K., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. Sci. China Inf. Sci. 64(2) (2021). https://doi.org/10.1007/s11432-018-1506-4
ElSheikh, M., Youssef, A.M.: Related-key differential cryptanalysis of full round CRAFT. In: Bhasin, S., Mendelson, A., Nandi, M. (eds.) SPACE 2019. LNCS, vol. 11947, pp. 50–66. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35869-3_6
Guo, C., Guo, J., List, E., Song, L.: Towards closing the security gap of tweak-aNd-tweak (TNT). In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 567–597. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_19
Guo, H., et al.: Differential attacks on craft exploiting the involutory s-boxes and tweak additions. IACR Trans. Symmetric Cryptol. 2020(3), 119–151 (2020). https://doi.org/10.13154/tosc.v2020.i3.119-151
Hadipour, H., Sadeghi, S., Niknam, M.M., Song, L., Bagheri, N.: Comprehensive security analysis of CRAFT. IACR Trans. Symmetric Cryptol. 290–317 (2019). https://doi.org/10.13154/tosc.v2019.i4.290-317
Hu, X., Li, Y., Jiao, L., Tian, S., Wang, M.: Mind the propagation of states. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part I. LNCS, vol. 12491, pp. 415–445. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_14
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Jean, J., Nikolic, I., Peyrin, T.: Joltik v1.3. Submission to the CAESAR competition (2015). https://competitions.cr.yp.to/round2/joltikv13.pdf
Jean, J., Nikolić, I., Peyrin, T., Seurin, Y.: The Deoxys AEAD family. J. Cryptol. 34(3), 31 (2021). https://doi.org/10.1007/s00145-021-09397-w
Kim, J., Hong, S., Lim, J.: Impossible differential cryptanalysis using matrix method. Discret. Math. 310(5), 988–1002 (2010). https://doi.org/10.1016/j.disc.2009.10.019
Knudsen, L.: Deal - a 128-bit block cipher. NIST AES Proposal (1998)
Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21702-9_18
Leventi-Peetz, A.M., Zendel, O., Lennartz, W., Weber, K.: CryptoMiniSat switches-optimization for solving cryptographic instances. arXiv preprint arXiv:2112.11484 (2021)
Li, M., Chen, S.: Improved meet-in-the-middle attacks on reduced-round Joltik-BC. IET Inf. Secur. 15(3), 247–255 (2021)
Li, M., Hu, K., Wang, M.: Related-tweak statistical saturation cryptanalysis and its application on QARMA. IACR Trans. Symmetric Cryptol. 2019(1), 236–263 (2019). https://doi.org/10.13154/tosc.v2019.i1.236-263
Li, R., Jin, C.: Meet-in-the-middle attacks on reduced-round QARMA-64/128. Comput. J. 61(8), 1158–1165 (2018)
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24, 588–613 (2011). https://doi.org/10.1007/s00145-010-9073-y
Liu, G., Ghosh, M., Song, L.: Security analysis of skinny under related-tweakey settings. Cryptology ePrint Archive (2016)
Liu, Y., Zang, T., Gu, D., Zhao, F., Li, W., Liu, Z.: Improved cryptanalysis of reduced-version QARMA-64/128. IEEE Access 8, 8361–8370 (2020). https://doi.org/10.1109/ACCESS.2020.2964259
Luo, Y., Lai, X., Wu, Z., Gong, G.: A unified method for finding impossible differentials of block cipher structures. Inf. Sci. 263, 211–220 (2014). https://doi.org/10.1016/j.ins.2013.08.051
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_2
Sadeghi, S., Mohammadi, T., Bagheri, N.: Cryptanalysis of reduced round skinny block cipher. IACR Trans. Symmetric Cryptol. 124–162 (2018). https://doi.org/10.13154/tosc.v2018.i3.124-162
Sasaki, Yu., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_7
Schroeppel, R., Orman, H.: The hasty pudding cipher. AES candidate submitted to NIST, p. M1 (1998)
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_17
Yang, D., Qi, W.F., Chen, H.J.: Impossible differential attack on QARMA family of block ciphers. Cryptology ePrint Archive (2018)
Zong, R., Dong, X.: MILP-aided related-tweak/key impossible differential attack and its applications to QARMA, Joltik-BC. IEEE Access 7, 153683–153693 (2019). https://doi.org/10.1109/ACCESS.2019.2946638
Acknowledgements
We thank the associate editor and the anonymous reviewers for their useful feedback that improved this paper. This research was supported by the National Natural Science Foundation of China (Grant No. 12371525) and the National Key Research and Development Program of China (Grant No. 2022YFF0604702).
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Chen, H., Li, Y., Hu, X., Liu, Z., Jiao, L., Wang, M. (2023). Automatic Search Model for Related-Tweakey Impossible Differential Cryptanalysis. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_1
DOI: https://doi.org/10.1007/978-3-031-41181-6_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6