1 Introduction

Tweakable block ciphers are block ciphers with an additional input called the tweak; when the tweak length is t bits, such a cipher is a function \(C=E(P, K, T)\) from \(\mathbb {F}_{2}^{n}\times \mathbb {F}_{2}^{\kappa }\times \mathbb {F}_{2}^{t}\rightarrow \mathbb {F}_{2}^{n}\). The concept of tweakable block ciphers was first introduced by Schroeppel in the Hasty Pudding Cipher [32] and was later formalized by Liskov et al. [23, 24]. They aimed to move the randomization of symmetric primitives out of high-level modes of operation, like \({\Theta }\)CB3 [18] or Counter-in-Tweak [29], and directly into the design of the block cipher. Unlike the secret key, the tweak is entirely public and offers attackers more flexibility. Designers must therefore handle the tweak more carefully than the key without reducing efficiency. Responding to this demand, Jean et al. [13] introduced the TWEAKEY framework at ASIACRYPT 2014 to bridge the gap between key and tweak inputs with a unified treatment; it can be viewed as a straightforward generalization of key-alternating ciphers in which the key and tweak are treated as a whole called the tweakey. Several dedicated tweakable block ciphers are based on this framework, such as Joltik-BC [14], Deoxys-BC [15] and SKINNY [3]. Furthermore, as tweakable block ciphers have developed, their designs have diversified, for example QARMA [1], CRAFT [4], and other tweakable block ciphers based on Tweak-aNd-Tweak [9] and Elastic-Tweak [6].

Impossible differential cryptanalysis was independently introduced by Biham et al. [5] and Knudsen [17] to evaluate the security of Skipjack and DEAL. In contrast to differential cryptanalysis, impossible differential cryptanalysis aims to identify a differential characteristic that has zero probability. Due to the limitations of manual derivation, various automatic methods have been developed to search for impossible differentials, including the \(\mathcal {U}\)-method [16], the UID-method [27], and the \(\mathcal{W}\mathcal{W}\)-method [34]. Unfortunately, these methods treat the underlying S-box as ideal and cannot take its details into account. This problem was soon settled by applying Mixed Integer Linear Programming (MILP) to cryptanalysis. MILP was first proposed by Mouha et al. [28] to evaluate the lower bound on the number of differentially and linearly active S-boxes, and was then improved by Sun et al. [33] to search for differential characteristics of bit-oriented block ciphers. Based on this, Cui et al. [7] proposed a MILP-based tool to search for impossible differentials of lightweight block ciphers and an algorithm to verify them. Soon after, Sasaki and Todo [31] presented a MILP-based tool to search for impossible differentials of SPN block ciphers by treating large S-boxes as permutations, so that their tool could detect contradictions in the linear components.

However, the above methods are all based on the propagation of differences and cannot evaluate the effect of key schedules in the single-key setting. Hu et al. [12] solved this problem by using the equivalence between impossible \((s+1)\)-polytopic transitions and impossible differentials: they transformed differential propagation into the propagation of values under constraints. This new approach makes it possible to handle large-state S-boxes or value-dependent operations that are difficult to model in the traditional sense. Additionally, the approach applies to all differential cryptanalysis methods, such as searching for differential trails or counting differentially active S-boxes, which allows a more accurate assessment of a block cipher's resistance to differential cryptanalysis.

Our Contributions. For the majority of current tweakable block ciphers, adversaries have the ability to choose tweak values. Drawing inspiration from Hu et al.'s work in [12], we present an automatic search model for related-tweakey impossible differentials. Specifically, we transform the problem of identifying an impossible differential into a Satisfiability Modulo Theories (SMT) problem by encoding the propagation of states and the tweakey update function as explicit constraints, which can efficiently evaluate the resistance of most block ciphers against impossible differential analysis.

Unfortunately, taking all the details of the round functions and tweakey update functions into account leads to a significant loss of efficiency as the state space and the number of search rounds grow. To address this, we propose a generalized search model by introducing the Locality Constraint Analysis (LCA) technique. The optimized model has two significant advantages: it improves the search efficiency for long trails and it identifies the contradictory positions of impossible differentials.

In terms of practical implementation, we have employed our automatic search model in the evaluation of several tweakable block ciphers. The outcomes of these evaluations are presented below.

  • For Joltik-BC, we have discovered several 6-round and 7-round related-tweakey impossible differentials for Joltik-BC-128 and Joltik-BC-192, respectively. These differentials were previously unknown.

  • For SKINNY, we have identified related-tweakey impossible differentials of 12, 14, and 16 rounds for SKINNY-64-64, SKINNY-64-128, and SKINNY-64-192, respectively. Notably, the majority of these differentials had not been previously reported by Sadeghi et al. in [30].

  • For QARMA-64, we have derived several 7-round asymmetric related-tweak impossible differential distinguishers spanning from the 6th to the 12th round. Particularly, the majority of these distinguishers were not identified using Zong’s method in [36].

  • For CRAFT, we have derived 12-round related-tweak impossible differentials and 15-round related-tweakey impossible differentials under the condition that only one nibble is active in the tweakey differences. It is noteworthy that these differential properties have not been reported before.

Outline. In Sect. 2, we provide a brief overview of the necessary preliminaries utilized in the present paper. Subsequently, in Sect. 3, we introduce an automatic search model for related-tweakey impossible differentials based on the SAT solver. Section 4 is dedicated to the application of our tool in the search for related-tweakey impossible differentials in some tweakable block ciphers, followed by a concise evaluation of our model in Sect. 5. Finally, we conclude this work in Sect. 6. The source codes are publicly available at https://github.com/Rainy1024/ImpossibleDifferentialAnalysis.git.

2 Preliminaries

2.1 Notations

The following notations are used in the present paper. Throughout the paper, we use \(\oplus \) to denote the bitwise XOR of two vectors or XOR of two bits.

  • \(\mathbb {F}^n_2\): the vector space of dimension n over the finite field \(\mathbb {F}_2\).

  • \(\varDelta _{m}^{n}\): the set \(\{(a, a') \in \mathbb {F}_{2}^{n}\times \mathbb {F}_{2}^{n} \mid a \oplus a' = m\}\) for \(m \in \mathbb {F}_{2}^{n}\setminus \{0\}\).

  • \(BC(n,m,l)\): the set of iterated block ciphers whose block size is n bits, master key size is m bits, and round key size is l bits.

  • \(TBC(n,\kappa ,t)\): the set of tweakable block ciphers whose block size is n bits, master key size is \(\kappa \) bits and initial tweak size is t bits.

  • \(TK_{j}^{r}[i]\): the i-th nibble of the j-th subtweakey of the r-th round. Its difference is denoted by \(\triangle TK_{j}^{r}[i]\).

  • DR: the length of an impossible differential distinguisher.

  • ConR: the round index where the contradiction occurs.

  • ConPs: The specific location of the contradiction. For instance, \(S_i\) means the contradiction is in the S-box with the index i.

2.2 Related-Tweakey Impossible Differential

Related-key impossible differential cryptanalysis is a variant of impossible differential cryptanalysis where an attacker can control the key schedule. In this attack, the attacker can choose two related keys and use them to generate a specific input difference that produces a target output difference with zero probability. Here, we first recall some definitions of impossible 2-polytopic transitions proposed in [12].

For an iterated block cipher \(E\in BC(n,m,l)\), the tuple \((x, x')\) with \(x,x' \in \mathbb {F}_{2}^{n}\) is called a 2-polygon in \(\mathbb {F}_{2}^{n}\). The 2-polygon \((x_{r_b}, x'_{r_b})\) propagates round by round. If there exists an r-round related-key 2-polygonal trail

$$\begin{aligned} ((x_{r_b},x'_{r_b}), (E_{k_{r_b}}^{1}(x_{r_b}),E_{k'_{r_b}}^{1}(x'_{r_b})),\ldots , (E_{k_{r_b+r-1}}^{r}(x_{r_b+r-1}),E_{k'_{r_b+r-1}}^{r}(x'_{r_b+r-1}))) \end{aligned}$$

such that the equations \((x_{r_e}, x'_{r_e}) = (E_{k_{r_b+r-1}}^{r}(x_{r_b+r-1}), E_{k'_{r_b+r-1}}^{r}(x'_{r_b+r-1}))\) are always satisfied, then the triplet \(((x_{r_b},x'_{r_b}), (k_{r_b},k'_{r_b}), (x_{r_e},x'_{r_e}))\) is called an r-round dependent-key possible 2-polygon. Otherwise, it is an r-round dependent-key impossible 2-polygon of E. Based on this, we redefine the related-tweakey impossible differential for tweakable block ciphers.

Definition 1 (Related-tweakey Impossible Differential)

For a tweakable block cipher \(E \in TBC(n,\kappa ,t)\), if \(((s_{r_b},s'_{r_b}),(tk,tk'), (s_{r_e},s'_{r_e}))\) is an \((r_{e}-r_{b})\)-round dependent-tweakey impossible 2-polygon, where tk is the initial tweakey, for all \((s_{r_b}, s'_{r_b})\in \varDelta _{\alpha }^{n}\), \((s_{r_e}, s'_{r_e})\in \varDelta _{\beta }^{n}\) and \((tk,tk')\in \varDelta _{\delta }^{\kappa +t}\), then the triplet \((\alpha , \beta , \delta )\) is called an \((r_{e}-r_{b})\)-round related-tweakey impossible differential.

According to Definition 1, instead of describing the differential propagation, we pay attention to the propagation of values with certain constraints in the present paper. Specifically, referring to the automatic search model proposed in [12], we give an automatic search model for the \((r_e-r_b)\)-round related-tweakey impossible differentials by considering the propagation of states from the \(r_b\)-th round to the \(r_e\)-th round, which is shown in Algorithm 1.

[Algorithm 1: listing not reproduced in this extraction]

2.3 Boolean Satisfiability Problem

The Boolean Satisfiability Problem (SAT) asks whether there is an assignment of a set of Boolean variables that makes a given Boolean expression evaluate to "True". Any Boolean expression can be converted to a normal form, and conjunctive normal form (CNF) is one of them. A CNF expression is a collection of clauses, each consisting of variables, ORs and NOTs, which are then joined together with ANDs into a full expression. A SAT solver is essentially a solver for huge Boolean equations in CNF: it reports whether there is a set of input values that satisfies the CNF expression and, if so, what those values are. Several heuristic SAT solvers exist, and most of them, such as Cryptominisat [19], accept CNF files as the standard input format.

The Satisfiability Modulo Theories (SMT) problem is an extension of the SAT problem in which CNF formulas are enriched with binary-valued functions over a suitable set of binary and (or) non-binary variables. Many works that search for differential and linear characteristics are based on the SMT problem, and STP is a common solver for such problems. STP accepts the CVC input format; it starts from an initial assignment of the literals and then builds a search tree by systematic backtracking until all conflicting clauses are resolved. The solver returns either an assignment of the variables that satisfies the set of clauses or a predicate indicating that the problem is unsatisfiable. Internally, when STP is invoked on an SMT problem, it first translates the SMT instance given in CVC format into a SAT instance in CNF and then decides its satisfiability.

3 The Optimized Automatic Search Model

By utilizing Algorithm 1 to investigate related-tweakey impossible differentials, we observe that as the number of search rounds increases, the equation system used to represent the state propagation expands correspondingly. This leads to an exponential escalation in both runtime and memory requirements, caused by the growing amount of data handled during the database query process. To overcome these impediments and enhance the efficiency of Algorithm 1, we propose in this section an optimized automatic search model based on the LCA technique.

3.1 Application of LCA in Impossible Differential Cryptanalysis

Locality Constraint Analysis (LCA) is an analytical method that uses the properties of local variables to deduce global features. In impossible differential analysis, if \(E_{r_1}^{k}(\varDelta _{\alpha }^{n}) = D_{r_2}^{k}(\varDelta _{\beta }^{n})\) is never satisfied under any k for \(E\in BC(n,m,l)\), the differential \((\alpha , \beta )\) is called an impossible differential. However, according to the confusion and diffusion criteria followed in block cipher design, with the exception of the few positions at which contradictions may occur, the values at the other positions almost reach full diffusion after several rounds of iteration, meaning that the values at those positions can traverse the entire space. Therefore, we can use the LCA technique to determine an impossible differential by considering only some of the positions instead of the full state.

From the perspective of theoretical analysis, let \({x} = (x_0,x_1, \cdots , x_{n-1})\), \(x_i\in \mathbb {F}_2\), be called inactive if \(\bigvee _{0\le i\le n-1}x_i=0\), and active otherwise. Then we obtain Theorem 1 from Definition 1. The proof is omitted in the paper.

Theorem 1

Let \(E(x,tk)\in TBC(n,\kappa ,t)\) be a tweakable block cipher and \(\mathbb{C}\mathbb{P}\) be a tuple that includes the sets of possible contradictory positions that need to be constrained in the search model. For any \(\alpha ,\beta \in \mathbb {F}_2^n\), \(\delta \in \mathbb {F}_2^{\kappa +t}\setminus \{0\}\), if there exists a set \(\mathbb {P} \subset \mathbb{C}\mathbb{P}\), such that

$$\begin{aligned} LCA := \bigvee _{i\in \mathbb {P}}C_i(x,y,tk)\oplus C_i(x\oplus \alpha ,y\oplus \beta ,tk\oplus \delta ) \end{aligned}$$

is active for all \(x,y\in \mathbb {F}_2^n\) and all \(tk\in \mathbb {F}_2^{\kappa +t}\), where \(C_i(x,y,tk) := E_{r_1}(x,tk)[i] \oplus D_{r_2}(y,tk)[i]\) and \(D_r(E_r(x,tk),tk)=x\), then \((\alpha , \beta , \delta )\) is an \((r_{1}+r_{2})\)-round related-tweakey impossible differential of \(E(x,tk)\).

The Idea of Our Approach. We use the "miss-in-the-middle" method to find impossible differential distinguishers of block ciphers, but in contrast to the classical approach we weaken the conditions imposed on the intermediate state. As shown in Fig. 1, we split an \((r_1+r_2)\)-round impossible differential into an \(r_1\)-round encryption and an \(r_2\)-round decryption and, with the LCA technique, only pay attention to the values of a few bits in the middle.

In particular, suppose that \(\mathbb {P}=\{i_{0}, i_{1}, \cdots , i_{m}\}\) is a set in which contradictions may occur. Then, if the equation

$$ \bigvee _{i\in \mathbb {P}}E_{r_{1}}(x,tk)[i]\oplus E_{r_{1}}(x',tk')[i] \oplus D_{r_{2}}(y,tk)[i] \oplus D_{r_{2}}(y',tk')[i] = 0 $$

is never satisfied for all \((x,x')\in \varDelta _{\alpha }^{n}\), \((y,y')\in \varDelta _{\beta }^{n}\) and \((tk,tk')\in \varDelta _{\delta }^{\kappa +t}\), the triplet \((\alpha , \beta , \delta )\) is an \((r_1+r_2)\)-round related-tweakey impossible differential. It is worth noting, however, that a differential triplet \((\alpha ,\beta ,\delta )\) satisfying Theorem 1 is a related-tweakey impossible differential, but not vice versa.

Fig. 1. The Optimization Scheme of Our Automatic Search Model [figure not reproduced]

3.2 The Optimized Automatic Search Model for Related-Tweakey Impossible Differentials

Based on the preceding analysis, we present an optimized automatic search model for related-tweakey impossible differentials, outlined in Algorithm 2.

Specifically, given a tweakable block cipher \(E\in TBC(n,\kappa ,t)\), determining whether a triplet \((\alpha , \beta , \delta )\) is an \((r_{e}-r_{b})\)-round related-tweakey impossible differential proceeds in three phases: search space determination, statements generation, and STP invocation. The input parameters are the starting round number \(r_b\), the terminating round number \(r_{e}\), and the round \(r_m\) at which the constraints are added. For each triplet \((\alpha , \beta , \delta )\) in the search space \(\varOmega \), the question whether \((\alpha , \beta , \delta )\) constitutes an \((r_{e}-r_{b})\)-round related-tweakey impossible differential is transformed into the corresponding SMT problem in the CVC language and solved by invoking the STP solver. Finally, Algorithm 2 outputs the length of the distinguishers and the corresponding input and output differentials. Further details of Algorithm 2 are presented below.

[Algorithm 2: listing not reproduced in this extraction]

Specification of the Search Space Determination Phase. The efficacy of our automated search approach hinges predominantly on two factors, as demonstrated in Lines 6 and 7 of Algorithm 2: the duration needed to complete a search and the magnitude of the search space. As the search time is restricted by the size of the cipher and the hardware used, enhancing search efficiency can be challenging under limited resources. Consequently, selecting the search space judiciously so that a minimal number of elements reflect a greater number of differential properties will be pivotal in increasing search efficiency.

The Choice of \(\boldsymbol{\varOmega }\). The utilization of linear tweak schedules and XOR operations for the purpose of mixing subtweakeys with internal states, as observed in numerous state-of-the-art tweakable block ciphers, can inadvertently benefit potential attackers. Specifically, under the related-tweakey setting, an attacker can manipulate certain state values by XORing the same difference of subtweakeys at corresponding positions, thereby nullifying the difference of internal states. This, in turn, enables the attacker to pass one round function without incurring any additional cost, as depicted in Fig. 2.

Fig. 2. The differential model under the related-tweakey setting (this is the TWEAKEY framework proposed by Jean et al. [13] to bridge the gap between key and tweak inputs in the design of tweakable block ciphers, which can be viewed as a straightforward generalization of key-alternating ciphers; in the model, f is the round function and h represents the tweakey update function). [figure not reproduced]

Furthermore, Sasaki and Todo [31] have observed that all existing ciphers have the longest impossible differentials with only one active word in both input and output. In light of this, it is common practice to set the input and output difference to zero and only introduce differences to the tweakeys, that is, \(\varOmega = \{(\alpha , \beta , \delta )|\alpha =0, \beta = 0, \delta \in \mathbb {F}_2^{\kappa +t}\setminus \{0\}\}\). The specific choice of \(\delta \) depends on the cipher’s structure, with one bit being active for bit-oriented encryption and one cell being active for cell-oriented encryption.

The Choice of \(\boldsymbol{r_{m}}\) and \(\boldsymbol{\mathbb{C}\mathbb{P}}\). The parameters \(r_{m}\) and \(\mathbb{C}\mathbb{P}\) jointly determine the locations of the contradictions. Based on empirical observations and experimental tests, we observe that for a distinguisher of odd length, the contradictions typically manifest in the middle round; whereas for even length, they appear in the middle two rounds. As such, we derive the expression \(r_{m} = \lceil \frac{r_{b}+r_{e}}{2}\rceil \) if \((r_{e}-r_{b})\) is odd, and \(r_{m} \in \{\frac{r_{b}+r_{e}}{2}, \frac{r_{b}+r_{e}}{2}+1\}\) if \((r_{e}-r_{b})\) is even. The selection of the constrained position tuple \(\mathbb{C}\mathbb{P}\) is also informed by empirical evidence and experimental results.

In particular, for ARX-based block ciphers we apply the constraint tuple \(\mathbb{C}\mathbb{P} = \{[i]|0\le i \le (n-1)\}\), i.e., we constrain one bit of the intermediate state in each search. To verify the effectiveness of this approach, we applied Algorithm 2 to SIMON and SPECK [2]; the results are presented in Table 1, where for ciphers based on the Feistel structure only one branch is constrained when defining \(\mathbb{C}\mathbb{P}\). For SPN-based block ciphers, we take an S-box as the constraint unit in our modified model, i.e., \(\mathbb{C}\mathbb{P} = \{S_i|0 \le i \le (m-1)\}\), where \(S_i = \{i|0 \le i \le (m-1)\}\) for an m-bit S-box. Using this constraint, we applied Algorithm 2 to SKINNY, QARMA, and CRAFT. Notably, we define \(\mathbb{C}\mathbb{P} = \{\{S_{4i},S_{4i+1},S_{4i+2},S_{4i+3}\}|0 \le i \le 3\}\) when applying Algorithm 2 to Joltik-BC, since the matrix used in its MixNibbles operation is an MDS matrix.

Table 1. The experimental results for SIMON32/64 and SPECK32/64

Specification of Statements Generation Phase. The statements generation phase is described in lines 8-16 of Algorithm 2. A detailed account of each step is then presented in the following.

  • Line \(\boldsymbol{8}\). Declare the variables that describe the propagation of the round functions and tweakey schedules, including the variables representing the input and output 2-polygons, the tweakey 2-polygons, and some other intermediate variables.

  • Lines \(\boldsymbol{9}\)–\(\boldsymbol{11}\). According to the propagation rules for Copy, Xor, Modular Addition, Binary Matrix Multiplication and S-box given in [12], construct the propagation from the input 2-polygon \((s_{r_{b}}, s_{r_{b}}')\) to the output 2-polygon \((s_{r_{m}}, s_{r_{m}}')\) in CVC format with the aid of the tweakey 2-polygons and intermediate variables. In particular, the tweakey 2-polygons are constrained according to the tweakey schedule.

  • Line \(\boldsymbol{12}\). Generate the statements in CVC format such that the input and output 2-polygons satisfy \(s_{r_{b}}\oplus s_{r_{b}}'=\alpha \) and \(s_{r_{e}}\oplus s_{r_{e}}'=\beta \), while the tweakey 2-polygons satisfy \(tk_{r_{b}}\oplus tk_{r_{b}}'=\delta \).

  • Lines \(\boldsymbol{13}\)–\(\boldsymbol{14}\). Generate the statements in CVC format such that the output 2-polygon of the first \((r_{m}-r_{b})\) rounds and the input 2-polygon of the last \((r_{e}-r_{m})\) rounds satisfy \(s_{r_{m}}[i] \oplus s'_{r_{m}}[i] \oplus \hat{s}_{r_{m}}[i] \oplus \hat{s}'_{r_{m}}[i] = 0\) for all \(i\in \mathbb {P}\).

  • Line \(\boldsymbol{15}\). Add the statements "QUERY(FALSE);" and "COUNTEREXAMPLE;" to the statement system; this is the usual way of asking STP whether an SMT problem has a solution.

Specification of the STP Invocation Phase. We invoke STP on the file that contains the system of statements. If STP returns "Valid", no solution exists for the SMT problem; the corresponding triplet \((\alpha , \beta , \delta )\) is therefore an \((r_{e}-r_{b})\)-round related-tweakey impossible differential, and \(r_{m}\) and \(\mathbb {P}\) identify the contradictory positions. If instead STP returns "Invalid" together with a set of solutions, the triplet \((\alpha , \beta , \delta )\) is not an \((r_{e}-r_{b})\)-round related-tweakey impossible differential, and these solutions constitute a corresponding differential characteristic from round \(r_{b}\) to round \(r_{e}\) for E.
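To make the LCA condition of Theorem 1 and the three phases of Algorithm 2 concrete, the following added example (our own illustration, not the paper's tool and not taken from the linked repository) checks the equation of Sect. 3.1 on a constructed 8-bit toy tweakable cipher: two 4-bit nibbles, a round of AddTweakey, SubCells (PRESENT S-box) and a nibble mix, and a linear tweakey schedule that swaps the nibbles and clocks a 4-bit LFSR. The STP query is replaced by exhaustive enumeration of x, y and tk, which is feasible at this size; the names lca_impossible, round_enc and tweakey_update are ours, and the search space is \(\varOmega =\{(0,0,\delta )\}\) with one active nibble as in the paper.

```python
from itertools import product

# Constructed toy TBC: 8-bit state and 8-bit tweakey, each a tuple of two nibbles.
NB = 2
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box; any bijection works
SBOX_INV = [SBOX.index(v) for v in range(16)]


def lfsr(x):
    """4-bit map (x3,x2,x1,x0) -> (x2,x1,x0,x3^x2); linear, so lfsr(a^b) == lfsr(a)^lfsr(b)."""
    return ((x << 1) & 0xF) | (((x >> 3) ^ (x >> 2)) & 1)


def tweakey_update(tk):
    """Linear tweakey schedule h: swap the nibbles and clock the LFSR on one of them."""
    t0, t1 = tk
    return (t1, lfsr(t0))


def round_tweakey(tk, r):
    """Subtweakey of round r (1-indexed): h applied r-1 times to the initial tweakey."""
    for _ in range(r - 1):
        tk = tweakey_update(tk)
    return tk


def round_enc(s, rk):
    """One round: AddTweakey, SubCells, Mix (v0,v1) -> (v0^v1, v0)."""
    v0, v1 = SBOX[s[0] ^ rk[0]], SBOX[s[1] ^ rk[1]]
    return (v0 ^ v1, v0)


def round_dec(s, rk):
    """Inverse round: Mix^-1, SubCells^-1, AddTweakey."""
    v0, v1 = s[1], s[0] ^ s[1]
    return (SBOX_INV[v0] ^ rk[0], SBOX_INV[v1] ^ rk[1])


def encrypt_rounds(s, tk, first, last):
    """E_{r1}: apply rounds first..last in the encryption direction."""
    for r in range(first, last + 1):
        s = round_enc(s, round_tweakey(tk, r))
    return s


def decrypt_rounds(s, tk, last, first):
    """D_{r2}: undo rounds last..first, inverting encrypt_rounds(s, tk, first, last)."""
    for r in range(last, first - 1, -1):
        s = round_dec(s, round_tweakey(tk, r))
    return s


def xor(a, b):
    return tuple(u ^ v for u, v in zip(a, b))


def project(s, positions):
    """Keep only the nibbles in P (the ConPs of the paper)."""
    return tuple(s[i] for i in positions)


def lca_impossible(alpha, beta, delta, r1, r2, positions):
    """Theorem 1 by enumeration: True iff for every tk the forward projection
    E_r1(x,tk)[P] ^ E_r1(x^alpha,tk^delta)[P] never equals the backward projection
    D_r2(y,tk)[P] ^ D_r2(y^beta,tk^delta)[P]; the middle state sits after round r1.
    False only means no contradiction was found at P (the 'not vice versa' caveat)."""
    space = list(product(range(16), repeat=NB))
    for tk in space:
        tk2 = xor(tk, delta)
        fwd = {project(xor(encrypt_rounds(x, tk, 1, r1),
                           encrypt_rounds(xor(x, alpha), tk2, 1, r1)), positions)
               for x in space}
        for y in space:
            bwd = project(xor(decrypt_rounds(y, tk, r1 + r2, r1 + 1),
                              decrypt_rounds(xor(y, beta), tk2, r1 + r2, r1 + 1)), positions)
            if bwd in fwd:
                return False     # the equation of Theorem 1 has a solution at P
    return True


def demo():
    """Search space Omega = {(0,0,delta)} with one active nibble, 2 rounds, r_m = 1."""
    zero = (0, 0)
    return {
        "delta=(3,0), P=[0]": lca_impossible(zero, zero, (3, 0), 1, 1, [0]),      # contradiction at S_0
        "delta=(3,0), P=[1]": lca_impossible(zero, zero, (3, 0), 1, 1, [1]),      # S_1 alone cannot show it
        "delta=(3,0), P=[0,1]": lca_impossible(zero, zero, (3, 0), 1, 1, [0, 1]),
        "delta=(0,3), P=[0,1]": lca_impossible(zero, zero, (0, 3), 1, 1, [0, 1]),  # no contradiction (and in fact possible)
    }


if __name__ == "__main__":
    for name, proven in demo().items():
        print(f"{name}: {'impossible' if proven else 'no contradiction found'}")
```

The second case shows why the choice of ConPs matters: the difference injected into nibble 0 always reaches both output nibbles through the mix, while the backward tweakey difference only reaches nibble 1, so the contradiction is visible at \(S_0\) but not at \(S_1\) alone.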

4 Applications from Cryptanalysis Aspect

In this section, we apply our automatic search model to Joltik-BC, SKINNY, QARMA, and CRAFT from the cryptanalysis aspect. In particular, when searching for related-tweakey impossible differentials, only the tweakey difference is set while the input and output differences are kept at zero, that is, \(\varOmega =\{(0, 0, \delta )|\delta \in \mathbb {F}_{2}^{\kappa +t}\setminus \{0\}\}\), where \(\kappa \) and t are constants. Consequently, by exploiting the relationship between the tweakey and the state of a cipher, an \((r+2)\)-round impossible differential can be derived whenever an r-round related-tweakey impossible differential is found within the search space \(\varOmega \). Furthermore, \(\varDelta _{in}\) and \(\varDelta _{out}\) denote the input and output difference of the operation AddRoundTweakey, respectively.

4.1 Application to Joltik-BC

Joltik-BC is an iterative substitution-permutation network that transforms the initial plaintext into a ciphertext through a series of round functions that depend on the key and the tweak. The cipher exists in two variants, namely Joltik-BC-128, with a total key and tweak size of 128 bits, and Joltik-BC-192, with a combined key and tweak size of 192 bits. Additional information regarding Joltik-BC can be found in [14]. Notably, the construction of Joltik-BC is based on the Superposition TWEAKEY design [13], with a tweakey schedule satisfying Proposition 1. This property gives the attacker additional differential freedom when assessing differential propagation.

Proposition 1

(Cancellation of the Tweak Differences [14]) Cancellation of differences (in general since the key schedule is linear) in the chosen nibble of TK-p cannot occur more than \((p-1)\) times. For TK-2, this means that the cumulative difference from the subtweakeys can be canceled only once by XOR of the subtweakeys. For TK-3, this can happen twice.

Previous Cryptanalysis. To the best of our knowledge, the most extensive distinguisher discovered for Joltik-BC-128 is a 6-round related-tweak impossible differential proposed in [36]. This particular impossible differential exhibits two active nibbles for both input and output differences. For Joltik-BC-192, no public impossible differential has been identified, apart from a 7-round meet-in-the-middle distinguisher constructed in [20].

List of \(\boldsymbol{6}\)-Round Related-Tweakey Impossible Differentials for Joltik-BC-128. By introducing the difference to \(TK_{1}^{r}\) and \(TK_{2}^{r}\) in a single nibble, we applied Algorithm 1 to Joltik-BC-128 and discovered a 6-round related-tweakey impossible differential with a time of 4.43 s. To confirm the absence of a 7-round impossible differential in the search space, we conducted a verification process by traversing the entire search space, which took approximately 23.4 h. Based on Proposition 1, the search results can be classified into three cases. The corresponding values are presented in Table 2.

Table 2. The 6-round related-tweakey impossible differentials for Joltik-BC-128

List of \(\boldsymbol{7}\)-Round Related-Tweakey Impossible Differentials for Joltik-BC-192. By introducing differences to the same nibble of \(TK_{1}^{r}\), \(TK_{2}^{r}\), and \(TK_{3}^{r}\), respectively, a 7-round related-tweakey impossible differential is obtained with a time of 2403.67 s. It required approximately 25 days to verify the non-existence of an 8-round impossible differential in the search space. As Proposition 1 suggests, the tweakey differences can be canceled twice. The search results can be categorized into the following five cases, as shown in Table 3.

Table 3. The 7-round related-tweakey impossible differentials for Joltik-BC-192

4.2 Application to SKINNY

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint, proposed at CRYPTO 2016 by Beierle et al. [3]. SKINNY has six main variants. Specifically, SKINNY-n-t is a block cipher that operates on n-bit blocks with a t-bit tweakey, where \(n=64\) or 128 and \(t = n,2n\) or 3n. More details can be found in [3]. In this section we apply our model of Algorithm 2 to search for related-tweakey impossible differentials of SKINNY.

Previous Cryptanalysis. To the best of our knowledge, the longest related-tweakey impossible differentials obtained under the assumption of a single active nibble are 12-, 14-, and 16-round for SKINNY-64-64, SKINNY-64-128, and SKINNY-64-192, respectively, as reported in [25]. Although Sadeghi et al. [30] claimed to have found 13- and 15-round related-tweakey impossible differentials for SKINNY-64-64 and SKINNY-64-128, the length of their distinguishers in the \((0,0,\delta )\) mode is the same as in our results. In our opinion, the extra round in their results is not eligible because the input difference of that extra round is not determined.

The \(\boldsymbol{12}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-64. By introducing the difference to one nibble of \(TK^{r}_{1}\), we apply Algorithm 2 to find a 10-round related-tweakey impossible differential (including 10 SubCells operations) with 817.69 s. It took about 1.01 h to prove that there is no 11-round impossible differential in the search space. According to the relationship between the tweakey schedule and the round function, we can further extend the 10-round related-tweakey impossible differentials to the 12-round related-tweakey impossible differentials in the mode of \((\alpha ,\beta ,\delta )\), which is shown in Table 4.

Table 4. The related-tweakey impossible differentials for SKINNY-64-64

The \(\boldsymbol{14}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-128. By introducing differences to the same nibble of \(TK_{1}^{r}\) and \(TK_{2}^{r}\), we have discovered a 12-round related-tweakey impossible differential with a duration of 5.96 h using Algorithm 2. It took approximately 26.89 h to establish the absence of a 13-round impossible differential in the search space. Based on the relationship between the tweakey schedule and the round function, we have extended the 12-round related-tweakey impossible differentials in the \((0,0,\delta )\) mode to 14-round related-tweakey impossible differentials in the \((\alpha ,\beta ,\delta )\) mode. Here, \(\varDelta _{in} = \triangle TK_{1}^{r}\oplus \triangle TK_{2}^{r}\), \(\triangle TK_{1}^{r}\oplus L_{2}(\triangle TK_{2}^{r}) = 0\), and \(\varDelta _{out} = \triangle TK_{1}^{r+14}\oplus \triangle TK_{2}^{r+14}\). The values are presented in Table 5.

Table 5. The related-tweakey impossible differentials for SKINNY-64-128

The \(\boldsymbol{16}\)-Round Related-Tweakey Impossible Differentials for SKINNY-64-192. By introducing differences to the same nibble of \(TK_{1}^{r}\), \(TK_{2}^{r}\), and \(TK_{3}^{r}\), respectively, we applied our tool to discover a 14-round related-tweakey impossible differential in 6.9 days within the search space. Moreover, we extended the 14-round related-tweakey impossible differentials in the mode of \((0,0,\delta )\) to 16-round related-tweakey impossible differentials in the mode of \((\alpha ,\beta ,\delta )\), where \(\varDelta _{in} = \triangle TK_{1}^{r}\oplus \triangle TK_{2}^{r}\oplus \triangle TK_{3}^{r}\) and \(\varDelta _{out} = \triangle TK_{1}^{r+16}\oplus \triangle TK_{2}^{r+16}\oplus \triangle TK_{3}^{r+16}\). Due to the cancellation among the tweakey differences, the search results can be divided into two cases, where \(L_{i}^{j}\) denotes the LFSR used in \(TK_{i}\) applied j times.

  • Case 1. The values of \((\triangle TK_{1}^{r}, \triangle TK_{2}^{r}, \triangle TK_{3}^{r})\) are subject to the constraint that \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{1}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{1}(\triangle TK_{3}^{r}[i]) = 0\) and \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{2}(\triangle TK_{2}^{r}[i])\) \( \oplus L_{3}^{2}(\triangle TK_{3}^{r}[i]) = 0\) for \(i\in \{0,\cdots ,7\}\).

  • Case 2. The tuple of values \((\triangle TK_{1}^{r}, \triangle TK_{2}^{r}, \triangle TK_{3}^{r})\) is constrained so that \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{1}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{1}(\triangle TK_{3}^{r}[i]) = 0\) and \(\triangle TK_{1}^{r}[i]\oplus L_{2}^{7}(\triangle TK_{2}^{r}[i])\oplus L_{3}^{7}(\triangle TK_{3}^{r}[i]) = 0\) for \(i\in \{0,\cdots ,7\}\).

4.3 Application to QARMA

The QARMA block cipher, designed by Avanzi at ToSC’17, is a lightweight tweakable block cipher with a three-round Even-Mansour construction. There are two variants of QARMA that support block sizes of \(n = 64\) and \(n = 128\) bits, denoted by QARMA-64 and QARMA-128, respectively. The tweak is also n bits long and the key is always 2n bits long. In the present paper, we focus on QARMA-64.

Previous Cryptanalysis. Since the proposal of the tweakable block cipher QARMA, various attacks have been employed to assess its security, such as meet-in-the-middle attacks [22], impossible differential attacks [26, 35, 36] and statistical saturation attacks [21]. However, the longest related-tweak impossible differential of QARMA is the 7-round one proposed by Zong et al. [36], obtained by considering the differential relationship between the tweak and a single-tweak impossible differential.

List of \(\boldsymbol{7}\)-Round Related-Tweakey Impossible Differentials for QARMA-64. By modifying a single nibble of the initial tweak, we apply Algorithm 2 to derive several related-tweakey impossible differentials for QARMA-64, ranging from the 7-th to the 11-th round, some of which were not previously known. By further taking the tweak update function into account, we obtain some 7-round related-tweak impossible differentials for QARMA-64 covering rounds 6 to 12, as tabulated in Table 6.

Table 6. The 7-round related-tweak impossible differentials for QARMA-64

4.4 Application to CRAFT

CRAFT is a lightweight tweakable block cipher introduced by Beierle et al. [4] at FSE 2019, which follows the SPN design with 32 rounds. The main goal of CRAFT was to efficiently protect its implementations against Differential Fault Analysis (DFA) attacks. It has a 64-bit block, a 128-bit key K and a 64-bit tweak T, where the 128-bit key is split into two 64-bit keys \(K_0\) and \(K_1\). Using the permutation Q on the tweak, four 64-bit tweakeys \(TK_0\), \(TK_1\), \(TK_2\) and \(TK_3\) are derived from the tweak T and the keys \(K_0\), \(K_1\). Then in each round, without any key update, the tweakey \(TK_{i \bmod 4}\) is XORed into the cipher state. See [4] for further details.

Previous Cryptanalysis. In the specification file, Hadipour et al. [4] conducted an extensive analysis of the security of CRAFT. Specifically, they identified a 13-round impossible differential in the single-key setting, which remains the longest known to date. Subsequently, many studies have evaluated the security of round-reduced CRAFT in both the single-key and the related-key setting. However, the majority of this research has centered on differential attacks, as documented in [8, 10, 11]. Furthermore, Hadipour et al. [11] reported a 14-round zero-correlation linear distinguisher in the related-tweak setting, in addition to some probability-type attacks.

List of \(\boldsymbol{12}\)-Round Related-Tweak Impossible Differentials for CRAFT. When searching for related-tweak impossible differentials of CRAFT, we activate a single nibble of the initial tweak while all other differences remain inactive. Specifically, the active set is denoted by \(\varOmega =\{(0,0,\delta )|\delta \in \mathbb {F}_{2}^{\kappa }\setminus \{0\}\}\) with \(\triangle K_{0} = \triangle K_{1} =0\). Using Algorithm 2, we discovered several 10-round related-tweak impossible differentials for the first time, in a total time of 891.34 s; these can also be extended to 12 rounds, as shown in Table 7. Additionally, we proved that there are no 13-round related-tweak impossible differentials in the search space, which required a total time of 4698.06 s.

Table 7. The 12-round related-tweak impossible differentials for CRAFT

List of \(\boldsymbol{15}\)-Round Related-Tweakey Impossible Differentials for CRAFT. By setting the input and output differences to zero and modifying only a single nibble of \(K_0\), \(K_1\), and T, i.e., \(\varOmega =\{(0,0,\delta )|\delta \in \mathbb {F}_{2}^{64}\setminus \{0\}\}\) with \(\triangle K_{0} = \triangle K_{1} =\triangle T = \delta \), we apply Algorithm 2 to CRAFT and identify 13-round related-tweakey impossible differentials for the first time within 3263.46 s; these can also be extended to 15 rounds with \(\delta = (0000\; 0000\; 000a\; 0000)\) and \(\varDelta _{in} = \varDelta _{out} = (0000\; 0000 \; a00a\; 0000)\). Additionally, we proved that there are no 16-round related-tweakey impossible differentials within the search space, with a total search time of 7040.3 s.

5 Evaluation of the Automatic Search Models

The LCA technique is an analysis method that deduces properties of the whole system from constraints placed on a local part of it. Consequently, compared with conventional search methods, the LCA technique reduces the interdependence among variables. In the following, we assess Algorithm 2 against Algorithm 1 on the basis of the search results.

Improving the Search Efficiency for Long Trails. The LCA technique can enhance search efficiency and significantly reduce time costs, especially when exploring distinguishers with long trails. An illustrative example is provided in Table 8, which presents the computational time required by Algorithm 1 and Algorithm 2 to decide the existence of a related-tweakey impossible differential for CRAFT. The experimental evaluation was performed on the following platform: Intel(R) Core i7-9700 CPU@3.00 GHz \(\times \) 8, 8 GB RAM, 64-bit Ubuntu under VMware. As Table 8 shows, when the number of rounds is small, Algorithm 2 must sequentially traverse the constraint set and the intermediate rounds, resulting in a total time cost comparable to Algorithm 1. However, as the number of rounds increases, the running time of Algorithm 1 escalates nearly exponentially, whereas Algorithm 2 shows a relatively constant and gradual growth.

Table 8. The time for the related-tweakey impossible differentials of CRAFT

Additionally, Algorithm 2 performs considerably better than Algorithm 1 when applied to SKINNY, as indicated in Table 9. However, it should be noted that Algorithm 2 does not consistently outperform Algorithm 1. Specifically, when the distinguisher is relatively short, as for QARMA and Joltik-BC, Algorithm 2 offers less advantage over Algorithm 1. For instance, in the case of QARMA, Algorithm 1 required 1631.37 s to establish the absence of 8-round related-tweak impossible differentials, whereas Algorithm 2 required 1624.66 s; in this case the search efficiency was comparable. The discrepancy becomes evident for Joltik-BC-128, where Algorithm 1 required 84447.57 s to prove the nonexistence of 7-round related-tweakey impossible differentials, whereas Algorithm 2 required 476278.89 s.

Table 9. The time for related-tweakey impossible differentials of SKINNY

Determining the Contradictory Positions. In cryptanalysis, the “miss-in-the-middle” method has traditionally been employed to manually deduce the contradictory positions of an impossible differential. However, this becomes challenging when the distinguisher is long or the cipher has strong diffusion. Therefore, automatic tools are needed to assist in locating the contradictions. To this end, similar to the approach used for verifying impossible differential distinguishers in [7] and [12], the LCA technique can also be used to derive the contradictory positions. Specifically, if there exists an impossible differential under the constraint set \(\mathbb {P}\), then the contradiction occurs at the positions of \(\mathbb {P}\). Here, we provide an example for SIMON128 obtained by Algorithm 2.

Example 1

The differential \((0x0000000000000000,0x8000000000000000)\nrightarrow (0x4000000000000000, 0x0000000000000000)\) is a 19-round impossible differential for SIMON128, where the contradiction occurs in the second bit of the 11-th round.

6 Conclusion

This paper evaluates the security of tweakable block ciphers against the related-tweakey impossible differential analysis. The main approach involves constructing a differential propagation system using the SAT method, which describes the propagation of corresponding states under specific constraints and determines whether the transition is invalid. To achieve this goal, an automatic search model is proposed for related-tweakey impossible differentials based on the SMT problem. Subsequently, this method has been employed to identify the related-tweakey impossible differentials for QARMA-64 and Joltik-BC, respectively.

Furthermore, the paper introduces a novel analytical strategy known as Locality Constraint Analysis (LCA), which aims to improve the efficiency of searching for distinguishers with long trails or for ciphers with large state sizes. A generalized automatic search model is constructed based on LCA, and the proposed method is applied to various ciphers such as SIMON, SPECK, QARMA, CRAFT, Joltik-BC, and SKINNY. The search results demonstrate that introducing the LCA technique into impossible differential cryptanalysis significantly improves the search efficiency and makes it much more convenient to derive the contradictory positions.