A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis

Seyyed Arash Azimi; Adrián Ranea; Mahmoud Salmasizadeh; Javad Mohajeri; Mohammad Reza Aref; Vincent Rijmen

doi:10.1007/s10623-022-01074-8

. 2022 Jul 5;90(8):1797–1855. doi: 10.1007/s10623-022-01074-8

A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis

Seyyed Arash Azimi ^1,^✉, Adrián Ranea ², Mahmoud Salmasizadeh ³, Javad Mohajeri ³, Mohammad Reza Aref ¹, Vincent Rijmen ^2,⁴

PMCID: PMC9255531 PMID: 35813599

Abstract

ARX algorithms are a class of symmetric-key algorithms constructed by Addition, Rotation, and XOR. To evaluate the resistance of an ARX cipher against differential and impossible-differential cryptanalysis, the recent automated methods employ constraint satisfaction solvers to search for optimal characteristics or impossible differentials. The main difficulty in formulating this search is finding the differential models of the non-linear operations. While an efficient bit-vector differential model was obtained for the modular addition with two variable inputs, no differential model for the modular addition by a constant has been proposed so far, preventing ARX ciphers including this operation from being evaluated with automated methods. In this paper, we present the first bit-vector differential model for the n-bit modular addition by a constant input. Our model contains $O ({log}_{2} (n))$ basic bit-vector constraints and describes the binary logarithm of the differential probability. We describe an SMT-based automated method that includes our model to search for differential characteristics of ARX ciphers including constant additions. We also introduce a new automated method for obtaining impossible differentials where we do not search over a small pre-defined set of differences, such as low-weight differences, but let the SMT solver search through the space of differences. Moreover, we implement both methods in our open-source tool ArxPy to find characteristics and impossible differentials of ARX ciphers with constant additions in a fully automated way. As some examples, we provide related-key impossible differentials and differential characteristics of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2, which achieve better results compared to previous works.

Keywords: Modular addition, ARX, SMT, Automated tool, Differential cryptanalysis, Impossible differential

Introduction

Low-end devices such as RFID tags, sensor networks, and the Internet of Things (IoT) are becoming ubiquitous. In 2018, Gartner, Inc. forecasted that there would be more than 25 billion connected devices forming the IoT by 2021 [24], and following the COVID-19 lockdowns Gartner also revealed that the unprecedented event led IoT implementers to increase IoT investments to reduce costs [25]. Traditional cryptographic algorithms are not suitable for these resource-constrained devices, and several lightweight cryptographic algorithms have been recently proposed to meet this growing demand. In this regard, the National Institute of Standards and Technology (NIST) has started a process to evaluate and standardize lightweight cryptographic algorithms [59].

ARX primitives, composed exclusively of modular Additions, cyclic Rotations, and XORs, are a promising class of lightweight cryptographic algorithms with the most efficient software implementations on low-end microcontrollers [17]. There are many noteworthy ARX algorithms, such as the hash function BLAKE [1], the stream cipher Salsa20 [7], the MAC algorithm Chaskey [58] and notable block ciphers like HIGHT [31], LEA [32], SPECK [6], SPARX [16] or CHAM [41]. Usually, ciphers that are exclusively composed of ARX operations and other common bit-vector operations (e.g., modular multiplication or logical shifts) are also considered in the class of ARX ciphers, such as IDEA [43], TEA [73], or XTEA [60].

The security of ARX ciphers is evaluated by analysing their robustness against various attacks. Some of the most successful attacks applied to ARX algorithms are differential cryptanalysis and their variants, such as boomerang or related-key differential attacks [32, 41]. These attacks exploit differences in the inputs that propagate through the cipher with high probability. Another powerful attack based on non-random propagation of differences is impossible-differential cryptanalysis [8, 37], which exploits input differences propagating to differences in the outputs with zero probability.

The standard approach to show an ARX cipher is secure against differential and impossible-differential attacks is by finding the optimal characteristics (i.e., trails of differences with the highest probabilities) and the longest impossible differentials and checking that no high-probability characteristic and no impossible differential cover most rounds of the cipher [31, 32]. When the best attack in the design stage is a differential or an impossible-differential attack, the number of rounds of the cipher is determined by the longest observed high-probability characteristic or impossible differential. Thus, searching for optimal characteristics and impossible differentials is a crucial step in the design and security analysis of a cipher.

Two main techniques have been applied to search for optimal characteristics of ARX algorithms: branch-and-bound algorithms [11, 13] based on Matsui’s algorithm [54], and the recent automated methods based on Constraint Satisfaction Problems (CSP), such as SMT (Satisfiability Modulo Theories) or MILP (Mixed Integer Linear Programming) problems [21, 57]. CSP-based methods have also been recently applied to find impossible differentials [14, 65, 66]. These automated methods formulate the characteristic or impossible-differential search problem as a CSP and delegate the solving task to one of the powerful off-the-shelf CSP solvers available nowadays [5, 49]. While some CSP-based open-source tools automate the search of ARX characteristics (e.g., CryptoSMT [38]), no CSP-based open-source tool has been published to search for impossible differentials of ARX ciphers.

The main difficulty in formulating a CSP-based search problem lies in the differential models of the non-linear operations, that is, the constraints describing the differential probability of the non-linear operations of the cipher. ARX ciphers can be efficiently described using the bit-vector theory of SMT, and several bit-vector differential models have been proposed so far [39, 47, 48]. For the modular addition with two n-bit operands, the foremost non-linear operation in ARX primitives, Lipmaa and Moriai found a bit-vector algorithm for computing the differential probability with complexity $O ({log}_{2} n)$ [47]. This algorithm can be straightforwardly translated to a bit-vector differential model, and it has been used in several SMT-based methods to search for characteristics [48, 57, 68] and impossible differentials [65] of ARX ciphers.

However, no CSP-based differential model has been proposed for the modular addition with a constant input, preventing from searching for characteristics or impossible differentials of ARX ciphers that contain constant additions. Lipmaa’s algorithm is restricted to the modular addition with two operands, and it cannot be applied when one of the inputs is fixed to a constant, as we will discuss later. Machado proposed an algorithm to compute the differential probability of the constant addition [53], but it cannot be translated to an efficient bit-vector differential model due to its recursive nature and the use of floating-point arithmetic.

Contributions

We propose an efficient bit-vector differential model for the modular addition by an n-bit constant. Our model contains $O ({log}_{2} n)$ basic bit-vector constraints and it is composed of a bit-vector formula that determines whether a differential over the constant addition has non-zero probability, and a bit-vector function that computes the binary logarithm of the differential probability. Our bit-vector model exploits the properties of the carry chain of the modular addition and relies on efficient well-known bit-vector functions, such as the Hamming weight or the bit-reversal, and new bit-vector functions that we have developed for the binary logarithm.

Furthermore, we describe an SMT-based automated method to search for characteristics of ARX ciphers, including constant additions. Our method is composed of an iterated search of optimal characteristics of round-reduced versions of the cipher and an automated encoding technique that formulates the SMT problems from the cipher’s Single Static Assignment (SSA) form. Moreover, we describe a new automated method to search for impossible differentials of ARX ciphers which does not depend on any pre-defined sets of input and output differences.

We have implemented our methods in an SMT-based open-source tool ArxPy,1 which fully automated the search of ARX characteristics and impossible differentials. ArxPy is the first open-source tool that can search for the characteristics of ARX ciphers with constant additions, and it is also the first CSP-based open-source tool that automates the search of ARX impossible differentials. ArxPy offers a simple interface to represent any ARX cipher, different types of characteristics and impossible differentials to search, and a complete documentation.

We have applied our characteristic and impossible-differential search methods to several ARX ciphers containing constant additions to provide some examples. In particular, we have searched for different types of related-key characteristics alongside related-key impossible differentials of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2. With our automated approach, we have revisited results previously found with manual and ad-hoc techniques. We have obtained better characteristics in terms of probability and number of rounds, and longer impossible differentials.

With our bit-vector model for the constant addition, the SMT-based automated methods, and our open-source tool ArxPy, we provide cipher designers with the resources to design ARX ciphers, including constant additions that are secure against differential and impossible-differential attacks. Thus, cipher designers can choose the best constants for the modular additions and optimize the number of rounds to balance security and efficiency.

Differences to the conference version

This paper is an extended full version of the conference paper [3]. Thus, the content of the conference paper is included in this paper, namely the bit-vector differential model for the constant addition, the SMT-based method and tool to search for ARX differential characteristics and the related-key differential characteristics found for TEA, XTEA, HIGHT, and LEA. Apart from this content, the rest of this paper is new material. This new content includes the SMT-based method to search for impossible differentials of ARX ciphers, the tool to search for ARX impossible differentials, the related-key differential characteristics found for SHACAL-1 and SHACAL-2 and the related-key impossible differentials found for TEA, XTEA, HIGHT, LEA, SHACAL-1 and SHACAL-2. Furthermore, this paper enhances the description of the bit-vector differential model of the constant addition with improved proofs and new examples.

Outline

The notations and preliminaries are introduced in Sect. 2, and the bit-vector model for the modular addition by a constant is described in Sect. 3. Section 4 illustrates the formulation of the search of characteristics and impossible differentials as sequences of SMT problems. Section 5 presents the characteristics and impossible differentials found for TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2 using our automated approaches. Finally, Sect. 6 concludes the paper and addresses future works.

Preliminaries

Notations

Let x be an integer such that its n-bit vector representation when $0 \leq x < 2^{n}$ is $x = (x [n - 1], \dots, x [0])$ , where x[0] and $x [n - 1]$ denote respectively the least and the most significant bit. For ease of notation, we define $x [i] = 0$ when $i < 0$ and the symbol $*$ stands for an undetermined bit. The usual integer operations are denoted by $(+, -, \times, /)$ and the basic bit-vector operations are gathered in Table 1.

Table 1.

Basic bit-vector operations for n-bit vectors

x[i, j]	The bit-vector $(x [i], \dots, x [j])$ , $n > i \geq j \geq 0$
$\neg x$	Bit-wise NOT of x
$x ‖ y$	Concatenation of x and y
$x \land y$	Bit-wise AND of x and y
$x \lor y$	Bit-wise OR of x and y
$x \oplus y$	Bit-wise XOR of x and y
$x ≪ i$	(Logical) left shift of x by i bits
$x ≫ i$	Right shift of x by i bits
$x ⋘ i$	Left cyclic rotation of x by i bits
$x ⋙ i$	Right cyclic rotation of x by i bits
$x ⊞ y$	Modular addition of x and y
$x ⊟ y$	Modular subtraction of x and y
$Equals (x, y)$	Bit-vector equality of x and y, returning True
	If x and y are the same, otherwise False

Open in a new tab

A mathematical expression only involving bit-vector variables and basic bit-vector operations is called a bit-vector expression. A bit-vector formula is a bit-vector expression returning $True$ or $False$ , such as $Equals$ , whereas an n-bit vector function is a bit-vector expression returning an n-bit vector. In order to measure the complexity of the bit-vector differential model that we propose in this paper, we define the bit-vector complexity of a bit-vector expression as the number of basic bit-vector operations that the expression is composed of.

In the literature of the bit-vector theory, the set of basic bit-vector operations usually includes the operations gathered in Table 1 and few additional operations, such as modular multiplication or modular division [42]. However, modular multiplication and modular division are much more costly than the other operations in practice, and we have excluded them from our set of basic bit-vector operations, which resembles the unit-cost RAM model used in [47].

Apart from the basic bit-vector operations listed in Table 1, we will also employ the following well-known bit-vector functions: $Carry, Rev, RevCarry, HW$ and $LZ$ . The carry function $c = Carry (x, y)$ returns the n-bit carry chain of the n-bit modular addition $x ⊞ y$ . It is defined iteratively as $c [0] = 0$ and $c [i + 1] = (x [i] \land y [i]) \oplus (x [i] \land c [i]) \oplus (y [i] \land c [i])$ for $0 < i < n - 1$ . Note that the carry has bit-vector complexity O(1), since $Carry (x, y) = x \oplus y \oplus (x ⊞ y)$ . The carry function is an efficient function that allows propagating information from the least significant bits to the most significant bits, a property that we will exploit for our bit-vector differential model.

The bit-reversal function $Rev (x)$ reverses the order of bits of x, i.e., $Rev (x) = (x [0], x [1], \dots, x [n - 1])$ . This function can be computed using a divide and conquer method with bit-vector complexity $O ({log}_{2} n)$ [29, Fig. 7-1]. We will use this function to define the reverse carry, $RevCarry (x, y) = Rev (Carry (Rev (x), Rev (y)))$ , which allows to propagate information from right to left and also has bit-vector complexity $O ({log}_{2} n)$ .

The Hamming weight $HW (x)$ returns an n-bit vector denoting the number of non-zero bits of the n-bit input x. Similar to the bit-reversal, the Hamming weight can be computed using a divide and conquer approach with bit-vector complexity $O ({log}_{2} n)$ [29, Fig. 5-2]. The Hamming weight will be one of the main building blocks to obtain an efficient bit-vector representation of the binary logarithm.

The last bit-vector function we will consider is the leading zeros function $LZ (x)$ . This function marks the leading zeros of an n-bit input x, that is, for $0 \leq i < n$ , $LZ (x) [i] = 1 ⟺ x [n - 1, i] = 0$ . This function is used as a subroutine for the well-known function to compute the number of leading zeros. Similar to the previous bit-vector functions, $LZ$ can be computed with bit-vector complexity $O ({log}_{2} n)$ [29, Fig. 5-16].

Differential and impossible-differential cryptanalysis

A block cipher is a family of permutations parametrized by a $κ$ -bit key k, mapping n-bit plaintexts p to n-bit ciphertexts c. Most block ciphers consist of a key scheduling algorithm $KS$ , which derives round keys $k_{1}, \dots, k_{r}$ from the master key k, and an encryption algorithm $E_{k}$ , which processes the plaintext by iterating a round function f and injecting a round key at each round, i.e., $E_{k} = f_{k_{r}} \circ \dots \circ f_{k_{1}}$ .

Block ciphers are shown to be secure by analysing their resistance against all known attacks. One of the most potent attacks, especially to ARX primitives, is differential cryptanalysis [10]. It exploits the non-random propagation of differences in the input to recover the secret key.

Let F be an n-bit to n-bit function and $(Δ_{p}, Δ_{c})$ be the XOR of a pair of inputs $(p, p^{'})$ and their corresponding outputs $(c, c^{'})$ , i.e., $Δ_{p} = p \oplus p^{'}$ and $Δ_{c} = c \oplus c^{'}$ . The pair $(Δ_{p}, Δ_{c})$ is called a differential and its probability is defined as

\begin{matrix} Pr [Δ_{p}, \overset{F}{\to}, Δ_{c}] = \frac{# {p : F (p) \oplus F (p \oplus Δ_{p}) = Δ_{c}}}{2^{n}} . \end{matrix}

A differential is valid if it has non-zero probability. In this case, its weight is defined as

\begin{matrix} {weight}_{F} (Δ_{p}, Δ_{c}) = - {log}_{2} (Pr [Δ_{p}, \overset{F}{\to}, Δ_{c}]) . \end{matrix}

The differential $0 \overset{F}{\to} 0$ has probability 1 for any function F, and a differential with non-zero input difference over a random n-bit permutation has probability $2^{- n}$ . Differential cryptanalysis [10] exploits a differential over the n-bit block cipher with probability $p > 2^{- n}$ to recover the secret key with roughly $O (p^{- 1})$ encryption calls.

Related-key differential cryptanalysis [34] extends differential cryptanalysis by considering key differences. A related-key differential is given by a pair of differentials over the key schedule and the encryption function respectively,

\begin{matrix} (Δ_{k}, \overset{KS}{\to}, (Δ_{k_{1}}, \dots, Δ_{k_{r}})), (Δ_{p}, \overset{E}{\to}, Δ_{c}), \end{matrix}

where the ciphertext difference is computed using the related round-key pairs,

\begin{matrix} Δ_{c} = (f_{k_{r}} \circ \dots \circ f_{k_{1}}) (p) \oplus (f_{k_{r} \oplus Δ_{k_{r}}} \circ \dots \circ f_{k_{1} \oplus Δ_{k_{1}}}) (p \oplus Δ_{p}) . \end{matrix}

The probability of a related-key differential is the product of the probability of key schedule differential $p_{KS}$ and the probability of encryption differential $p_{E}$ .

A related-key attack exploits a related-key differential with $p_{KS} > 2^{- κ}$ and $p_{E} > 2^{- n}$ to recover the secret key with complexity $O ({(p_{KS} \times p_{E})}^{- 1})$ . The attacker takes about $p_{KS}^{- 1}$ key pairs to find one key, on average, that satisfies the key schedule differential. Next and for each key pair, the attacker runs a differential attack over the encryption using $O (p_{E}^{- 1})$ encryption calls.

Related-key differential cryptanalysis requires a very powerful attacker that can query the encryption function $E_{k \oplus Δ_{k}}$ for many keys $k \oplus Δ_{k}$ . In fact, if an adversary can query $E_{k \oplus Δ_{k}}$ for $2^{m}$ key differences $Δ_{k}$ , any block cipher is vulnerable to a related-key attack with complexity $O (2^{m} + 2^{n - m})$ [74]. Thus, we distinguish between weak related-key differentials (i.e., $p_{KS} < 1$ ) and strong related-key differentials (i.e., $p_{KS} = 1$ ), which can be exploited in practice with a single related-key pair. Furthermore, we define equivalent keys as pairs of related keys $(k, k \oplus Δ_{k})$ such that $\forall p, E_{k} (p) = E_{k \oplus Δ_{k}} (p \oplus Δ_{p}) \oplus Δ_{c}$ , for some $(Δ_{p}, Δ_{c})$ . Note that a related-key differential with $p_{E} = 1$ leads to $2^{κ} p_{KS}$ pairs of equivalent keys.

Lastly, we consider (related-key) impossible differentials. A differential $(Δ_{p}, Δ_{c})$ over a function F is called impossible if its probability is zero, and a related-key differential $(Δ_{k}, Δ_{p} \to Δ_{c})$ over a block cipher is called impossible if its probability is zero for all keys. Impossible-differential cryptanalysis [8] is an attack on block ciphers that exploits an impossible differential over the block cipher holding for every key. Related-key impossible-differential cryptanalysis is a combination of impossible-differential cryptanalysis and related-key cryptanalysis. Using the known difference of the key pairs and the input and the output of the impossible differential, the attacker discards the wrong keys to obtain the correct key.

Searching for characteristics and impossible differentials.

The most challenging step to launch a differential attack is finding a differential with high probability. The main approach is to analyse how differences traverse through the round function and search for a characteristic, that is, a trail of differences

\begin{matrix} Ω = (Δ_{p} = Δ_{x_{0}} \overset{f_{k_{1}}}{\to} Δ_{x_{1}} \to \dots \to Δ_{x_{r - 1}} \overset{f_{k_{r}}}{\to} Δ_{x_{r}} = Δ_{c}) . \end{matrix}

Similar to differentials, a characteristic $Ω$ is valid if it has non-zero probability and its weight is defined as $- {log}_{2} (Pr [Ω])$ . Furthermore, we denote a related-key characteristic by a pair of characteristics $(Ω_{KS}, Ω_{E})$ , where $Ω_{KS}$ is the key schedule characteristic containing the trail of differences from the master key to the round keys and $Ω_{E}$ is the encryption characteristic containing the trail of differences through the encryption.

Obtaining the exact probability of a characteristic is computationally infeasible. Thus, two assumptions are commonly made. First, it is assumed that the differential probabilities over each round are independent, which allows computing the weight of a characteristic by summing the round weights, i.e.,

\begin{matrix} weight (Ω) = \sum_{i = 0}^{r} weight (Δ_{x_{i}} \to Δ_{x_{i + 1}}) . \end{matrix}

Second, it is assumed that the probability of a characteristic does not strongly depend on the choice of the secret key, also known as the hypothesis of stochastic equivalence [44], which allows computing the weight of a characteristic by averaging over all keys.

On top of that, designers also assume that the probability of a differential $(Δ_{p}, Δ_{c})$ is close to the probability of the best characteristic $(Δ_{p} \to \dots \to Δ_{c})$ , and they prove a cipher is secure against differential cryptanalysis by showing that characteristics with high probability cannot cover most rounds of the cipher. While these assumptions do not always hold, currently this is the best systematic approach to argue security against differential cryptanalysis, and this heuristic approach is widely used for ARX ciphers in practice [21, 39, 57, 68–70].

Searching for characteristics is usually dependent on some assumptions, as mentioned earlier. In contrast, the process of obtaining an impossible differential typically results in a sound proof, guaranteeing that the probability of the achieved differential is equal to zero. Therefore, most of the impossible-differential search methods are sound but not complete. In other words, any differential found by these methods is assuredly impossible, yet there may be many impossible differentials that the search methods cannot detect.

SMT solvers

A recent approach to search for characteristics and impossible differentials of ARX ciphers is by formulating the search problem as an SMT problem in the bit-vector theory [2, 39, 48, 57, 65, 68]. Satisfiability Modulo Theories (SMT) refers to the problem of determining whether a first order formula is satisfiable with respect to some logical theory. SMT problems are a generalization of SAT problems; while the latter problems are expressed in propositional logic, SMT formulas can be expressed in richer logics, such as the theory of bit-vectors or the theory of integers.

SMT has grown in recent years into a very active research field, and several off-the-shelf SMT solvers are available nowadays [5]. Most SMT solvers can determine the satisfiability of a problem and obtain an assignment of the variables that satisfies the problem. This feature allows SMT solvers to be applied in search problems.

An SMT problem in the bit-vector theory is given by a set of bit-vector variables and a set of bit-vector formulas or constraints. The constraints can be defined with the usual logical operations (e.g., $Equals, NotEquals, Implies$ , etc.) and the usual bit-vector operations (e.g., $\oplus, ⊞, ⋘$ , etc.).

For example, a bit-vector SMT problem to find an 8-bit preimage of $y = f (x) = x \oplus ((x ⊞ x) \lor 1)$ , given the 8-bit image $y = 3 = 00000011$ , is the following:

\begin{matrix} \exists x \in {0, 1}^{8} : Equals (00000011, x \oplus ((x ⊞ x) \lor 1) . \end{matrix}

This problem is satisfiable and the only assignment that satisfies the problem is $x = 11111110$ .

Differential models

To represent a characteristic in a constraint satisfaction problem, it is necessary to find a differential model of the round function f. For an SMT problem in the bit-vector theory, a differential model of a function $y = f (x)$ is given by a bit-vector formula ${valid}_{f} (Δ_{x}, Δ_{y})$ and a bit-vector function ${weight}_{f} (Δ_{x}, Δ_{y})$ . The formula ${valid}_{f} (Δ_{x}, Δ_{y})$ is True if and only if the differential $(Δ_{x} \to Δ_{y})$ over f is valid, and the function ${weight}_{f} (Δ_{x}, Δ_{y})$ returns the weight of a valid differential $(Δ_{x} \to Δ_{y})$ .

Characteristics over ARX ciphers are usually defined by considering the difference after each ARX operation. The differential models of the XOR and the cyclic rotations are very simple since these operations propagate differences deterministically, that is,

\begin{matrix} \begin{matrix} Δ_{x_{1}}, Δ_{x_{2}} & \overset{f (x_{1}, x_{2}) = x_{1} \oplus x_{2}}{\to} Δ_{x_{1}} \oplus Δ_{x_{2}}, \\ Δ_{x} & \overset{f_{a} (x) = x ⋘ a}{\to} Δ_{x} ⋘ a, \end{matrix} \begin{matrix} Δ_{x} & \overset{f_{a} (x) = x \oplus a}{\to} Δ_{x}, \\ Δ_{x} & \overset{f_{a} (x) = x ⋙ a}{\to} Δ_{x} ⋙ a . \end{matrix} \end{matrix}

For the modular addition with two n-bit inputs, $y = f (x_{1}, x_{2}) = x_{1} ⊞ x_{2}$ , the algorithm by Lipmaa and Moriai [47] can be translated into the following differential model with bit-vector complexity $O ({log}_{2} n)$ .

Theorem 1

Let $((Δ_{x_{1}}, Δ_{x_{2}}), Δ_{y})$ be a differential over the modular addition $y = x_{1} ⊞ x_{2}$ and denote $\overset{\leftarrow}{x} = x ≪ 1$ and $eq (a, b, c) = (\neg a \oplus b) \land (\neg a \oplus c)$ . Then, the differential is valid if and only if the bit-vector formula

\begin{matrix} {valid}_{⊞} ((Δ_{x_{1}}, Δ_{x_{2}}), Δ_{y}) = Equals (0, eq (\overset{\leftarrow}{Δ_{x_{1}}}, \overset{\leftarrow}{Δ_{x_{2}}}, \overset{\leftarrow}{Δ_{y}}) \land (Δ_{x_{1}} \oplus Δ_{x_{2}} \oplus Δ_{y} \oplus \overset{\leftarrow}{Δ_{x_{2}}})) \end{matrix}

is True. In this case, the differential weight is given by the bit-vector function

\begin{matrix} {weight}_{⊞} ((Δ_{x_{1}}, Δ_{x_{2}}), Δ_{y}) = HW (\neg eq (Δ_{x_{1}}, Δ_{x_{2}}, Δ_{y}) ≪ 1) . \end{matrix}

For the modular addition with a constant input $⊞_{a} (x) = x ⊞ a$ , Machado [53] obtained the following algorithm to compute the differential probability [53].

Theorem 2

Let (u, v) be a differential over the n-bit constant addition $⊞_{a}$ . Then, the differential probability is given by

\begin{matrix} Pr [u \overset{⊞_{a}}{\to} v] = φ_{0} \times \dots \times φ_{n - 1}, \end{matrix}

where $φ_{i}$ depends on the $δ_{i - 1}$ and $S_{i}$ , each one defined for $0 \leq i < n$ by

\begin{matrix} S_{i} & = (u [i - 1], v [i - 1], u [i] \oplus v [i]), \\ δ_{i} & = \{\begin{matrix} (a [i - 1] + δ_{i - 1}) / 2, & S_{i} = 000 \\ 0, & S_{i} = 001 \\ a [i - 1], & S_{i} \in {010, 100, 110} \\ δ_{i - 1}, & S_{i} \in {011, 101} \\ 1 / 2, & S_{i} = 111 \end{matrix}) \\ φ_{i} & = \{\begin{matrix} 1, & S_{i} = 000 \\ 0, & S_{i} = 001 \\ 1 / 2, & S_{i} \in {010, 011, 100, 101} \\ 1 - (a [i - 1] + δ_{i - 1} - 2 a [i - 1] δ_{i - 1}), & S_{i} = 110 \\ (a [i - 1] + δ_{i - 1} - 2 a [i - 1] δ_{i - 1}), & S_{i} = 111, \end{matrix}) \end{matrix}

For $i = - 1$ , $S_{i}$ and $δ_{i}$ are defined by $S_{- 1} = ⊥$ and $δ_{- 1} = 0$ .

Unfortunately, the algorithm illustrated in Theorem 2 is not suitable for constraint satisfaction problems due to its recursive nature and the use of floating-point arithmetic.

Some authors [46, Corollary 2] [4] have adapted the differential model of the 2-input addition (i.e., the modular addition with two independent inputs) for the constant addition by setting the difference of the second operand to zero, that is,

\begin{matrix} \begin{matrix} {valid}_{⊞_{a}} (Δ_{x}, Δ_{y}) & \leftarrow {valid}_{⊞} ((Δ_{x}, 0), Δ_{y}), \\ {weight}_{⊞_{a}} (Δ_{x}, Δ_{y}) & \leftarrow {weight}_{⊞} ((Δ_{x}, 0), Δ_{y}) . \end{matrix} \end{matrix}

The approximation given by Eq. (1) models the differential $(Δ_{x} \overset{⊞_{a}}{\to} Δ_{y})$ by averaging over all a. While this approach can be used to model the constant addition by a round key, since the characteristic probability is also computed by averaging over all keys, for a fixed constant this approach is rather inaccurate.

Surprisingly, the differential properties of the 2-input addition and the constant addition are very different. The 2-input addition was shown to be CCZ-equivalent to a quadratic function [67], that is, the differential properties of the 2-input addition are the same as some quadratic functions. In particular, the set of inputs $(x_{1}, x_{2})$ satisfying a differential $((Δ_{x_{1}}, Δ_{x_{2}}) \to Δ_{y})$ over the 2-input addition forms a subspace of $F_{2}^{n}$ , which allows to describe its differential model using few basic operations.

On the other hand, the constant addition is not CCZ-equivalent to a quadratic function, since the set of inputs $(x_{1}, x_{2})$ satisfying a differential $(Δ_{x}, Δ_{y})$ over $⊞_{a}$ does not form a subspace for many a. In other words, the probability of a differential over the constant addition is not necessarily of the form $2^{- α}$ for a positive integer $α$ , and finding a differential model for the constant input addition is a much harder problem.

We experimentally checked the accuracy of the approximation given by Eq. (1) for 8-bit constants a. For most values of a, validity formulas differ roughly in $2^{13}$ out of all $2^{16}$ differentials. For those differentials where they did not differ, the difference between their weights was significantly high on average.

Consequently, no differential model of the constant addition suitable for constraint satisfaction problems has been proposed so far. In the next section, we present the first differential model of the constant addition for SMT problems in the bit-vector theory.

Bit-vector differential model of the constant addition

We present a bit-vector differential model of the constant addition, composed of a bit-vector formula to determine whether a given differential is valid and a bit-vector function that computes the weight of the valid differential. Our model takes benefit from Theorem 2 [53]; however, we avoid bit iterations, floating-point arithmetic, multiplications and look-up tables, in order to obtain efficient bit-vector constraints to be used in bit-vector SMT problems.

Before we illustrate our model, we remark an essential property of Theorem 2. When the state $S_{i}$ is not $110$ or $111$ , the probability of the step i, $φ_{i}$ , depends exclusively on $S_{i}$ ; otherwise, $φ_{i}$ depends on $S_{i}$ and $δ_{i - 1}$ . When $S_{i} = 11 *$ , $S_{i - 1} \in {010, 100, 110, 000}$ and for the first three cases, $δ_{i - 1}$ is equal to $a [i - 2]$ . However, considering the forth case, i.e., $S_{i - 1} = 000$ , $δ_{i - 1}$ depends on $δ_{i - 2}$ and this dependency will proceed until we obtain a state $S_{i - ℓ_{i}} \neq 000$ for some positive integer $ℓ_{i}$ . Thus, $δ_{i - 1}$ has the following expression when $S_{i} = 11 *$ ,

\begin{matrix} δ_{i - 1} = \frac{a [i - ℓ_{i} - 1]}{2^{ℓ_{i} - 1}} + \sum_{j = 2}^{ℓ_{i}} \frac{a [i - j]}{2^{j - 1}} . \end{matrix}

Therefore, when $S_{i} = 11 *$ , $φ_{i}$ also depends on the previous states $S_{i - 1}, \dots, S_{i - ℓ_{i}}$ , which motivates the following definition.

Definition 1

Let $S_{i} = 11 *$ . The chain $Γ_{i}$ is defined as the smallest set of previous states ${S_{i - 1}, S_{i - 2}, \dots, S_{i - ℓ_{i}}}$ that completely determine $φ_{i}$ , and the positive integer $ℓ_{i}$ is called the length of $Γ_{i}$ .

Given a chain $Γ_{i} = {S_{i - 1}, S_{i - 2}, \dots, S_{i - ℓ_{i}}}$ , note that $S_{i - ℓ_{i}} \neq 000$ and the remaining states in the chain (if any) are all equal to $000$ .

In the next example, we illustrate how to calculate the differential probability using the iterative method of Theorem 2 and we learn more about the intermediate variables used for obtaining the probability.

Example 1

Consider the differential $(u, v) = (1010001110, 1010001010)$ over the modular addition by the 10-bit constant $a = 1000101110$ . According to Theorem 2, the differential probability of (u, v) is given by

\begin{matrix} Pr [u \overset{⊞_{a}}{\to} v] = \frac{# {x : (x ⊞_{a}) \oplus ((x \oplus u) ⊞_{a}) = v}}{2^{10}} = \prod_{i = 0}^{9} φ_{i} . \end{matrix}

Table 2 displays the variables we need to compute to obtain the differential probability. As we mentioned earlier, if $S_{i} = (u_{i - 1}, v_{i - 1}, u_{i} \oplus v_{i}) \neq 11 *$ , each $φ_{i}$ can be computed in a straightforward way without any further dependencies of previous states.

Table 2.

The intermediate variables for finding the differential probability of Example 1

i	9	8	7	6	5	4	3	2	1	0	$- 1$
a[i]	1	0	0	0	1	0	1	1	1	0	0
u[i]	1	0	1	0	0	0	1	1	1	0	0
v[i]	1	0	1	0	0	0	1	0	1	0	0
$S_{i}$	$000$	$110$	$000$	$000$	$000$	$110$	$100$	$111$	$000$	$000$	$⊥$
$δ_{i}$	0	0	$\frac{3}{8}$	$\frac{3}{4}$	$\frac{1}{2}$	1	1	$\frac{1}{2}$	0	0	0
$φ_{i}$	1	$\frac{5}{8}$	1	1	1	1	$\frac{1}{2}$	1	1	1

Open in a new tab

For the remaining states equal to $110$ or $111$ , we first obtain their associated chains as

\begin{matrix} S_{2} & = 111, Γ_{2} = {S_{1} = 000, S_{0} = 000, S_{- 1} = ⊥}, ℓ_{2} = 3, \\ S_{4} & = 110, Γ_{4} = {S_{3} = 100}, ℓ_{4} = 1, \\ S_{8} & = 110, Γ_{8} = {S_{7} = 000, S_{6} = 000, S_{5} = 000, S_{4} = 110}, ℓ_{8} = 4 . \end{matrix}

Then, we compute the associated $δ_{i - 1}$ using Eq. (2), and finally we obtain $φ_{i}$ from the values of $a [i - 1]$ and the computed $δ_{i - 1}$ .

Multiplying each $φ_{i}$ listed in Table 2 leads to the differential probability,

\begin{matrix} Pr [u, \overset{⊞_{a}}{\to}, v] = \prod_{i = 0}^{9} φ_{i} = \frac{5}{16} . \end{matrix}

Validity

Let (u, v) be a differential over $⊞_{a}$ , the modular addition by n-bit constant a. According to Theorem 2, the differential probability of (u, v) can be expressed as $φ_{0} \times \dots \times φ_{n - 1}$ . Thus, (u, v) is a valid differential, i.e., with non-zero probability, if and only if all $φ_{i}$ are non-zero. If $φ_{i} = 0$ , note that $S_{i}$ must be $001, 110$ or $111$ . While $S_{i} = 001$ always implies $φ_{i} = 0$ , the other two cases require an extra condition to result in $φ_{i} = 0$ , as shown in the next lemma.

Lemma 1

Let the state $S_{i}$ be $11 b$ , for $b \in {0, 1}$ . Then, $φ_{i}$ is equal to 0 if and only if $\neg b \oplus a [i - 1] = a [i - 2] = \dots = a [i - ℓ_{i} - 1] .$

Proof

Having $S_{i} = 11 b$ , $φ_{i} = 0$ if and only if $\neg b = δ_{i - 1} \oplus a [i - 1]$ . Let $ℓ_{i}$ be the chain length of $S_{i}$ . The case for $ℓ_{i} = 1$ is trivial, since $δ_{i - 1} = a [i - 2]$ . To achieve $δ_{i - 1} = a [i - 1] \oplus \neg b$ when $ℓ_{i} > 1$ , the non-negative rational number $δ_{i - 1}$ must be equal to 0 or 1. Since $δ_{i - 1}$ is a monotonically increasing function of $(a [i - 2], \dots, a [i - ℓ_{i} - 1])$ regarding Eq. (2), $δ_{i - 1}$ reaches its extrema in $(0, \dots, 0)$ and $(1, \dots, 1)$ , that is,

\begin{matrix} δ_{i - 1} = c ⟺ a [i - 2] = a [i - 3] = \dots = a [i - ℓ_{i} - 1] = c, \forall c \in {0, 1}, \end{matrix}

Thus, $δ_{i - 1} = a [i - 1] \oplus \neg b ⟺ δ_{i - 1} = a [i - 2] = \dots = a [i - ℓ_{i}]$ . $□$

The next lemma provides a bit-vector expression to check Lemma 1 by exploiting the fact that the carry chain allows a bit to affect the bits to its left.

Lemma 2

Consider the following n-bit values,

\begin{matrix} s_{00 *} & = \neg (u ≪ 1) \land \neg (v ≪ 1), s_{* * 1} = u \oplus v, a^{'} = (a \oplus (a ≪ 1)) ≪ 1, \\ c & = Carry (s_{00 *} \land \neg a^{'}, \neg (s_{00 *} ≪ 1)), g = (s_{* * 1} \oplus a^{'}) \land (c \lor \neg (s_{00 *} ≪ 1)) . \end{matrix}

Then, for all states $S_{i} = 11 *$ , we have $φ_{i} = 0$ if and only if $g [i] = 1$ .

Proof

Let $S_{i} = 11 b$ with chain length $ℓ_{i}$ . Note that $a^{'} [i] = a [i - 1] \oplus a [i - 2]$ and that $s_{00 *} [i] = 1$ (resp. $s_{* * 1} [i] = 1$ ) if and only if $S_{i} = 00 *$ (resp. $S_{i} = * * 1$ ).

The first operand of g[i], i.e., $(s_{* * 1} \oplus a^{'}) [i]$ , is equal to one if and only if $b = \neg (a [i - 1] \oplus a [i - 2])$ . For $ℓ_{i} = 1$ it is easy to see that $S_{i - 1} \neq 00 *$ ; therefore, the second operand of g[i] is 1, and by Lemma 1 $g [i] = 1$ if and only if $φ_{i} = 0$ .

When $ℓ_{i} > 1$ , $S_{i - 1} = 000$ and the second major operand of g[i] reduces to c. In particular, the two major operands of the $Carry$ function of c are given by

\begin{matrix} (s_{00 *} \land \neg a^{'}) [i, i - ℓ_{i}] & = (\neg (a [i - 1] \oplus a [i - 2]), \dots, \neg (a [i - ℓ_{i}] \oplus a [i - ℓ_{i} - 1]), 0), \\ \neg (s_{00 *} ≪ 1) [i, i - ℓ_{i}] & = (0, \dots, 0, 1, *) . \end{matrix}

Thus, $c [i] = c [i - 1] \land \neg a^{'} [i - 1]$ and $c [i - ℓ_{i} + 1] = c [i - ℓ_{i}] \land \neg s_{00 *} [i - ℓ_{i} - 1] = 0$ ; otherwise, for $0 \leq j \leq i - ℓ_{i} - 1$ we will obtain $s_{00 *} [j] = 0$ which does not conform to $S_{0} = 00 *$ . By unrolling the recursive definition of c[i], we see that $c [i] = \neg a^{'} [i - 1] \land \dots \land \neg a^{'} [i - ℓ_{i} + 1]$ . In other words, $c [i] = 1$ if and only if $a [i - 2] = \dots = a [i - ℓ_{i} - 1]$ . Together with the condition for $(s_{* * 1} \oplus a^{'}) [i] = 1$ , we have that $g [i] = 1$ exactly when $φ_{i} = 0$ , regarding Lemma 1. $□$

Lemma 2 provides a bit-vector variable g that detects the states $S_{i} = 11 *$ leading to invalidity. The next theorem presents the final bit-vector formula for the validity by taking into account the states $S_{i} = 001$ as well.

Theorem 3

Let (u, v) be a differential over the n-bit constant addition $⊞_{a}$ . Consider the n-bit value g defined in Lemma 2 and the following n-bit values

\begin{matrix} s_{001} = \neg (u ≪ 1) \land \neg (v ≪ 1) \land (u \oplus v), s_{11 *} = (u ≪ 1) \land (v ≪ 1) . \end{matrix}

Then, the bit-vector formula ${valid}_{⊞_{a}} (u, v) = Equals (s_{001} \lor (s_{11 *} \land g), 0)$ is True if and only if the differential (u, v) is valid.

Proof

By the definition of $s_{001}$ and $s_{11 *}$ , $s_{001} [i] = 1$ (respectively $s_{11 *} [i] = 1$ ) if and only if $S_{i} = 001$ (respectively $S_{i} = 11 *$ ). Moreover, $φ_{i} = 0$ exactly when $S_{i} = 001$ , or when $S_{i} = 11 *$ and $g [i] = 1$ (Lemma 2). Thus, $φ_{i} = 0$ if and only if $s_{001} \lor (s_{11 *} \land g) [i] = 1$ . $□$

Since the number of basic bit-vector operations of our bit-vector validity formula is independent of the bit-size of the inputs, the bit-vector complexity of ${valid}_{⊞_{a}}$ is O(1).

Example 2

Consider the valid differential of Example 1, i.e. $a = 1000101110$ , $u = 1010001110$ , and $v = 1010001010$ . Previously, we showed that its differential probability is non-zero and equal to 5/16. In this example, we will illustrate our bit-vector validity formula step by step.

Table 3 provides some of the essential bit-vector values used in Theorem 3. Since there is no state equal to $001$ , $s_{001}$ is the all-zero bit-vector. As we have shown in Example 1, there are three states equal to $11 *$ , and the associated bit of $s_{11 *}$ is equal to one in the corresponding bits. In this example, no state $11 *$ leads to invalidity, and g is equal to the all-zero bit-vector. Thus, $s_{001} [i] \lor (s_{11 *} [i] \land g [i]) = 0$ for all i, and our validity formula

\begin{matrix} {valid}_{⊞_{a}} (u, v) = Equals (s_{001} \lor (s_{11 *} \land g), 0) \end{matrix}

evaluates to True.

Table 3.

The intermediate variables for evaluating the bit-vector validity formula of Example 2

i	9	8	7	5	4	3	2	1
a[i]	1	0	0	1	0	1	1	1
u[i]	1	0	1	0	0	1	1	1
v[i]	1	0	1	0	0	1	0	1
g[i]	0	0	0	0	0	0	0	0
$s_{11 *} [i]$	0	1	0	0	1	0	1	0
$s_{001} [i]$	0	0	0	0	0	0	0	0

Open in a new tab

Weight of a valid differential

In this section, we propose a bit-vector function that computes the weight of a valid differential over the constant addition. Working with differential weights has the advantage that multiple differential weights can be combined by adding them up, while probabilities need to be multiplied, a very costly operation in a bit-vector SMT problem.

The weight of a valid differential over the constant addition is an irrational value in general, and it cannot be represented as a fixed-sized bit-vector. Thus, our bit-vector function computes a close approximation of the weight, and we provide almost tight bounds for the approximation error.

Through the rest of the section, let (u, v) be a valid differential over the n-bit constant addition $⊞_{a}$ . According to Theorem 2, the weight can be obtained by

\begin{matrix} {weight}_{⊞_{a}} (u, v) = - {log}_{2} (\prod_{i = 0}^{n - 1}, φ_{i}) = - \sum_{i = 0}^{n - 1} {log}_{2} (φ_{i}) . \end{matrix}

Let $I$ denote the set of indices corresponding to the states $11 *$ with chain length bigger than one, i.e., $I = {1 \leq i \leq n - 1 | S_{i} = 11 *, ℓ_{i} > 1}$ . For $i \notin I$ , the probability $φ_{i}$ only depends on the current state $S_{i}$ and $φ_{i}$ is either 1 or 1/2. Based on the aforementioned fact, we show how to acquire the summation of all ${log}_{2} (φ_{i})$ when $i \notin I$ using bit-vector expressions.

Lemma 3

Let $I = {1 \leq i \leq n - 1 | S_{i} = 11 *, ℓ_{i} > 1}$ . Then,

\begin{matrix} - \sum_{i \notin I} {log}_{2} (φ_{i}) = HW ((u \oplus v) ≪ 1) . \end{matrix}

Proof

To prove the lemma, we divide the set ${i | i \notin I}$ into two parts as ${i | S_{i} \neq 11 *}$ and ${i | S_{i} = 11 *, ℓ_{i} = 1}$ . For each state $S_{i} \neq 11 *$ , there are two possible cases. If $S_{i}$ is equal to $000$ , the corresponding step probability is $φ_{i} = 1$ . Otherwise, $S_{i} \in {010, 011, 100, 101}$ and we obtain $φ_{i} = 1 / 2$ . Considering these two cases leads to

\begin{matrix} \sum_{\begin{matrix} i \\ S_{i} \neq 11 * \end{matrix}} {log}_{2} (φ_{i}) & = \sum_{\begin{matrix} i \\ S_{i} = 000 \end{matrix}} {log}_{2} (1) + \sum_{\begin{matrix} i \\ S_{i} \in {010, 011, 100, 101} \end{matrix}} {log}_{2} (1 / 2), \\ = - # {S_{i} \in {010, 011, 100, 101} : 0 \leq i < n} . \end{matrix}

Since the second case $S_{i} \in {010, 011, 100, 101}$ occurs when $u [i - 1] \oplus v [i - 1] = 1$ , we can use $HW ((u \oplus v) ≪ 1)$ to compute the number of times this case happens.

Now for $S_{i} = 11 *$ when $ℓ_{i} = 1$ , we know that $δ_{i - 1} = a [i - 2] \in {0, 1}$ . Since the probability is not equal to zero, we obtain $φ_{i} = 1$ . Thus we get

\begin{matrix} \sum_{\begin{matrix} i \\ S_{i} = 11 * \\ ℓ_{i} = 1 \end{matrix}} {log}_{2} (φ_{i}) = 0 . \end{matrix}

By and large, the sum of ${log}_{2} (φ_{i})$ when $i \notin I$ is

\begin{matrix} \sum_{i \notin I} {log}_{2} (φ_{i}) = \sum_{\begin{matrix} i \\ S_{i} \neq 11 * \end{matrix}} {log}_{2} (φ_{i}) + \sum_{\begin{matrix} i \\ S_{i} = 11 * \\ ℓ_{i} = 1 \end{matrix}} {log}_{2} (φ_{i}) = - HW ((u \oplus v) ≪ 1) . \end{matrix}

$□$

Lemma 3 describes the sum of ${log}_{2} (φ_{i})$ when $i \notin I$ as a bit-vector expression with complexity $O ({log}_{2} n)$ . To describe the logarithmic summation when $i \in I$ as a bit-vector, we will first show how to split $φ_{i}$ as the quotient of two integers.

Lemma 4

Let $i \in I$ and let $p_{i}$ be the positive integer defined by

\begin{matrix} p_{i} = \{\begin{matrix} a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1], u [i] \oplus v [i] \oplus a [i - 1] = 1 \\ 2^{ℓ_{i} - 1} - (a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1]), u [i] \oplus v [i] \oplus a [i - 1] = 0 \end{matrix}) \end{matrix}

where $ℓ_{i} > 1$ is the chain length of the state $S_{i} = 11 *$ . Then, $φ_{i} = \frac{p_{i}}{2^{ℓ_{i} - 1}}$ .

Proof

Considering the definition of $φ_{i}$ when $S_{i} = 11 *$ ,

\begin{matrix} φ_{i} = \{\begin{matrix} δ_{i - 1}, & u [i] \oplus v [i] \oplus a [i - 1] = 1 \\ 1 - δ_{i - 1}, & u [i] \oplus v [i] \oplus a [i - 1] = 0 \end{matrix}) \end{matrix}

and following the definition of $δ_{i - 1}$ given by Eq. (2),

\begin{matrix} 2^{ℓ_{i} - 1} δ_{i} = \sum_{j = 0}^{ℓ_{i} - 2} 2^{j} a [i - ℓ_{i} + j] + a [i - ℓ_{i} - 1] = a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1], \end{matrix}

we obtain that $φ_{i} = p_{i} / 2^{ℓ_{i} - 1}$ . Moreover, having $0 < φ_{i} \leq 1$ and $ℓ_{i} > 1$ results in $0 < p_{i} \leq 2^{ℓ_{i} - 1}$ . Thus, $p_{i}$ is always a positive integer. $□$

Due to Lemma 4, we can decompose the logarithmic summation over $I$ as

\begin{matrix} \sum_{i \in I} {log}_{2} (φ_{i}) = \sum_{i \in I} {log}_{2} (p_{i}) - \sum_{i \in I} (ℓ_{i} - 1) . \end{matrix}

The next lemma shows how to describe the summation involving the chain lengths with basic bit-vector operations.

Lemma 5

Consider the n-bit vector $s_{000} = \neg (u ≪ 1) \land \neg (v ≪ 1)$ . Then,

\begin{matrix} \sum_{i \in I} (ℓ_{i} - 1) = HW (s_{000} \land \neg LZ (\neg s_{000})) . \end{matrix}

Proof

Recall that there are exactly $(ℓ_{i} - 1)$ states in each chain $Γ_{i}$ such that

\begin{matrix} S_{i - 1} = S_{i - 2} = \dots = S_{i - (ℓ_{i} - 1)} = 000 . \end{matrix}

Therefore, we have $\sum_{i \in I} (ℓ_{i} - 1) = # {S_{j} | S_{j} = 000 and \exists i \in I s . t . S_{j} \in Γ_{i}} .$ When $S_{j} = 000$ , the next state $S_{j + 1}$ will be a member of the set ${000, 11 *}$ . As a result, it is easy to see that for an arbitrary j, if $S_{j}$ is equal to $000$ , then either $S_{j}$ is included in some chain $Γ_{i}, i \in I$ , or $S_{j}$ belongs to the set $Γ^{'}$ defined by

\begin{matrix} Γ^{'} = {S_{n - 1} = 000, \dots, S_{n - k} = 000}, \end{matrix}

for some $k > 0$ , where $S_{n - k - 1} \neq 000$ . Concerning Definition 1, one can observe that $Γ^{'}$ is not a chain. Therefore, $\sum_{i \in I} (ℓ_{i} - 1) = # {S_{j} | S_{j} = 000 and S_{j} \notin Γ^{'}}$ .

Since we are assuming that the differential is valid, there are no states $S_{j} = 001$ , and $s_{000} [j] = 1$ if and only if $S_{j} = 000$ . On the other hand, the function $LZ$ can be used to detect the states from the set $Γ^{'}$ . In particular, $LZ (\neg s_{000}) [i]$ is equal to $1$ if and only if $S_{i} \in Γ^{'}$ . Therefore, we obtain

\begin{matrix} \sum_{i \in I} (ℓ_{i} - 1) = HW (s_{000} \land (\neg LZ (\neg s_{000}))) . \end{matrix}

$□$

Representing the sum of ${log}_{2} (p_{i})$ by a bit-vector expression is the most complex and challenging part of our differential model. Thus, we will proceed in several steps. First, we will show how to obtain a bit-vector w that contains all the $p_{i}$ as some sub-vectors.

Lemma 6

Consider the following n-bit values,

\begin{matrix} s_{000} = \neg (u ≪ 1) \land \neg (v ≪ 1), & s_{000}^{'} = s_{000} \land \neg LZ (\neg s_{000}), \\ t = \neg s_{000}^{'} \land (s_{000}^{'} ≫ 1), & t^{'} = s_{000}^{'} \land (\neg (s_{000}^{'} ≫ 1)), \\ s = ((a ≪ 1) \land t) ⊞ (a \land (s_{000}^{'} ≫ 1)), & q = ((\neg ((a ≪ 1) \oplus u \oplus v)) ≫ 1) \land t^{'}, \\ d = RevCarry (s_{000}^{'}, q) \lor q, & w = (q ⊟ (s \land d)) \lor (s \land \neg d) . \end{matrix}

Then, for all states $S_{i} = 11 *$ with $i \in I$ , $w [i - 1, i - ℓ_{i}] = p_{i}$ .

Proof

For each $i \in I$ and $0 \leq j < n$ , note that $s_{000}^{'} [j] = 1$ exactly when $S_{j} = 000$ and $S_{j} \in Γ_{i}$ , and $t [j] = 1$ (resp. $t^{'} [j] = 1$ ) if and only if $S_{j} = S_{i - ℓ_{i}}$ (resp. $S_{j} = S_{i - 1}$ ). Denoting $s = s_{1} ⊞ s_{2}$ , where $s_{1} = (a ≪ 1) \land t$ and $s_{2} = a \land (s_{000}^{'} ≫ 1)$ , when $i \in I$ the sub-vectors

\begin{matrix} \begin{matrix} s_{1} [i - 1, i - ℓ_{i} - 1] & = & (0, & 0, & \dots, & 0, & a [i - ℓ_{i} - 1], & 0), \\ s_{2} [i - 1, i - ℓ_{i} - 1] & = & (0, & a [i - 2], & \dots, & a [i - ℓ_{i} + 1], & a [i - ℓ_{i}], & 0), \end{matrix} \end{matrix}

result in $s [i - 1, i - ℓ_{i}] = a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1]$ . In particular, $s [i - 1, i - ℓ_{i}] \leq 2^{ℓ_{i} - 1}$ and the equality holds when $s [i - 1, i - ℓ_{i}] = 10 \dots 0$ .

It is easy to see that $q [i - 1] = \neg (a [i - 2] \oplus u [i - 1] \oplus v [i - 1])$ when $i \in I$ and q is zero elsewhere. Then, the sub-vectors $d [i - 1, i - ℓ_{i}]$ are composed of repeated copies of $q [i - 1]$ when $i \in I$ , as shown by the following sub-vectors

\begin{matrix} \begin{matrix} s_{000}^{'} [i, i - ℓ_{i} - 1] & = & (0, & 1, & 1, & \dots, & 1, & 0, & *), \\ q [i, i - ℓ_{i} - 1] & = & (0, & q [i - 1], & 0, & \dots, & 0, & 0, & *), \\ RevCarry (s_{000}^{'}, q) [i, i - ℓ_{i} - 1] & = & (*, & 0, & q [i - 1], & \dots, & q [i - 1], & q [i - 1], & 0), \\ d [i, i - ℓ_{i} - 1] & = & (*, & q [i - 1], & q [i - 1], & \dots, & q [i - 1], & q [i - 1], & *) . \end{matrix} \end{matrix}

The only exception for the above equations is when $i - ℓ_{i} = - 1$ , where the two least significant bits of the above sub-vectors will be equal to zero.

Let $w = w_{1} \land w_{2}$ , where $w_{1} = q ⊟ (s \land d)$ and $w_{2} = s \land \neg d$ . Regarding the acquired patterns for q and d, we prove the following inequalities for $i \in I$

\begin{matrix} (s \land d) [i - 1, i - ℓ_{i}] & \leq q [i - 1, i - ℓ_{i}], \\ (s \land d) [i - ℓ_{i} - 1, 0] & \leq q [i - ℓ_{i} - 1, 0], \end{matrix}

which imply the identity $w_{1} [i - 1, i - ℓ_{i}] = q [i - 1, i - ℓ_{i}] ⊟ (s \land d) [i - 1, i - ℓ_{i}]$ .

The first inequality can be derived from the fact that $s [i - 1, i - ℓ_{i}] \leq 10 \dots 0$ . For the second inequality, consider the index set $J = {j | \forall i \in I, S_{j} \notin Γ_{i}}$ . Then, the second inequality holds since for $j \in J$ and $c \in {0, 1}$ we can see that

\begin{matrix} s_{000}^{'} [j + 1 - c] = 0 \Rightarrow s_{1} [j - c] = s_{2} [j - c] = 0 . \end{matrix}

We are now ready to evaluate $w [i - 1, i - ℓ_{i}]$ when $i \in I$ . If $q [i - 1] = 0$ , then $d [i - 1, i - ℓ_{i}] = (0, \dots, 0)$ , $w_{1} [i - 1, i - ℓ_{i}]$ reduces to 0, and

\begin{matrix} w [i - 1, i - ℓ_{i}] = w_{2} [i - 1, i - ℓ_{i}] = a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1] . \end{matrix}

If $q [i - 1] = 1$ , then $d [i - 1, i - ℓ_{i}] = (1, \dots, 1)$ , $w_{2} [i - 1, i - ℓ_{i}]$ reduces to 0, and

\begin{matrix} w [i - 1, i - ℓ_{i}] & = w_{1} [i - 1, i - ℓ_{i}] = (1, 0, \dots, 0) ⊟ s [i - 1, i - ℓ_{i}] \\ = 2^{ℓ_{i} - 1} - (a [i - 2, i - ℓ_{i}] + a [i - ℓ_{i} - 1]) . \end{matrix}

Hence, for $q [i - 1] = \neg (a [i - 1] \oplus u [i] \oplus v [i])$ and regarding Lemma 4, we obtain that $w [i - 1, i - ℓ_{i}] = p_{i}$ . $□$

Recall that both $LZ$ and $RevCarry$ have bit-vector complexity $O ({log}_{2} n)$ . Therefore, w can be described with $O ({log}_{2} n)$ basic bit-vector operations.

Since $p_{i}$ is not always a power of two, ${log}_{2} (p_{i})$ cannot be represented by a fixed-sized bit-vector. Thus, we will use the following approximation for the binary logarithm of a positive integer x,

\begin{matrix} {apxlog}_{2} (x) ≜ m + \frac{Truncate (x [m - 1, 0])}{2^{4}}, \end{matrix}

where $m = ⌊ {log}_{2} (x) ⌋$ and $Truncate (z)$ for an m-bit vector z is defined by

\begin{matrix} Truncate (z) = \{\begin{matrix} z [m - 1, m - 4], & m \geq 4 \\ z [m - 1, 0] ‖ (\overset{4 - m}{\overset{⏞}{0, \dots, 0}}), & m < 4 \end{matrix}) \end{matrix}

In other words, ${apxlog}_{2}$ includes the integer part of the logarithm and takes the four bits right after the most significant one as the “fraction” bits. While $Truncate$ can be generalized to consider more fraction bits, we will show later that four fraction bits are enough to minimize the bounds of our approximation error.

To describe $\sum_{i \in I} {apxlog}_{2} (p_{i})$ with basic bit-vector operations, we will introduce in the next proposition two new bit-vector functions $ParallelLog$ and $ParallelTrunc$ . Given a bit-vector x with sub-vectors delimited by a bit-vector y, $ParallelLog (x, y)$ computes the sum of the integer part of the logarithm of the delimited sub-vectors, whereas $ParallelTrunc (x, y)$ calculates the sum of the four most significant bits of the delimited sub-vectors.

Proposition 1

Let x and y be n-bit vectors such that y has r sub-vectors

\begin{matrix} y [i_{t}, j_{t}] = (1, 1, \dots, 1, 0), t = 1, \dots, r \end{matrix}

where $i_{1} > j_{1} > i_{2} > j_{2} > \dots > i_{r} > j_{r} \geq 0$ , and y is equal to zero elsewhere.

We define the bit-vector functions $ParallelLog$ and $ParallelTrunc$ by

where $z_{λ} = x \land (y ≫ 0) \land \dots \land (y ≫ λ) \land \neg (y ≫ (λ + 1))$ .

If $x [i_{t}, j_{t}] > 0$ for $t = 1, \dots, r$ , then
$\begin{matrix} \sum_{t = 1}^{r} ⌊ {log}_{2} (x [i_{t}, j_{t}]) ⌋ = ParallelLog (x, y) . \end{matrix}$
If at least $⌊ {log}_{2} (n) ⌋ + 4$ bits are dedicated to $ParallelTrunc (x, y)$ , then
$\begin{matrix} \sum_{t = 1}^{r} Truncate (x [i_{t}, j_{t} + 1]) = ParallelTrunc (x, y) . \end{matrix}$

Proof

Case (a) Let $m = ⌊ {log}_{2} (x [i_{1}, j_{1}]) ⌋$ and $c = RevCarry (x \land y, y)$ . Note that $c [n - 1, i_{1}] = 0$ , since $y [n - 1, i_{1} + 1] = 0$ . For $m \geq 1$ , we obtain the sub-vectors

\begin{matrix} \begin{matrix} i_{1}, & \dots, & j_{1} + m + 1, & j_{1} + m, & j_{1} + m - 1, & \dots, & j_{1} + 1, & j_{1}, & j_{1} - 1 \\ y [i_{1}, j_{1} - 1] & = & (1, & \dots, & 1, & 1, & 1, & \dots, & 1, & 0, & *), \\ (x \land y) [i_{1}, j_{1} - 1] & = & (0, & \dots, & 0, & 1, & *, & \dots, & *, & 0, & *), \\ c [i_{1}, j_{1} - 1] & = & (0, & \dots, & 0, & 0, & 1, & \dots, & 1, & 1, & 0) . \end{matrix} \end{matrix}

In particular, $c [i_{1}, j_{1}]$ has m bits set to one. If $m = 0$ , $x [i_{1}, j_{1} + 1] = 0$ and $y [j_{1}] = 0$ , which implies that there is no carry chain, i.e., $c [i_{1}, j_{1}] = 0$ . Therefore, in both cases $HW (c) [i_{1}, j_{1}]) = m = ⌊ {log}_{2} (x [i_{1}, j_{1}]) ⌋$ .

Note that the reversed carry chain stops at $j_{1}$ , and $c [j_{1} - 1, i_{2}] = 0 \dots 0$ . Therefore, the same argument can be applied for $t = 2, \dots, r$ , obtaining

\begin{matrix} HW (c [i_{t}, j_{t}]) = ⌊ {log}_{2} (x [i_{t}, j_{t}]) ⌋, c [j_{t} - 1, i_{t + 1}] = 0 . \end{matrix}

Finally, it is easy to see that $c [j_{r} - 1, 0] = 0$ , concluding the proof for this case.

Case (b) First note that for $λ = 0, \dots, 3$ and $t = 1, \dots, r$ , the variable $z_{λ}$ is

\begin{matrix} z_{λ} [i] = \{\begin{matrix} x [i], & if i = i_{t} - λ > j_{t} \\ 0, & otherwise \end{matrix}) \end{matrix}

Therefore, the Hamming weight of $z_{λ}$ computes the following summation:

\begin{matrix} HW (z_{λ}) = \sum_{\begin{matrix} t \\ i_{t} - λ > j_{t} \end{matrix}} x [i_{t} - λ] . \end{matrix}

While we define $HW$ as a bit-vector function returning an n-bit output given an n-bit input, $⌊ {log}_{2} (n) ⌋ + 1$ bits are sufficient to represent the output of $HW$ . Therefore, by representing each $HW (z_{λ}) ≪ (3 - λ)$ in a $(⌊ {log}_{2} (n) ⌋ + 4)$ -bit variable $h_{λ}$ , the bit-vector expression $h_{0} ⊞ h_{1} ⊞ h_{2} ⊞ h_{3}$ does not overflow, and we obtain

\begin{matrix} \sum_{t = 1}^{r} Truncate (x [i_{t}, j_{t} + 1]) = \sum_{t = 1}^{r} \sum_{\begin{matrix} λ = 0 \\ i_{t} - λ > j_{t} \end{matrix}}^{3} x [i_{t} - λ] \times 2^{3 - λ} = h_{0} ⊞ h_{1} ⊞ h_{2} ⊞ h_{3}, \end{matrix}

which concludes the proof. $□$

Since both $HW$ and $Rev$ have $O ({log}_{2} n)$ bit-vector complexities, so do the functions $ParallelLog$ and $ParallelTrunc$ . The next lemma applies $ParallelLog$ and $ParallelTrunc$ to provide a bit-vector expression of the sum of ${apxlog}_{2} (p_{i})$ .

Lemma 7

Let r and f be the bit-vectors given by

If at least $⌊ {log}_{2} (n) ⌋ + 5$ bits are dedicated to r and f, then

\begin{matrix} 2^{4} \sum_{i \in I} {apxlog}_{2} (p_{i}) = (r ≪ 4) ⊞ f . \end{matrix}

Proof

Regarding Lemma 6, $w [i - 1, i - ℓ_{i}]$ represents the $ℓ_{i}$ -bit vector of $p_{i}$ and $s_{000}^{'} [i - 1, i - ℓ_{i}]$ conforms to the pattern $(1, \dots, 1, 0)$ for any $i \in I$ . Therefore,

\begin{matrix} \sum_{i \in I} ⌊ {log}_{2} (p_{i}) ⌋ = HW (RevCarry ((w \land s_{000}^{'}) ≪ 1, s_{000}^{'} ≪ 1)), \end{matrix}

following Proposition 1. For the second case, let c be the n-bit vector given by $c = RevCarry ((w \land s_{000}^{'}) ≪ 1, s_{000}^{'} ≪ 1)$ . Denoting by $j = i - l_{i}$ and $m = ⌊ {log}_{2} (p_{i}) ⌋$ for a given $i \in I$ , note that $p_{i} [m]$ is the most significant active bit of $p_{i}$ and

\begin{matrix} \begin{matrix} i + 1, & \dots, & j + m + 2, & j + m + 1, & j + m, & \dots, & j + 2, & j + 1, & j \\ (w ≪ 1) [i + 1, j] & = & (0, & \dots, & 0 & p_{i} [m], & p_{i} [m - 1], & \dots, & p_{i} [1], & p_{i} [0] & 0), \\ c [i + 1, j] & = & (0, & \dots, & 0 & 0, & 1, & \dots, & 1, & 1 & 0) . \end{matrix} \end{matrix}

Thus $c [j + m, j]$ conforms to the pattern $(1, \dots, 1, 0)$ and Proposition 1 leads to

\begin{matrix} \sum_{\begin{matrix} i \in I \\ m = ⌊ {log}_{2} (p_{i}) ⌋ \end{matrix}} Truncate (p_{i} [m - 1, 0]) = ParallelTrunc (w ≪ 1, c) . \end{matrix}

For any n-bit variables x and y, it is easy to see that $ParallelLog (x, y) < n$ . Thus, $⌊ {log}_{2} (n) ⌋ + 4$ bits are sufficient to represent $(r ≪ 4)$ , and f can also be represented with the same number of bits following Proposition 1. Therefore, by representing $(r ≪ 4)$ and f in $(⌊ {log}_{2} (n) ⌋ + 5)$ -bit variables, the bit-vector expression $(r ≪ 4) ⊞ f$ does not overflow. $□$

Recall that the differential weight of constant addition can be decomposed as

\begin{matrix} {weight}_{⊞_{a}} (u, v) = - \sum_{i \notin I} {log}_{2} (φ_{i}) - \sum_{i \in I} {log}_{2} (\frac{1}{2^{ℓ_{i} - 1}}) - \sum_{i \in I} {log}_{2} (p_{i}) . \end{matrix}

If the binary logarithm of $p_{i}$ is replaced by our approximation of the binary logarithm ${apxlog}_{2} (p_{i})$ , we obtain the following approximation of the weight,

\begin{matrix} {apxweight}_{⊞_{a}} (u, v) ≜ - \sum_{i \notin I} {log}_{2} (φ_{i}) - \sum_{i \in I} {log}_{2} (\frac{1}{2^{ℓ_{i} - 1}}) - \sum_{i \in I} {apxlog}_{2} (p_{i}) . \end{matrix}

Our weight approximation can be computed with the bit-vector function $BvWeight$ described in Algorithm 1, as shown in the lemma.

Lemma 8

If at least $⌊ {log}_{2} (n) ⌋ + 5$ bits are dedicated to $BvWeight (u, v, a)$ , then

\begin{matrix} 2^{4} {apxweight}_{⊞_{a}} (u, v) = BvWeight (u, v, a) . \end{matrix}

Proof

Regarding Lemmas 3 and 5 and 7 we respectively obtain

All in all, we get the following identities,

\begin{matrix} 2^{4} {apxweight}_{⊞_{a}} (u, v) = 2^{4} ((i n t ≪ 4) ⊟ f r a c) = BvWeight (u, v, a) . \end{matrix}

$□$

Note that the four least significant bits of $BvWeight (u, v, a)$ correspond to the fraction bits of the approximate weight. In other words, the output of $BvWeight (u, v, a)$ represents the rational value

\begin{matrix} \sum_{i = 0}^{⌊ {log}_{2} (n) ⌋ + 4} 2^{i - 4} BvWeight (u, v, a) [i] . \end{matrix}

The bit-vector complexity of $BvWeight$ is dominated by the complexity of $LZ$ , $Rev$ , $HW$ , $ParallelLog$ , and $ParallelTrunc$ . Since these operations can be computed with $O ({log}_{2} n)$ basic bit-vector operations, so does $BvWeight$ .

Theorem 4 shows that $BvWeight$ leads to a close approximation of the differential weight and provides explicit bounds for the approximation error.

Theorem 4

Let (u, v) be a valid differential over the n-bit constant addition $⊞_{a}$ , let ${weight}_{⊞_{a}} (u, v)$ be the differential weight of (u, v), and let $BvWeight$ be the bit-vector function defined by Algorithm 1. Then, the approximation error,

\begin{matrix} E = {weight}_{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}} (u, v) = {weight}_{⊞_{a}} (u, v) - 2^{- 4} BvWeight (u, v, a) \end{matrix}

is bounded by $- 0.029 (n - 1) \leq E \leq 0 .$

Section 3.3 is devoted to the proof of Theorem 4, where we will also analyse the error caused by our approximated binary logarithm. Before proving Theorem 4, we will describe an example to understand this theorem and Algorithm 1.

Example 3

Consider the same conditions as defined in Example 1, i.e., $(u, v) = (1010001110, 1010001010)$ and the constant input $a = 1000101110$ . The weight for our differential is

\begin{matrix} {weight}_{⊞_{a}} (u, v) & = - {log}_{2} (Pr [u \overset{⊞_{a}}{\to} v]) = - {log}_{2} (\frac{5}{16}) \approx 1.678 . \end{matrix}

Let’s find the approximate weight ${apxweight}_{⊞_{a}}$ based on Algorithm 1. Table 4 presents some of the variables we obtain to compute the aforementioned approximate weight.

Table 4.

Intermediate variables for computing ${apxweight}_{⊞_{a}} (u, v)$ of Example 3

i	9	7	6	5	4	3	2	1	0
a[i]	1	0	0	1	0	1	1	1	0
u[i]	1	1	0	0	0	1	1	1	0
v[i]	1	1	0	0	0	1	0	1	0
$s_{000} [i]$	1	1	1	1	0	0	0	1	1
$s_{000}^{'} [i]$	0	1	1	1	0	0	0	1	1
w[i]	0	0	1	0	1	0	0	1	0
$BvWeight (u, v, a) [i]$	0	0	0	0	1	1	1	0	0

Open in a new tab

The set $I = {1 \leq i \leq n - 1 | S_{i} = 11 *, ℓ_{i} > 1}$ in this example is equal to $I = {2, 8}$ . The variable int in Algorithm 1 consists of three parts. The first part of the variable int calculated in Algorithm 1 is

\begin{matrix} HW ((u \oplus v) ≪ 1) = 0000000001 = 1, \end{matrix}

which is equal to $- \sum_{i \notin I} {log}_{2} (φ_{i}) = - \sum_{i \in {0, 1, 3, 4, 5, 6, 7, 9}} {log}_{2} (φ_{i}) = - {log}_{2} (φ_{3})$ .

The second part uses the variable $s_{000}^{'}$ which is the same as $s_{000}$ except that the leading one bits of $s_{000}$ are replaced in $s_{000}^{'}$ by zeros. In other words, $s_{000}^{'} [9] = 0$ but the remaining bits of these two bit-vectors are exactly equal. Computing the second part results in

\begin{matrix} HW (s_{000}^{'}) = 0000000101 = 5, \end{matrix}

and it is equal to $\sum_{i \in I} (ℓ_{i} - 1) = (ℓ_{2} - 1) + (ℓ_{8} - 1)$ .

For the third and last part of int, we compute w, obtaining $w = 0001010010$ . We remark that the bit-vector w for $i \in I$ in fact includes $p_{i}$ as some subvectors, i.e.

\begin{matrix} i = & 2 : w [2 - 1, 2 - ℓ_{2}] = w [1, - 1] = 100 = 4 = p_{2}, \\ i = & 8 : w [8 - 1, 8 - ℓ_{8}] = w [7, 4] = 0101 = 5 = p_{8} . \end{matrix}

Hence, the third part of int is computed as

\begin{matrix} ParallelLog ((w \land s_{000}^{'}) ≪ 1, s_{000}^{'} ≪ 1) = 0000000100 = 4, \end{matrix}

which is equal to $\sum_{i \in I} ⌊ {log}_{2} (p_{i}) ⌋ = ⌊ {log}_{2} (p_{2}) ⌋ + ⌊ {log}_{2} (p_{8}) ⌋$ . Considering all three parts, the bit-vector int is obtained by

\begin{matrix} i n t = 0000000001 ⊞ 0000000101 ⊟ 0000000100 = 0000000010 = 2 . \end{matrix}

Moreover, the frac bit-vector in Algorithm 1 is calculated by

Considering the third major operand of int and the bit-vector frac, we can obtain the summation of all approximate logarithms

\begin{matrix} \sum_{i \in I} {apxlog}_{2} (p_{i}) = {apxlog}_{2} (p_{2}) + {apxlog}_{2} (p_{8}) = 4 + \frac{4}{2^{4}} = 4.25 . \end{matrix}

To summarize, the output of Algorithm 1 is

\begin{matrix} BvWeight (u, v, a) & = (i n t ≪ 4) ⊟ f r a c, \\ = 0000100000 ⊟ 0000000100 = 0000011100 = 28 . \end{matrix}

Therefore, the approximate weight will be equal to

\begin{matrix} {apxweight}_{⊞_{a}} (u, v) = 2^{- 4} BvWeight (u, v, a) = \frac{28}{2^{4}} = 1.75 . \end{matrix}

The total error of our approximation is

\begin{matrix} E = {weight}_{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}} (u, v) \approx 1.678 - 1.75 = - 0.072, \end{matrix}

which is a negative value and lower bounded by $- 0.029 (n - 1) = - 0.261$ as suggested by Theorem 4.

Error analysis: proof of Theorem 4

In this subsection, we will prove Theorem 4 by gradually analysing the error produced by our approximation of the binary logarithm. As we can see from Eqs. (3) and (5), the gap between ${weight}_{⊞_{a}} (u, v)$ and ${apxweight}_{⊞_{a}} (u, v)$ is

\begin{matrix} weight & _{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}} (u, v) = - \sum_{i \in I} ({log}_{2} (p_{i}) - {apxlog}_{2} (p_{i})) . \end{matrix}

Note that the integer part of ${apxlog}_{2}$ is equal to the integer part of ${log}_{2}$ and the error is caused by the fraction part of the logarithm.

Given a positive integer x and the corresponding $m = ⌊ {log}_{2} (x) ⌋$ , we define ${apxlog}_{2}^{κ}$ as

\begin{matrix} {apxlog}_{2}^{κ} (x) = \{\begin{matrix} m + x [m - 1, 0] / 2^{m}, & m \leq κ \\ m + x [m - 1, x - κ] / 2^{κ}, & m > κ \end{matrix}) \end{matrix}

The non-negative integer $κ$ is called the precision of the fraction part. Note that ${apxlog}_{2}^{κ}$ is the generalization of ${apxlog}_{2}$ , which considers $κ = 4$ bits for the fraction part. While Theorem 4 only focuses on $κ = 4$ , we will use ${apxlog}_{2}^{κ}$ in this section to additionally prove that our error bound also applies to $κ \geq 4$ .

The following lemma bounds the approximation error of ${apxlog}_{2}$ when $κ \geq ⌊ {log}_{2} (x) ⌋$ , with a similar proof as [56] for the sake of completeness. The main idea is that after extracting integer part of the logarithm in base 2, one can estimate ${log}_{2} (1 + γ)$ by $γ$ when $0 \leq γ < 1$ .

Lemma 9

Consider a positive integer x and the binary logarithm approximation ${log}_{2} (x) \approx m + x [m - 1, 0] / 2^{m},$ where $m = ⌊ {log}_{2} (x) ⌋$ . Then, the approximation error $e = {log}_{2} (x) - (m + x [m - 1, 0] / 2^{m})$ is bounded by $0 \leq e \leq B$ , where B is given by

\begin{matrix} B = 1 - (1 + ln (ln (2))) / ln (2) \approx 0.086 . \end{matrix}

Proof

Let $x = 2^{m} + b$ , where b is a non-negative integer such that $0 \leq b < 2^{m}$ . Therefore, $x [m - 1, 0] = x - 2^{m} = b$ and the error is given by

\begin{matrix} e = & {log}_{2} (x) - (m + \frac{x [m - 1, 0]}{2^{m}}) = {log}_{2} (2^{m} + b) - (m + \frac{b}{2^{m}}) \\ = & {log}_{2} (1 + \frac{b}{2^{m}}) - \frac{b}{2^{m}} . \end{matrix}

For $γ = b / 2^{m}$ , we obtain $0 \leq γ < 1$ and $e = {log}_{2} (1 + γ) - γ$ . Note that e is a concave function of $γ$ where $e \geq 0$ if and only if $0 \leq γ \leq 1$ . By deriving $e = e (γ)$ , one can see that $max (e) = B = 1 - (1 + ln (ln (2))) / ln (2) \approx 0.086$ is reached when $γ = 1 / ln (2) - 1 \approx 0.44$ . $□$

The bound B is an almost tight bound, e.g., when $x = 3$ , the obtained error is ${log}_{2} (3) - (1 + \frac{1}{2}) ≊ 0.085$ . The following example sheds more light on our binary logarithm approximation.

Example 4

Consider the positive integer $x = 11101$ . Note that ${log}_{2} (x) ≊ 4.85798$ and $m = ⌊ ({log}_{2} (x)) ⌋ = 4$ . In order to obtain the approximation defined in Proposition 9, we first find and omit the greatest "one" in binary representation of x, and we get $x [m - 1, 0] = 1101$ . By interpreting the remaining bits as a binary fraction, we have $x [m - 1, 0] / 2^{m} = 0.1101$ . Therefore, the approximated binary logarithm of $x = 11101$ in binary representation is

\begin{matrix} m + \frac{x [m - 1, 0]}{2^{m}} = 100.1101, \end{matrix}

which is equal to 4.8125. In addition, the corresponding error of such approximation is $e \approx 0.04548$ , which is a positive value and upper bounded by $B \approx 0.086$ .

Finally, we can now prove Theorem 4, which basically states that if we dedicate 4 bits to the fraction precision $κ$ , the approximation error E is bounded by $- 0.029 \cdot (n - 1) \leq E \leq 0$ . While Theorem 4 focuses on $κ = 4$ , we will show in the proof that we can also bound the error for $κ \geq 4$ . To this end, we generalize the approximated weight ${apxweight}_{⊞_{a}}$ and the approximated weight error $E_{κ}$ as follows

\begin{matrix} {apxweight}_{⊞_{a}}^{κ} (u, v) & = - (\sum_{i \in I} {apxlog}_{2}^{κ} (p_{i}) + \sum_{i \in I} {log}_{2} (\frac{1}{2^{ℓ_{i} - 1}}) + \sum_{i \notin I} {log}_{2} (φ_{i})) \\ E_{κ} & = {weight}_{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}}^{κ} (u, v), \end{matrix}

where ${apxweight}_{⊞_{a}}^{4} (u, v) = {apxweight}_{⊞_{a}} (u, v)$ is defined by Eq. (5) and $E_{4} = E$ is defined in Theorem 4.

Fig. 1 — The error $e = {log}_{2} (1 + γ) - γ$ , over $0 \leq γ < 1$

Proof (Theorem 4)

First, we mention that ${log}_{2} (φ_{i})$ is an integer number when $S_{i} \neq 11 *$ or for $S_{i} = 11 *$ we see $ℓ_{i} < 3$ . For these cases, ${log}_{2} (φ_{i}) = ⌊ {log}_{2} (φ_{i}) ⌋$ and the approximation error is equal to zero.

Next, for each $i \in I$ when $ℓ_{i} \geq 3$ , let $p_{i} = 2^{m_{i}} + b_{i}$ such that $m_{i}$ and $b_{i}$ are two non-negative integers, $m_{i} \leq ℓ_{i} - 2$ and $0 \leq b_{i} < 2^{m_{i}}$ . If $ℓ_{i} \leq κ + 2$ , we obtain $m_{i} \leq κ$ and ${apxlog}_{2}^{κ} (p_{i}) = m_{i} + b_{i} \cdot 2^{- m_{i}}$ . Thus, the resulting error

\begin{matrix} e_{i} = {log}_{2} (p_{i}) - {apxlog}_{2}^{κ} (p_{i}) = {log}_{2} (p_{i}) - (m_{i} + b_{i} \cdot 2^{- m_{i}}) \end{matrix}

is exactly the same as the error defined in Proposition 9, and $0 \leq e_{i} \leq B \approx 0.086$ .

On the other hand, for $m_{i} > κ$ , i.e., $ℓ_{i} \geq κ + 3$ , let $p_{i} = 2^{m_{i}} + t_{i} \cdot 2^{m_{i} - κ} + ζ_{i}$ , where $t_{i}$ and $ζ_{i}$ are two non-negative integers such that $0 \leq t_{i} < 2^{κ}$ as well as $0 \leq ζ_{i} < 2^{m_{i} - κ}$ . In this case, the approximated binary logarithm is ${apxlog}_{2}^{κ} (p_{i}) = m_{i} + t_{i} \cdot 2^{- κ}$ . We now define a new error $e_{i}^{'}$ as

\begin{matrix} e_{i}^{'} & = {log}_{2} (p_{i}) - {apxlog}_{2}^{κ} (p_{i}) = {log}_{2} (1 + t_{i} \cdot 2^{- κ} + ζ_{i} \cdot 2^{- m_{i}}) - t_{i} \cdot 2^{- κ} . \end{matrix}

Due to the fact that $ζ_{i} \geq 0$ , we can see that

\begin{matrix} e_{i}^{'} = {log}_{2} (p_{i}) - (m_{i} + t_{i} \cdot 2^{- κ}) \geq {log}_{2} (p_{i}) - (m_{i} + t_{i} \cdot 2^{- κ} + ζ_{i} \cdot 2^{- m_{i}}) = e_{i} \geq 0 . \end{matrix}

Since $ζ_{i} < 2^{m_{i} - κ}$ and by reforming the error, we obtain the upper bound of $e_{i}^{'}$

\begin{matrix} e_{i}^{'} \leq {log}_{2} (1 + t_{i} \cdot 2^{- κ} + 2^{- κ}) - t_{i} \cdot 2^{- κ} = ({log}_{2} (1 + γ_{i}^{'}) - γ_{i}^{'}) + 2^{- κ}, \end{matrix}

where $γ_{i}^{'} = (t_{i} + 1) \cdot 2^{- κ}$ and $2^{- κ} \leq γ_{i}^{'} < 1$ . Regarding Proposition 9, the new error $e_{i}^{'}$ is bounded by $0 \leq e_{i}^{'} \leq B + 2^{- κ}$ .

Note that for a valid differential (u, v) over the constant addition $⊞_{a}$ we can see that $S_{0} = 000$ which for some $i^{*}$ belongs to the chain

\begin{matrix} Γ_{i^{*}} = {S_{i^{*} - 1}, \dots, S_{0}, S_{- 1} = ⊥}, ℓ_{i^{*}} = i^{*} + 1 . \end{matrix}

Hence, we obtain

\begin{matrix} δ_{i^{*} - 1} & = \frac{a [i^{*} - ℓ_{i^{*}} - 1]}{2^{ℓ_{i^{*}} - 1}} + \sum_{j = 2}^{ℓ_{i^{*}}} \frac{a [i^{*} - j]}{2^{j - 1}} = \sum_{j = 2}^{ℓ_{i^{*}} - 1} \frac{a [i^{*} - j]}{2^{j - 1}} . \end{matrix}

Similar to the proof of Lemma 4 we have

\begin{matrix} φ_{i^{*}} = \frac{p_{i^{*}}}{2^{ℓ_{i^{*}} - 1}} = \frac{p_{i^{*}}^{*}}{2^{ℓ_{i^{*}} - 2}}, \end{matrix}

where $p_{i^{*}}^{*} = p_{i^{*}} / 2$ is an integer. Therefore, by replacing $ℓ_{i^{*}}$ with $ℓ_{i^{*}}^{*} = ℓ_{i^{*}} - 1$ , the previous statements considering the error bounds of our approximation for the state $S_{i^{*}} = 11 *$ and its new $ℓ_{i^{*}}^{*}$ are still correct. We now define two bits $b$ and $b^{'}$ as

\begin{matrix} b = \{\begin{matrix} 1, & 3 \leq ℓ_{i^{*}}^{*} \leq κ + 2 \\ 0, & o . w . \end{matrix}), b^{'} = \{\begin{matrix} 1, & ℓ_{i^{*}}^{*} > κ + 2 \\ 0, & o . w . \end{matrix}) \end{matrix}

Finally, by defining the conditional index set $I_{α}^{β} = {i \in I - {i^{*}} | α \leq ℓ_{i} \leq β}$ we obtain

\begin{matrix} E_{κ} & = {weight}_{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}}^{κ} (u, v) \\ = - \sum_{i \in I} ({log}_{2} (p_{i}) - {apxlog}_{2}^{κ} (p_{i})) \\ = - (\sum_{i \in I_{3}^{κ + 2}} e_{i} + \sum_{i \in I_{κ + 3}^{n}} e_{i}^{'} + b e_{i^{*}} + b^{'} e_{i^{*}}^{'}) \\ \geq - (B \sum_{i \in I_{3}^{κ + 2}} 1 + (B + 2^{- κ}) \sum_{i \in I_{κ + 3}^{n}} 1 + b B + b^{'} (B + 2^{- κ})) \\ \geq - (\frac{B}{3} \sum_{i \in I_{3}^{κ + 2}} ℓ_{i} + (\frac{B + 2^{- κ}}{κ + 3}) \sum_{i \in I_{κ + 3}^{n}} ℓ_{i} + b \frac{B}{3} ℓ_{i^{*}}^{*} + b^{'} (\frac{B + 2^{- κ}}{κ + 3}) ℓ_{i^{*}}^{*}) . \end{matrix}

For $κ \geq 4$ , we can see that $\frac{B + 2^{- κ}}{κ + 3} \leq \frac{B}{3}$ , resulting in

\begin{matrix} 0 \geq E_{κ} & \geq - (\frac{B}{3} \sum_{i \in I_{3}^{n}} ℓ_{i} + \frac{B}{3} ℓ_{i^{*}}^{*}) = - (\frac{B}{3} \sum_{i \in I_{3}^{n}} ℓ_{i} + \frac{B}{3} (ℓ_{i^{*}} - 1)) \\ \geq - \frac{B}{3} (n - 1) \approx - 0.029 (n - 1) . \end{matrix}

Since for $κ = 4$ , we have $E_{4} = E = {weight}_{⊞_{a}} (u, v) - {apxweight}_{⊞_{a}} (u, v)$ , the above inequalities hold for the approximation error E as well. $□$

While dedicating $κ = 4$ bits as the fraction precision is enough to obtain the same error bounds as $κ > 4$ , considering $κ < 4$ creates a trade-off between the lower bound of the error and the complexity of Algorithm 1. As an example, choosing $κ = 3$ removes one $HW$ call in Algorithm 1. However, by following the proof of Theorem 4 for $κ = 3$ , the error will be lower bounded by $- 0.035 (n - 1)$ , which potentially is an acceptable trade-off.

The differential model of the constant addition as well as the approximation error will be used in the automated method that we will present in the next section to search for characteristics and impossible differentials of ARX ciphers.

SMT-based search of characteristics and impossible differentials

In this section, we describe how to formulate the search of optimal characteristics and impossible differentials as a sequence of SMT problems, which can be solved by an off-the-shelf SMT solver such as Boolector [62] or STP [22]. Our methods are inspired by the approach of Mouha and Preneel [57] to search for single-key characteristics of Salsa20 [57] and the approach by Sasaki and Todo to search for impossible differentials using Mixed Integer Linear Programming (MILP) [66].

Searching for characteristics

To search for characteristics up to probability $2^{- n}$ , the probability space is decomposed into n intervals $I_{w} = (2^{- w - 1}, 2^{- w}]$ , where $w = 0, 1, \dots, n - 1$ , and for each interval, the decision problem of whether there exists a characteristic with probability $p \in I_{w}$ is encoded as an SMT problem. Note that a characteristic $Ω$ has probability $p \in I_{w}$ if and only if its integer weight $⌊ weight (Ω) ⌋$ is equal to w. Section 4.2 describes the encoding process for an ARX cipher.

The SMT problems are provided to the SMT solver, which checks their satisfiability in increasing weight order. When the SMT solver finds the first satisfiable problem, an assignment of the variables that makes the problem satisfiable is obtained, and the search finishes. The assignment contains a characteristic with integer weight $\hat{w}$ , and it is optimal in the sense that there are no characteristics with integer weight strictly smaller than $\hat{w}$ . If the n SMT problems are found to be unsatisfiable, then it is proved there are no characteristics with probability higher than $2^{- n}$ .

To speed up the search, we perform the search iteratively on round-reduced versions of the cipher. First, we search for an optimal characteristic for a small number of rounds r; let $\hat{w}$ denote its integer weight. Then, we search for an optimal $(r + 1)$ -round characteristic, but skipping the SMT problems with weight strictly less than $\hat{w}$ . Since these SMT problems were found to be unsatisfiable for r rounds, they will also be unsatisfiable for $r + 1$ rounds. This procedure is repeated until the total number of rounds is reached. Algorithm 2 describes in pseudo-code this search strategy. Our strategy prioritises SMT problems with low weight and small number of rounds, which are faster to solve. In addition, our search also finds optimal characteristics of round-reduced versions, which can be used in other differential-based attacks, such as rectangle or boomerang attacks [9, 71].

This automated method can be used to search for either single-key or related-key characteristics. Furthermore, additional SMT constraints can be added to the SMT problems in order to search for different types of characteristics. For related-key characteristics and by default, this method searches characteristics minimizing the total weight $weight (Ω) = weight (Ω_{KS}) + weight (Ω_{E})$ . Strong related-key characteristics can be searched by adding the constraint $weight (Ω_{KS}) = 0$ in the SMT problems. Similarly, equivalent keys can be found by adding the constraint $weight (Ω_{E}) = 0$ .

Algorithm 2 returns the characteristic with the minimum SMT integer weight, obtained from the bit-vector differential models used within the SMT problems. When some of these models compute approximations of the intermediate weights, the SMT integer weight and the actual integer weight of the characteristic might differ, and the returned characteristic might not be optimal. However, if we have alternative models that compute the exact intermediate weights (that cannot be represented in the SMT problems) and a bound for the error of the SMT integer weight, Algorithm 2 can be adapted to obtain the optimal characteristic as follows. First, Algorithm 2 is used to obtain the characteristic $Ω$ with the minimum SMT integer weight $\hat{w}$ . Then, one finds all2 characteristics with SMT integer weights ${\hat{w}, \hat{w} + 1, \dots, \hat{w} + ⌊ ϵ ⌋}$ , where $ϵ$ is the absolute bound for the error of the SMT integer weight. Finally, the weights of the found characteristics are recomputed with the alternative models, and the characteristic with the minimum integer weight is returned. This adaptation can be used for ARX ciphers with constant additions, as the error bound can be computed from Theorem 4 and Machado’s algorithm [53] can be used to compute the exact weights of the constant additions.

This method only ensures optimality if the differential probabilities over each round are independent and the characteristic probability does not strongly depend on the choice of the secret key. When these assumptions do not hold for a cipher, we empirically compute the weight of each characteristic found by sampling many input pairs satisfying the input difference and counting those satisfying the difference trail. In this case, this method provides a practical heuristic to find characteristics with high probability, and it is one of the best systematic approaches for some families of ciphers, such as ARX.

Encoding the SMT problems

In this section, we explain how to formulate the decision problem of determining whether a characteristic $Ω$ exists with integer weight W of an ARX cipher as an SMT problem in the bit-vector theory.

First, the ARX cipher is represented in Static Single Assignment (SSA) form, that is, as an ordered list of instructions $y \leftarrow f (x)$ such that each variable is assigned exactly once and each instruction is a modular addition, a rotation, or an XOR.

For each variable x in the SSA representation, a bit-vector variable $Δ_{x}$ denoting the difference of x is defined in the SMT problem. Then, for every instruction $y \leftarrow f (x)$ , the weight and the differential model of f are added to the SMT problem as a bit-vector variable w and bit-vector constraints ${valid}_{f_{i}} (Δ_{x}, Δ_{y})$ and $Equals (w, {weight}_{f_{i}} (Δ_{x}, Δ_{y}))$ , following Table 5.

Table 5.

Bit-vector differential models of ARX operations

$y = f_{a} (x)$	Validity	Weight
$y = x_{1} \oplus x_{2}$	$Equals (Δ_{y}, Δ_{x_{1}} \oplus Δ_{x_{2}})$	0
$y = x \oplus a$	$Equals (Δ_{y}, Δ_{x})$	0
$y = x ⋘ a$	$Equals (Δ_{y}, Δ_{x} ⋘ a)$	0
$y = x ⋙ a$	$Equals (Δ_{y}, Δ_{x} ⋙ a)$	0
$y = x_{1} ⊞ x_{2}$	Theorem 1	Theorem 1
$y = x ⊞ a$	Theorem 3	Theorem 4

Open in a new tab

Finally, the following bit-vector constraints are added to the SMT problem,

\begin{matrix} NotEquals (Δ_{p}, 0), Equals (W, w_{1} ⊞ \dots ⊞ w_{r}), \end{matrix}

where $Δ_{p}$ denotes the input difference and $(w_{1}, \dots, w_{r})$ denote the weight of each operation. The first constraint excludes the trivial characteristic with zero input difference, while the second constraint fixes the weight of the characteristic to the target weight. Note that the bit-size of the weights might need to be increased to prevent an overflow in the modular addition of the last constraint.

Example 5

Consider the keyed function $f_{k}$ with key k and input $p = (p_{1}, p_{2})$ ,

\begin{matrix} f_{k} (p_{1}, p_{2}) = (((p_{2} ⊞ 1) \oplus k) ⊞ p_{1}, p_{1} ⋘ 1) . \end{matrix}

This function can be written as a list of simple instructions (SSA form) as

\begin{matrix} x_{1} \leftarrow p_{2} ⊞ 1, \\ x_{2} \leftarrow x_{1} \oplus k, \\ x_{3} \leftarrow x_{2} ⊞ p_{1}, \\ x_{4} \leftarrow p_{1} ⋘ 1, \end{matrix}

where the output is the pair $(x_{3}, x_{4})$ . Figure 2 depicts the function $f_{k}$ together with its intermediate variables.

An SMT problem in the bit-vector theory denoting whether $f_{k}$ has a characteristic with integer weight W is as follows:

\begin{matrix} \exists Δ_{p_{1}}, & Δ_{p_{2}}, Δ_{x_{1}}, Δ_{x_{2}}, Δ_{x_{3}}, Δ_{x_{4}}, w_{1}, w_{2}, w_{3}, w_{4} : \\ {valid}_{⊞_{1}} (Δ_{p_{2}}, Δ_{x_{1}}), \\ Equals (w_{1}, BvWeight (Δ_{p_{2}}, Δ_{x_{1}}, 1)), \\ Equals (Δ_{x_{2}}, Δ_{x_{1}}), \\ Equals (w_{2}, 0), \\ {valid}_{⊞} ((Δ_{x_{2}}, Δ_{p_{1}}), Δ_{x_{3}}), \\ Equals (w_{3}, {weight}_{⊞} ((Δ_{x_{2}}, Δ_{p_{1}}), Δ_{x_{3}})), \\ Equals (Δ_{x_{4}}, Δ_{d_{p_{1}}} ⋘ 1), \\ Equals (w_{4}, 0), \\ NotEquals ((Δ_{p_{1}}, Δ_{p_{2}}), 0), \\ Equals (W, (w_{1} ⊞ ((w_{2} ⊞ w_{3} ⊞ w_{4}) ≪ 4) ≫ 4)) . \end{matrix}

The shifts in the last constraint are due to the fact that the last four bits of $w_{1}$ denote fraction bits. Furthermore, depending on the bit-size of $f_{k}$ , it might be necessary to extend the bit-size of the weights in order to prevent an overflow in the last modular additions.

Searching of impossible differentials

In [66], Sasaki and Todo [66] propose a MILP-based method to search for impossible differentials that employs the MILP problems used to search for characteristics. Since this method can also be adapted to SMT problems, we will explain the method within the SMT context.

The method’s main idea is that one can check whether a particular differential $(Δ_{p}, Δ_{c})$ is impossible by querying a simple SMT problem. While it is infeasible to check all differentials, one can check those with a low number of active bits since most of the known impossible differentials have this property.

The subroutine to check whether a particular differential $(Δ_{p_{0}}, Δ_{c_{0}})$ is impossible can be done as follows. First, the SMT problem of whether there exists a characteristic over the cipher is encoded as in Sect. 4.2. However, only the validity constraints are added; the weight constraints and the target weight W are ignored. Second, the constraints that fix the input and output differences $(Δ_{p}, Δ_{c})$ to $(Δ_{p_{0}}, Δ_{c_{0}})$ are added to the SMT problem, that is,

\begin{matrix} Equals (Δ_{p}, Δ_{p_{0}}), Equals (Δ_{c}, Δ_{c_{0}}) . \end{matrix}

Then, the SMT solver checks the satisfiability of the SMT problem. If the problem is found to be unsatisfiable, the differential is impossible.

This method can be used to search for single-key and related-key impossible differentials. For the former case, the validity constraints of the key schedule are ignored, while for the latter case they are included in the SMT problems.

As opposed to the previous SMT-based characteristic search method, the impossible check subroutine is a sound method. In other words, a characteristic found by Algorithm 2 could be invalid due to the independence assumptions, but a differential found impossible by the check subroutine is always impossible. While the check subroutine is a sound method, it is not complete; there are some impossible differentials that cannot be detected by the check subroutine.

While the check subroutine is fast, checking all differentials is infeasible and only a small subset can be checked with the method by [66]. Thus, we propose a new automated method to search for impossible differentials that does not restrict the search over any pre-defined small subset and let the SMT solver efficiently search through the space of differentials. Our automated method proceeds as follows.

First, we split the cipher $E = E_{2} \circ E_{1} \circ E_{0}$ into three parts $E_{2}, E_{1}$ and $E_{0}$ . Let $Ω = (Δ_{x_{0}}, Δ_{x_{1}}, Δ_{x_{2}}, Δ_{x_{3}})$ denote a partial characteristic over E, that is, any characteristic verifying

\begin{matrix} Pr (Δ_{x_{0}} \overset{E_{0}}{\to} Δ_{x_{1}}) = 1, Pr (Δ_{x_{2}} \overset{E_{2}}{\to} Δ_{x_{3}}) = 1 . \end{matrix}

Note that no relation is imposed between $Δ_{x_{1}}$ and $Δ_{x_{2}}$ .

Then, we search for all partial characteristics using our SMT-based method from Sect. 4.1. For each partial characteristic $Ω = (Δ_{x_{0}}, Δ_{x_{1}}, Δ_{x_{2}}, Δ_{x_{3}})$ , we apply the check subroutine to the differential $(Δ_{x_{1}}, Δ_{x_{2}})$ over $E_{1}$ . If $(Δ_{x_{1}}, Δ_{x_{2}})$ is found to be impossible over $E_{1}$ , then $(Δ_{x_{0}}, Δ_{x_{3}})$ is an impossible differential over E, since $(Δ_{x_{0}}, Δ_{x_{1}})$ and $(Δ_{x_{2}}, Δ_{x_{3}})$ are differentials with probability one (see Fig. 3).

Fig. 3 — The partial characteristic $Ω = (Δ_{x_{0}}, Δ_{x_{1}}, Δ_{x_{2}}, Δ_{x_{3}})$ over $E = E_{2} \circ E_{1} \circ E_{0}$ , alongside the condition that the inner part $(Δ_{x_{1}}, Δ_{x_{2}})$ over $E_{1}$ is an impossible differential

Like the characteristic search method, we start searching for impossible differentials over a round-reduced version of the cipher and keep increasing the number of rounds iteratively. This procedure is described in Algorithm 3. While FindPartialCh in Algorithm 3 is responsible for finding partial characteristics, IsImpossible subroutine checks the corresponding inner differential to be impossible. Impossible differentials starting after a few rounds are useful in practice, and our method can easily be adapted by splitting the cipher into four parts, $E = E_{2} \circ E_{1} \circ E_{0} \circ E_{- 1}$ , where $E_{- 1}$ denotes the skipped rounds.

The main advantage of our method is that the subset of differentials to check does not need to be specified. Thus, it can find impossible differentials that other methods cannot. Moreover, the search of partial characteristics is quite fast, as for many operations f (including the modular addition and the constant addition) the constraint $Equals (0, {weight}_{f} (Δ_{x}, Δ_{y}))$ is much simpler than the constraint for the general case $Equals (w, {weight}_{f} (Δ_{x}, Δ_{y}))$ .

As opposed to the search of characteristics, the search of $r + 1$ -round impossible differentials cannot reuse information obtained from the search of r-round impossible differentials. In other words, Algorithm 2 exploits the fact that if no r-round characteristics were found with weight w, then no $r + 1$ -round characteristics can be found with the same weight. However, for some key schedules, Algorithm 2 might find $r + 1$ -round impossible differentials even if no r-round impossible differentials were found.

Implementation

We have developed an open-source tool ArxPy3 to find characteristics and impossible differentials of ARX ciphers implementing the methods described earlier. Originally, ArxPy was a tool to search for rotational-XOR characteristics using SMT solvers [64]. However, we have extended it to support (related-key) differential characteristics and impossible differentials containing the constant addition. ArxPy provides high-level functions that automate the search, a simple interface to represent ARX ciphers, and complete documentation in HTML format, among other features.

ArxPy workflow is represented in Fig. 4. The user first defines the ARX cipher using the interface provided by ArxPy and chooses the parameters of the search (e.g., the type of the characteristic to search, the SMT solver to use, etc.). Then, ArxPy automatically translates the python implementation of the ARX cipher into SSA form, encodes the SMT problems associated to the type of search selected by the user, and solves the SMT problems by querying the SMT solver. When searching for characteristics, for each satisfiable SMT problem found, ArxPy reconstructs the characteristic from the assignment of the variables that satisfies the problem and empirically verifies the weight of the characteristic. Finally, ArxPy returns the results of the search to the user.

Internally, ArxPy is implemented in Python 3 and uses the libraries SymPy [55] to obtain the SSA representation through symbolic execution and PySMT [23] for the communication with the SMT solvers. Thus, all the SMT solvers supported by PySMT can be directly used for ArxPy.

Experiments

We have applied our methods for finding characteristics and impossible differentials to some ARX ciphers that include constant additions. In particular, we have searched for related-key characteristics and related-key impossible differentials of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2.

Due to the difficulty of searching for characteristics of ciphers with constant additions this far, cipher designers have avoided constant additions in the encryption functions so that they could search for single-key characteristics, the most threatening ones. Only a few ciphers include constant additions in the encryption function, and their ad-hoc structures make them more suitable to be analysed with other types of differences, such as additive differences in the case of TEA [11]. As a result, we have focused on searching related-key characteristics and impossible differentials of some well-known ciphers.

Regarding the search for characteristics, we used Algorithm 2 to find related-key characteristics starting from the first round of each cipher. For the case of impossible differentials, we applied Algorithm 3 to search for related-key impossible differentials but skipping the first rounds of the cipher. To this end, we repeatedly call Algorithm 3 while increasing the number of skipped rounds in each call.

For related-key characteristics, the usual assumptions (i.e., round independence and the hypothesis of stochastic equivalence) do not always hold. Thus, we empirically verify each characteristic and stopped each round-reduced search after the first valid characteristic is found.

To verify a related-key characteristic $Ω$ , we split $Ω$ in smaller characteristics $Ω_{i} = (Δ_{x_{i}} \to \dots \to Δ_{y_{i}})$ with weight $w_{i}$ lower than 20, and empirically compute the probability of each differential $(Δ_{x_{i}}, Δ_{y_{i}})$ by sampling a small multiple of $2^{w_{i}}$ input pairs for $2^{10}$ related-key pairs. After combining the probability of each differential, we obtain $2^{10}$ characteristic probabilities, one for each related-key pair. If the characteristic probability is non-zero for several key pairs, we consider the characteristic valid and we define its empirical probability (resp. weight) as the arithmetic mean of the $2^{10}$ characteristic probabilities (resp. weights), but excluding those key pairs with zero probability.

Thus, for each characteristic that we have found, i.e. strong related-key characteristic ( $w_{KS} = 0$ ) and weak related-key characteristic ( $w_{KS} > 0$ ), Table 6 provides: (1) the theoretical key schedule and encryption weights $(w_{KS}, w_{E})$ , computed by summing the weight of each ARX operation; (2) the empirical key schedule and encryption weights $(\bar{w_{KS}}, \bar{w_{E}})$ , computed by sampling input pairs as explained before; and (3) the percentage of the valid key pairs that empirically lead to non-zero probability in the weight verification. In the appendix, we provide the round weights and the round differences for the characteristics covering the most rounds.

Table 6.

Best related-key differential characteristics of XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2

Cipher	Ch. Type	Rounds	$(w_{KS}, \bar{w_{KS}})$	$(w_{E}, \bar{w_{E}})$	% valid keys	References
XTEA	Strong	16	0	32	–	[52]
		16	(0,0)	(37, 32.02)	46%	This paper
		18	(0,0)	(57, 49.79)	48%	This paper
	Weak	18	17	19	–	[45, 52]
		18	(4.83, 3.15)	(16, 14.46)	100%	This paper
		27	(6.89, 5.74)	(40, 39.39)	7%	This paper
HIGHT	Strong	10	0	12	–	[50]
		10	(0, 0)	(12, 9.97)	34%	This paper
		15	(0, 0)	(45, 42.59)	8%	This paper
	Weak	12	2	19	–	[40]
		12	(2.48, 3.19)	(19, 17.65)	40%	This paper
		14	(13.09, 9.85)	(14, 11.46)	17%	This paper
LEA	Weak	11	–	–	–	[32]
		6	(1.56, 1.22)	(24, 22.50)	100%	This paper
		7	(2.56, 4.68)	(36, 34.35)	100%	This paper
SHACAL-1	Strong	27	0	29	–	[36]
	Strong	30	(0, 0)	(63, 47.36)	97%	This paper
	Weak	35	10	29	–	[18, 72]
	Weak	25	(1, 0.87)	(22, 13.31)	47%	This paper
SHACAL-2	Strong	24	0	38 $^{a}$	–	[51]
	Strong	23	(0, 0)	(58, 48.06)	100%	This paper
	Weak	24	–	52	–	[12]
	Weak	22	(6.67, 2.38)	(29, 24.03)	100%	This paper

Open in a new tab

$^{a}$ Imposes extra conditions on plaintext values or intermediate values

When searching for impossible differentials with skipped rounds, Algorithm 3 splits the cipher into four parts. More specifically, the cipher E is represented as $E = E_{2} \circ E_{1} \circ E_{0} \circ E_{- 1}$ , where $E_{- 1}$ denotes the skipped rounds, $E_{1}$ stands for the rounds of the inner impossible differential, and $E_{0}$ and $E_{2}$ respectively denote the backward and the forward rounds of the partial characteristics. In Table 7 we provide the number of rounds of each part for the best related-key impossible differentials that we found, and in Table 8 we provide the input and output differences of our longest impossible differentials.

Table 7.

Best related-key impossible differentials of XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2

Cipher	Rounds	Start	Backward	Inner ID	Forward	References
XTEA	$25 (19 \sim 43)$	19	–	–	–	[15]
XTEA	$25 (0 \sim 24)$	0	7	13	5	This paper
HIGHT	$22 (6 \sim 27)$	6	–	–	–	[63]
HIGHT	$22 (0 \sim 21)$	0	4	14	4	This paper
LEA	$4 (0 \sim 3)$	0	0	4	0	This paper
SHACAL-1	$30 (20 \sim 49)$	20	2	16	12	This paper
SHACAL-2	$18 (0 \sim 17)$	0	–	–	–	[75]
SHACAL-2	$24 (0 \sim 23)$	0	1	12	11	This paper

Open in a new tab

Table 8.

Input, output, and key differences of our longest related-key impossible differentials

Cipher	Differences
XTEA	$Δ_{mk}$	$(0 x 80000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
	$Δ_{p}$	$(0 x 80000000, 0 x 00000000)$
	$Δ_{c}$	$(0 x 00000000, 0 x 80000000)$
HIGHT	$Δ_{mk}$	$(0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00,$
		$0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 80, 0 x 00)$
	$Δ_{p}$	$(0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 80, 0 x 00, 0 x 00, 0 x 00)$
	$Δ_{c}$	$(0 x 00, 0 x 80, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00, 0 x 00)$
LEA	$Δ_{mk}$	$(0 x 00000001, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
	$Δ_{p}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
	$Δ_{c}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
SHACAL-1	$Δ_{mk}$	$(0 xa 0000000, 0 x 80000000, 0 xa 0000000, 0 x 00000000,$
		$0 x 80000000, 0 x 00000000, 0 xc 0000000, 0 x 00000000,$
		$0 x 80000000, 0 x 80000000, 0 x 40000000, 0 x 00000000,$
		$0 x 80000000, 0 x 80000000, 0 x 40000000, 0 x 00000000)$
	$Δ_{p}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 80000000, 0 x 00000000)$
	$Δ_{c}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
SHACAL-2	$Δ_{mk}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000,$
		$0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000,$
		$0 x 94857 ee 6, 0 x 00000000, 0 x 00000000, 0 x 00000000,$
		$0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
	$Δ_{p}$	$(0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000,$
		$0 x 00000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$
	$Δ_{c}$	$(0 x 80000000, 0 x 00000000, 0 x 00000000, 0 x 00000000,$
		$0 x 80000000, 0 x 00000000, 0 x 00000000, 0 x 00000000)$

Open in a new tab

Apart from all of the best-known impossible differentials that are indicated in Table 7, we also implemented and searched impossible differentials using the automated method of Sasaki and Todo [66] to compare the results with the ones observed by Algorithm 3. While for XTEA, LEA, and HIGHT, both methods find impossible differentials with the same number of rounds, for SHACAL-1 and SHACAL-2 Algorithm 3 achieves impossible differentials covering more rounds. For XTEA and HIGHT, the longest impossible differentials found by Algorithm 3 include a few active bits, and thus they could also be found by the other method. However, for SHACAL-1 and SHACAL-2, our algorithm found impossible differentials containing multiple active bits, which cannot be obtained by other methods that restrict to predefined differential subsets with a low number of active bits.

For the experiments, we have used ArxPy equipped with the SMT solver Boolector [62], winner of the SMT competition SMT-COMP 2019 in the bit-vector track [26]. We run the characteristic search for one week on a single core of an Intel Xeon 6244 at 3.60GHz. The search of impossible differentials was done on similar hardware during one week as well. Note that better characteristics and impossible differentials could be found if the round-reduced searches are not stopped after the first valid characteristic or if more time is employed.

TEA

Designed by Wheeler and Needham, TEA [73] is a block cipher with 64-bit block size and 128-bit key size. It iterates 64 times an ARX round function, including constant additions and logical shifts, depicted in Fig. 5. Since the logical shifts propagate XOR differences deterministically, the encoding method presented in Sect. 4.2 can be easily extended to include these operations.

Fig. 5 — The i-th round of TEA, $i = 0, 1 \dots, 63$ . The master key mk is split into four 32-bit words $(m k_{0}, m k_{1}, m k_{2}, m k_{3})$ and the i-th round key is defined as $(k_{i, 0}, k_{i, 1}) = (m k_{0}, m k_{1})$ if i is even and $(k_{i, 0}, k_{i, 1}) = (m k_{2}, m k_{3})$ if i is odd. The i-th round constant is defined as $Δ_{i} = Δ_{i - 2} ⊞ Δ_{0}$ , where $Δ_{- 1} = Δ_{0} = 2654435769$

Kelsey et al. [35] presented the best related-key characteristics in [35]. They found a 2-round iterative strong related-key characteristic $Ω$ with weight $(w_{k}, w_{e}) = (0, 1)$ , which they extended to a 60-round characteristic with weight (0, 30). They also discovered in [34] that each TEA key has three other equivalent keys.

Using ArxPy, we revisited the results by Kelsey et al. [34], but in a fully automated way. We found three related-key characteristics with weight zero over the full cipher, confirming that each key is equivalent to exactly three other keys. Excluding these three characteristics, we also obtained a 60-round strong related-key characteristic with weight (0, 30), and all the 60-round SMT problems with smaller weights were found to be unsatisfiable. Since a 60-round related-key characteristic is sufficient to mount the related-key differential cryptanalysis on full-round TEA [35], there is no need to search for characteristics containing more rounds of TEA, and we stop at 60 rounds.

There is also no need to search for related-key impossible differentials of TEA, as each of the three full-round zero-weight related-key characteristics induces roughly $2 \times 2^{64}$ full-round related-key impossible differentials, simply by alternating either the plaintext or the ciphertext difference.

XTEA

The block cipher XTEA [60] is designed by the same authors of TEA to fix the weakness of the former cipher (in the related-key setting). XTEA has a 64-bit block size and 128-bit key size, and it iterates 64 times the round function depicted in Fig. 6. Like TEA, the round function also includes logical shifts, but the constant additions are included in the key schedule.

Fig. 6 — The i-th round of XTEA, $i = 0, 1 \dots, 63$ . The master key mk is split into four 32-bit words $(m k_{0}, m k_{1}, m k_{2}, m k_{3})$ and the i-th round key is defined as $k_{i} = s_{i} ⊞ m k_{s_{i} \land 3}$ if i is even and $k_{i} = s_{i} ⊞ m k_{(s_{i} ≪ 11) \land 3}$ if i is odd. The i-th constant $s_{i}$ is defined as $s_{i} = s_{i - 2} ⊞ s_{0}$ , where $s_{- 1} = s_{0} = 2654435769$

The longest related-key characteristics found so far are the 16-round strong related-key differential with weight 32, manually found by Lu in [52], and the 18-round weak related-key characteristic with weights $(w_{KS}, w_{E}) = (19, 19)$ , manually found by Lee et al. [45] but later improved to (17, 19) by Lu [52].

The results of our automated search for related-key characteristics are listed in Table 6. In the strong related-key search, we found an 18-round characteristic with weight 57; all the SMT problems for 19 rounds were found to be unsatisfiable. In the weak related-key search, we found characteristics up to 27 rounds, where the 27-round characteristic has total weight $6 + 40 = 46$ . No equivalent keys were found for XTEA.

In our automated search for related-key impossible differentials of XTEA, we observed impossible differentials spanning 25 rounds, similar to the best impossible differential found this far by Darbuka [15]. Denoting the cipher XTEA with 25 rounds by $E = E_{2} \circ E_{1} \circ E_{0}$ , our related-key impossible differential contains a 13-round inner impossible differential over $E_{1}$ , extended by a deterministic 7-round backward trail over $E_{0}$ and a deterministic 5-round forward trail over $E_{2}$ as depicted in Table 7. Our automated tool was also able to complete the search of related-key impossible differentials up to 31 rounds, but no impossible differentials spanning more than 25 rounds were found.

HIGHT

Adopted as an international standard by ISO/IEC [33], HIGHT [31] is a lightweight cipher with a block size of 64 bits and a key size of 128 bits. The encryption function performs initial and final key whitening transformations, and iterates 32 times a round function including XORs, 2-input additions and rotations; the constant additions are performed in the key schedule.

Fig. 7 — The i-th round function of HIGHT, $i = 0, 1 \dots, 31$ [31]. The i-th round key is denoted by $k_{i} = (S K_{4 i - 1}, S K_{4 i - 2}, S K_{4 i - 3}, S K_{4 i - 4})$ and the functions $F_{0}$ and $F_{1}$ are defined as $F_{0} (x) = (x ⋘ 1) \oplus (x ⋘ 2) \oplus (x ⋘ 7)$ and $F_{1} (x) = (x ⋘ 3) \oplus (x ⋘ 4) \oplus (x ⋘ 6)$

Fig. 8 — The key schedule of HIGHT [31]. The round key words are denoted by $S K_{i}$ and the key schedule constants are denoted by $δ_{j}$

The longest related-key characteristics found for HIGHT are a 10-round strong characteristic with weight 12 found by Lu [50], and a 12-round weak characteristic with weights $(w_{KS}, w_{E}) = (2, 19)$ found by Koo et al. [40]. In our automated search, we found related-key characteristics up to 15 rounds, listed in Table 6. The longest strong related-key characteristic we found covered 15 rounds with weights (0, 45), whereas the longest weak related-key characteristic covered 14 rounds with total weight $13 + 14 = 27$ .

Özen et al. introduced the best-known 22-round related-key impossible differential for HIGHT [63]. Using ArxPy, we found a new impossible differential covering the same number of rounds, as shown in Table 7. Our impossible differential consists of a 14-round inner impossible differential, extended by two zero-weight 4-round backward and forward related-key trails. The mentioned 22-round impossible differential is the longest related-key impossible differential that ArxPy could obtain in one week by checking up to 32 rounds of HIGHT.

LEA

Among the family of ARX ciphers LEA [32], we analysed LEA-128, the version with 128-bit block size, 24 rounds, and 128-bit key size. The encryption round function of LEA performs 2-input additions, rotations, and XORs, whereas the key schedule contains constant additions and rotations.

Fig. 9 — The i-th round function of the encryption (top) and the key schedule (bottom) of LEA-128, $i = 0, 1 \dots, 23$ . The tuple $(k_{i, 0}, \dots, k_{i, 3})$ denotes the i-th round key and $δ_{i}$ denotes the i-th key schedule constant

The designers of LEA found related-key characteristics up to 11 rounds, but only specifying that the 11-round characteristics are valid for a small part of the key space and without providing the weights of such characteristics [32]. Excluding these characteristics, there are no others examples of related-key characteristics of LEA. Our automated search found weak related-key characteristics up to 7 rounds valid for the full key space, listed in Table 6. Strong characteristics with weight smaller than 128 were found up to 4 rounds, and all the strong related-key SMT problems for 5 rounds were found unsatisfiable. No equivalent keys were found for LEA.

We applied ArxPy on LEA to automatically search for related-key impossible differentials. While our method completed the search for a large number of rounds, only impossible differentials with non-zero key difference spanning up to four rounds were found. The lack of related-key impossible differentials, with low Hamming weight or with key schedule transitions with probability 1, seems to be due to the heavy and robust key schedule of LEA. By and large, ciphers with lightweight key schedule algorithms tend to have longer related-key impossible differentials in comparison to their single-key counterparts. However, the key schedule and the round function of LEA are of the same complexity. Thus, finding an impossible differential that covers more rounds in related-key setting instead of single-key setting seems infeasible. We confirmed this by applying our tool to LEA in the single-key setting, obtaining multiple 10-round single-key impossible differentials within a few hours.

SHACAL-1

Based on the compression function of the NIST standard hash function SHA-1 [19], the block cipher SHACAL-1 was initially suggested in [27] and submitted by Handschuh and Naccache to the NESSIE project [61]. SHACAL-1 uses 160-bit block size and 80 rounds, where its round function is similar to the SHA-1 compression function. The key size can be variable from 0 to 512 bits, although a minimum of 128-bit key size is required in [28] and we analysed SHACAL-1 for 512-bit keys.

There are some ad-hoc differential characteristics presented in [18, 30, 36]. However, Wang et al. [72] indicated that many of the previous characteristics are invalid. The longest valid XOR differential characteristic is a 35-round weak related-key characteristic that appeared in [18] and was later corrected in [72] to obtain the corrected weights $(w_{KS}, w_{E}) = (10, 29)$ . Moreover, the longest strong related-key XOR differential characteristic that is not found to be invalid by [72] spans 27 rounds of SHACAL-1 with the corresponding weights $(w_{KS}, w_{E}) = (0, 29)$ [36].

These characteristics do not necessarily start from the first round of SHACAL-1 since they are not used for a differential attack but rather for a rectangle attack [9]. Note that the round function of SHACAL-1 changes in different rounds (see Fig. 10), and these characteristics could take advantage of the variable definition of the round function. However, we are only looking for the characteristics starting from the first round and for the particular case of SHACAL-1 with variable round functions, we do not necessarily obtain the best possible characteristics.

Fig. 10 — The i-th round of SHACAL-1, $i = 0, 1 \dots, 79$ . The 160-bit input is divided into five 32-bit words $A_{i}$ , $B_{i}$ , $C_{i}$ , $D_{i}$ , and $E_{i}$ . The function $f_{i}$ significantly changes regarding the round number. For a given 512-bit master key $m k = (M_{0}, M_{1}, \dots, M_{15})$ , the round keys $K_{i}$ are computed as described above, where $W_{i}$ is the round constant

Our automated tool ArxPy obtained a weak-key 25-round characteristic with $(w_{KS}, w_{E}) = (1, 22)$ . Moreover, the tool could also find a 30-round characteristic in the strong-key setting with the corresponding weights $(w_{KS}, w_{E}) = (0, 63)$ . In our search, a large amount of SHACAL-1 characteristics found by the SMT solver did not pass our empirical validation test, which significantly increased the running time for finding each valid characteristic. More specifically and in the weak-key setting, we found more than 100 empirically invalid characteristics until we detected a valid 25-round one; we also obtained multiple 26-round weak characteristics within a week, but they were found invalid by our empirical test. We discarded more than 900 empirically invalid characteristics for the strong-key setting before finding a valid 30-round characteristic, and none of the 31-round trails obtained in a week could pass the test.

One of the main reasons for the large number of empirically invalid characteristics is the 5-input modular addition within the round function of SHACAL-1. Since the differential model of the modular addition with three or more inputs is unknown, we had to approximate the differential model of the 5-input addition with a chain of 2-input addition models. In other words, to model the 5-input addition $y = x_{1} ⊞ x_{2} ⊞ x_{3} ⊞ x_{4} ⊞ x_{5}$ , we split it into four 2-input additions

\begin{matrix} z_{1} = x_{1} ⊞ x_{2}, z_{2} = z_{1} ⊞ x_{3}, z_{3} = z_{2} ⊞ x_{4}, y = z_{3} ⊞ x_{5}, \end{matrix}

and we model the four 2-input additions independently. Thus, we are approximating the differential probability of the 5-input addition

\begin{matrix} Pr [(Δ_{x_{1}}, \dots, Δ_{x_{5}}) \overset{⊞}{\to} Δ_{y}] \end{matrix}

with the multiplication of the differential probabilities of the four 2-input additions

\begin{matrix} Pr [(Δ_{x_{1}}, Δ_{x_{2}}) \overset{⊞}{\to} Δ_{z_{1}}] \times & Pr [(Δ_{z_{1}}, Δ_{x_{3}}) \overset{⊞}{\to} Δ_{z_{2}}] \times \\ Pr [(Δ_{z_{2}}, Δ_{x_{4}}) \overset{⊞}{\to} Δ_{z_{3}}] \times Pr [(Δ_{z_{3}}, Δ_{x_{5}}) \overset{⊞}{\to} Δ_{y}] . \end{matrix}

For many differentials, this approximation is not accurate, and this caused the appearance of many empirically invalid characteristics in our search.

As depicted in Table 7, our automated tool found the first known related-key impossible differential of SHACAL-1, extending to 30 rounds of the cipher from rounds 20 to 49. The backward and forward trails respectively traverse 2 and 12 rounds of SHACAL-1, delimiting the inner 16-round impossible differential. The search for 31-round impossible differentials did not finish after one week, and we stopped the search. Thus, we expect that dedicating more time to the search may result in obtaining longer impossible differentials.

Fig. 11 — The i-th round of SHACAL-2, $i = 0, 1 \dots, 63$ . The 256-bit input is divided into eight 32-bit words $A_{i}$ , $B_{i}$ , $C_{i}$ , $D_{i}$ , $E_{i}$ , $F_{i}$ , $G_{i}$ , and $H_{i}$ . The special operators used in the round function of SHACAL-2 are $If$ , $Maj$ , $Σ_{0}$ , and $Σ_{1}$ that are defined as above. For a given 512-bit master key $m k = (M_{0}, M_{1}, \dots, M_{15})$ , the key schedule generates round keys $K_{i}$ as described in above, where $W_{i}$ is the round constant

SHACAL-2

Similar to SHACAL-1, the block cipher SHACAL-2 [28] was designed based on the compression function of the NIST standard hash function SHA-256 [20]. The cipher was submitted to the NESSIE project [61] and was approved as one of the NESSIE final selections. SHACAL-2 is a 256-bit block cipher, has 64 rounds, and supports a variable key size up to 512 bits. We analysed SHACAL-2 for 512-bit keys.

The longest ad-hoc related-key XOR differential characteristic in the strong-key setting is a 24-round characteristic presented in [51] with $(w_{KS}, w_{E}) = (0, 38)$ , which relies on some additional conditions on specific values alongside the differences to improve the weights. Moreover, in the weak-key setting, Biryukov et al. [12] provided two 24-round related-key XOR differential characteristics of SHACAL-2, each has encryption weight $w_{E} = 52$ . However, they did not explicitly mention the key schedule weight $w_{KS}$ for each characteristic.

Our automated search resulted in a 23-round characteristic in the strong-key setting with encryption weight $w_{E} = 58$ and a 22-round characteristic in the weak-key setting with total weight $w_{KS} + w_{E} = 6 + 29 = 35$ . Like SHACAL-1, our automated search could not find longer characteristics of SHACAL-2 within a week due to the large number of empirically invalid characteristics found. The round function of SHACAL-2 also contains a modular addition with multiple inputs (i.e., seven operands), and modelling it with 2-input additions is one of the main reasons for the inaccurate differential behaviour for some special differences.

Table 7 lists the results of the best related-key impossible differentials of SHACAL-2. The 18-round impossible differential presented by Yang et al. in [75] has been the longest known related-key impossible differential for SHACAL-2 so far. Our automated tool ArxPy obtained a 24-round impossible differential, improving the previous best result by 6 rounds. This impossible differential includes a 12-round inner impossible differential, extended by two deterministic 1-round backward and 11-round forward trails. We checked up to 28-rounds of SHACAL-2 in one week, and the longest impossible differential we observed was the 24-round related-key impossible differential.

Conclusion

In this paper, we proposed the first bit-vector differential model of the n-bit modular addition with a constant. We described a bit-vector formula, with bit-vector complexity O(1), that determines whether a differential is valid and a bit-vector function, with complexity $O ({log}_{2} n)$ , that provides a close approximation of the differential weight. In this regard, we carefully studied our approximation error and obtained almost tight bounds. Moreover, we described two new SMT-based automated methods to search for characteristics and impossible differentials of ARX ciphers including constant additions, respectively.

Each of our methods formulates the search problem as a sequence of bit-vector SMT problems, encoded from the cipher’s SSA representation and the bit-vector differential models of each operation. We have implemented our methods in ArxPy, an open-source tool to find characteristics and impossible differentials of ARX ciphers in a fully automated way. To show some examples, we have applied our automated methods to search for equivalent keys, related-key characteristics, and related-key impossible differentials of TEA, XTEA, HIGHT, LEA, SHACAL-1, and SHACAL-2.

Regarding the characteristic results, for TEA we revisited previous results obtained in a manual approach. In contrast, for XTEA, HIGHT, and LEA, we improved the previous best-known related-key characteristics in both the strong-key and the weak-key settings. Our characteristic results of SHACAL-1 and SHACAL-2 did not outperform previous works in all settings due to the presence of modular additions with more than two inputs, for which no efficient differential model has been proposed yet.

Concerning the impossible differentials, our results for TEA, XTEA, and HIGHT are of the same length, compared to the best-known related-key impossible differentials. On the other hand, we obtained the longest related-key impossible differentials for LEA, SHACAL-1, and SHACAL-2.

Our differential model relies on a bit-vector-friendly approximation on the binary logarithm. Thus, future works could explore other approximations improving the bit-vector complexity or the approximation error, which could also be applied to other SMT problems involving the binary logarithm. While we have focused on the modular addition by a constant, there are other simple operations for which no differential model has been proposed so far, such as the modular multiplication, and the modular addition with more than two inputs. Obtaining differential models for more operations will allow designing ciphers with more flexibility, leading to new designs that potentially are more efficient.

Acknowledgements

Seyyed Arash Azimi and Mohammad Reza Aref were partially supported by Iran National Science Foundation (INSF) under Contract No. 96/53979. Adrián Ranea is supported by a PhD Fellowship from the Research Foundation - Flanders (FWO).

Appendix A: Characteristics

We describe the characteristics covering most rounds that we obtained in Sect. 5. For each characteristic, we provide the difference of the master key words $Δ_{mk}$ , the difference of the plaintext words $Δ_{p}$ and the difference of the ciphertext words $Δ_{c}$ . Furthermore, for each round $i = 0, 1, \dots$ of the cipher, we provide the difference of the i-th round key words, the output difference of the i-th round function $Δ_{x_{i}}$ , the (cumulative) weight of the operations that compute the i-th round key words $w_{k_{i}}$ and the weight of the i-th round function $w_{x_{i}}$ . The differences are given in hexadecimal values.

Table 9.

The 60-round strong related-key characteristic of TEA

i-th round	$Δ_{x_{i}}$	$w_{x_{i}}$
0	(0x00000000, 0x80000000)	0
1	(0x80000000, 0x00000000)	1
2	(0x00000000, 0x80000000)	0
3	(0x80000000, 0x00000000)	1
4	(0x00000000, 0x80000000)	0
5	(0x80000000, 0x00000000)	1
6	(0x00000000, 0x80000000)	0
7	(0x80000000, 0x00000000)	1
8	(0x00000000, 0x80000000)	0
9	(0x80000000, 0x00000000)	1
10	(0x00000000, 0x80000000)	0
11	(0x80000000, 0x00000000)	1
12	(0x00000000, 0x80000000)	0
13	(0x80000000, 0x00000000)	1
14	(0x00000000, 0x80000000)	0
15	(0x80000000, 0x00000000)	1
16	(0x00000000, 0x80000000)	0
17	(0x80000000, 0x00000000)	1
18	(0x00000000, 0x80000000)	0
19	(0x80000000, 0x00000000)	1
20	(0x00000000, 0x80000000)	0
21	(0x80000000, 0x00000000)	1
22	(0x00000000, 0x80000000)	0
23	(0x80000000, 0x00000000)	1
24	(0x00000000, 0x80000000)	0
25	(0x80000000, 0x00000000)	1
26	(0x00000000, 0x80000000)	0
27	(0x80000000, 0x00000000)	1
28	(0x00000000, 0x80000000)	0
29	(0x80000000, 0x00000000)	1
30	(0x00000000, 0x80000000)	0
31	(0x80000000, 0x00000000)	1
32	(0x00000000, 0x80000000)	0
33	(0x80000000, 0x00000000)	1
34	(0x00000000, 0x80000000)	0
35	(0x80000000, 0x00000000)	1
36	(0x00000000, 0x80000000)	0
37	(0x80000000, 0x00000000)	1
38	(0x00000000, 0x80000000)	0
39	(0x80000000, 0x00000000)	1
40	(0x00000000, 0x80000000)	0
41	(0x80000000, 0x00000000)	1
42	(0x00000000, 0x80000000)	0
43	(0x80000000, 0x00000000)	1
44	(0x00000000, 0x80000000)	0
45	(0x80000000, 0x00000000)	1
46	(0x00000000, 0x80000000)	0
47	(0x80000000, 0x00000000)	1
48	(0x00000000, 0x80000000)	0
49	(0x80000000, 0x00000000)	1
50	(0x00000000, 0x80000000)	0
51	(0x80000000, 0x00000000)	1
52	(0x00000000, 0x80000000)	0
53	(0x80000000, 0x00000000)	1
54	(0x00000000, 0x80000000)	0
55	(0x80000000, 0x00000000)	1
56	(0x00000000, 0x80000000)	0
57	(0x80000000, 0x00000000)	1
58	(0x00000000, 0x80000000)	0
59	(0x80000000, 0x00000000)	1
Total		30
$Δ_{p}$	(0x80000000, 0x00000000)
$Δ_{c}$	(0x80000000, 0x00000000)
$Δ_{mk}$	(0x00000000, 0x00000000, 0x00000000, 0x84000000)

Open in a new tab

Table 10.

The three full-round related-key characteristics with total weight 0 of TEA

$Δ_{mk}$	$Δ_{p}$	$Δ_{c}$
(0x80000000, 0x80000000, 0x80000000, 0x80000000)	(0x00000000, 0x00000000)	(0x00000000, 0x00000000)
(0x00000000, 0x00000000, 0x80000000, 0x80000000)	(0x00000000, 0x00000000)	(0x00000000, 0x00000000)
(0x80000000, 0x80000000, 0x00000000, 0x00000000)	(0x00000000, 0x00000000)	(0x00000000, 0x00000000)

Open in a new tab

Table 11.

The 18-round strong related-key characteristic of XTEA

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x00000000	0	(0x00010000, 0x44200000)	9
1	0x00000000	0	(0x44200000, 0x04000000)	6
2	0x00000000	0	(0x04000000, 0x80000000)	6
3	0x80000000	0	(0x80000000, 0x00000000)	2
4	0x80000000	0	(0x00000000, 0x00000000)	0
5	0x00000000	0	(0x00000000, 0x00000000)	0
6	0x00000000	0	(0x00000000, 0x00000000)	0
7	0x00000000	0	(0x00000000, 0x00000000)	0
8	0x00000000	0	(0x00000000, 0x00000000)	0
9	0x00000000	0	(0x00000000, 0x00000000)	0
10	0x00000000	0	(0x00000000, 0x00000000)	0
11	0x00000000	0	(0x00000000, 0x00000000)	0
12	0x80000000	0	(0x00000000, 0x80000000)	0
13	0x80000000	0	(0x80000000, 0x04000000)	2
14	0x00000000	0	(0x04000000, 0x44200000)	6
15	0x00000000	0	(0x44200000, 0x00010000)	6
16	0x00000000	0	(0x00010000, 0xc4310800)	9
17	0x00000000	0	(0xc4310800, 0x01010040)	11
Total		0		57
$Δ_{p}$	(0xc4310800, 0x00010000)
$Δ_{c}$	(0xc4310800, 0x01010040)
$Δ_{mk}$	(0x00000000, 0x00000000, 0x80000000, 0x00000000)

Open in a new tab

Table 12.

The 27-round weak related-key characteristic of XTEA

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x00000000	0	(0x00000000, 0x00000000)	0
1	0x80000000	0	(0x00000000, 0x80000000)	0
2	0x80000000	0	(0x80000000, 0x04000000)	2
3	0x40200000	1.179	(0x04000000, 0x04000000)	4
4	0x40200000	0	(0x04000000, 0x80000000)	4
5	0x80000000	0	(0x80000000, 0x00000000)	2
6	0x80000000	0	(0x00000000, 0x00000000)	0
7	0x00000000	0	(0x00000000, 0x00000000)	0
8	0x00000000	0	(0x00000000, 0x00000000)	0
9	0x00000000	0	(0x00000000, 0x00000000)	0
10	0x80000000	0	(0x00000000, 0x80000000)	0
11	0x80000000	0	(0x80000000, 0x04000000)	2
12	0x40200000	1.006	(0x04000000, 0x04000000)	4
13	0x40200000	0.734	(0x04000000, 0x80000000)	4
14	0x80000000	0	(0x80000000, 0x00000000)	2
15	0x80000000	0	(0x00000000, 0x00000000)	0
16	0x00000000	0	(0x00000000, 0x00000000)	0
17	0x00000000	0	(0x00000000, 0x00000000)	0
18	0x80000000	0	(0x00000000, 0x80000000)	0
19	0x00000000	0	(0x80000000, 0x84000000)	2
20	0x40600000	2.067	(0x84000000, 0x80000000)	4
21	0x80000000	0	(0x80000000, 0x80000000)	2
22	0x80000000	0	(0x80000000, 0x84000000)	2
23	0xc0600000	1.907	(0x84000000, 0x80000000)	4
24	0x00000000	0	(0x80000000, 0x00000000)	2
25	0x80000000	0	(0x00000000, 0x00000000)	0
26	0x80000000	0	(0x00000000, 0x80000000)	0
Total		6.893		40
$Δ_{p}$	(0x00000000, 0x00000000)
$Δ_{c}$	(0x80000000, 0x00000000)
$Δ_{mk}$	(0x00000000, 0x80000000, 0xc0200000, 0x80000000)

Open in a new tab

Table 13.

The 15-round strong related-key characteristic of HIGHT. The round -1 corresponds to the initial key whitening

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
− 1	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x09, 0x20, 0xb8, 0xe9, 0x80, 0x00)	1
0	(0x00, 0x00, 0x80, 0x00)	0	(0x00, 0x00, 0x20, 0xb8, 0xe9, 0x80, 0x00, 0x00)	3
1	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0xb8, 0x2c, 0x80, 0x00, 0x00, 0x00)	6
2	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x2c, 0x80, 0x00, 0x00, 0x00, 0x00)	3
3	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00)	3
4	(0x00, 0x80, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
5	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
6	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
7	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
8	(0x80, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80)	0
9	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0xd4, 0x80, 0x00)	5
10	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x90, 0xd4, 0x80, 0x00, 0x00)	1
11	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0xe9, 0x90, 0x95, 0x80, 0x00, 0x00, 0x00)	7
12	(0x00, 0x00, 0x00, 0x00)	0	(0xe9, 0x00, 0x95, 0x80, 0x00, 0x00, 0x00, 0x80)	1
13	(0x00, 0x00, 0x00, 0x80)	0	(0x00, 0xe9, 0x80, 0x00, 0x00, 0xa4, 0x80, 0xe9)	9
14	(0x00, 0x00, 0x00, 0x00)	0	(0x80, 0xe9, 0x80, 0x00, 0x89, 0xa4, 0x2b, 0xe9)	6
Total		0		45
$Δ_{p}$	(0x00, 0x00, 0x09, 0x20, 0xb8, 0xe9, 0x80, 0x00)
$Δ_{c}$	(0x80, 0xe9, 0x80, 0x00, 0x89, 0xa4, 0x2b, 0xe9)
$Δ_{mk}$	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00)

Open in a new tab

Table 14.

The 14-round weak related-key characteristic of HIGHT. The round -1 corresponds to the initial key whitening

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
-1	(0x00, 0x00, 0x00, 0x40)	0	(0x62, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	1
0	(0x40, 0x00, 0x00, 0x00)	0.791	(0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	2
1	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0)	0
2	(0x00, 0x00, 0x00, 0x3a)	1.0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00)	0
3	(0x00, 0x00, 0x00, 0x40)	0.752	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	1
4	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
5	(0x00, 0x00, 0x00, 0x40)	0.791	(0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00)	1
6	(0x00, 0x00, 0x2e, 0x00)	4.0	(0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00)	5
7	(0x00, 0x00, 0x40, 0x00)	1.093	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	1
8	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
9	(0x00, 0x00, 0xc0, 0x00)	0.046	(0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00)	1
10	(0x00, 0x16, 0x00, 0x00)	4.0	(0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00)	0
11	(0x00, 0x40, 0x00, 0x00)	0.142	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	1
12	(0x00, 0x00, 0x00, 0x00)	0	(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)	0
13	(0x00, 0x00, 0xc0, 0x00)	0.476	(0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00)	1
Total		13.091		14
$Δ_{p}$	(0x62, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40)
$Δ_{c}$	(0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00)
$Δ_{mk}$	(0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00)

Open in a new tab

Table 15.

The 7-round weak related-key characteristic of LEA

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	(0x20000000, 0x00000000, 0x00000000, 0x00000000)	0.408	(0x80000000, 0x40000000, 0xc0000010, 0x4000000c)	14
1	(0x40000000, 0x00000000, 0x00000000, 0x00000000)	0.462	(0x00000000, 0x80000000, 0x80000000, 0x80000000)	7
2	(0x80000000, 0x00000000, 0x00000000, 0x00000000)	0.695	(0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
3	(0x00000001, 0x00000000, 0x00000000, 0x00000000)	0	(0x00000200, 0x00000000, 0x00000000, 0x00000000)	1
4	(0x00000002, 0x00000000, 0x00000000, 0x00000000)	0	(0x00040400, 0x00000000, 0x00000000, 0x00000200)	2
5	(0x00000004, 0x00000000, 0x00000000, 0x00000000)	0	(0x08080800, 0x00000000, 0x00000040, 0x00040400)	4
6	(0x00000008, 0x00000000, 0x00000000, 0x00000000)	1.0	(0x10101010, 0x00000002, 0x00008088, 0x08080800)	8
Total		2.565		36
$Δ_{p}$	(0x4000000c, 0x2040000c, 0x20400004, 0x20400082)
$Δ_{c}$	(0x10101010, 0x00000002, 0x00008088, 0x08080800)
$Δ_{mk}$	(0x10000000, 0x00000000, 0x00000000, 0x00000000)

Open in a new tab

Table 16.

The 30-round strong related-key characteristic of SHACAL-1

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x80000000	0	(0x00000000, 0x00000002, 0x00000000, 0x80100008, 0x00008000)	7
1	0x80000000	0	(0x00008000, 0x00000000, 0x80000000, 0x00000000, 0x80100008)	5
2	0x00000000	0	(0x00000008, 0x00008000, 0x00000000, 0x80000000, 0x00000000)	5
3	0x00000000	0	(0x00000100, 0x00000008, 0x00002000, 0x00000000, 0x80000000)	5
4	0x80000000	0	(0x00000008, 0x00000100, 0x00000002, 0x00002000, 0x00000000)	6
5	0x00000000	0	(0x00000102, 0x00000008, 0x00000040, 0x00000002, 0x00002000)	8
6	0x00000000	0	(0x00000000, 0x00000102, 0x00000002, 0x00000040, 0x00000002)	8
7	0x00000000	0	(0x00000000, 0x00000000, 0x80000040, 0x00000002, 0x00000040)	5
8	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x80000040, 0x00000002)	5
9	0x00000000	0	(0x00000002, 0x00000000, 0x00000000, 0x00000000, 0x80000040)	3
10	0x80000000	0	(0x00000000, 0x00000002, 0x00000000, 0x00000000, 0x00000000)	3
11	0x00000000	0	(0x00000000, 0x00000000, 0x80000000, 0x00000000, 0x00000000)	1
12	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x80000000, 0x00000000)	1
13	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x80000000)	1
14	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
15	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
16	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
17	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
18	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
19	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
20	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
21	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
22	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
23	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
24	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
25	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
26	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
27	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
28	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
29	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
Total		0		63
$Δ_{p}$	(0x00000002, 0x00000000, 0x80100008, 0x00008000, 0x80000040)
$Δ_{c}$	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)
$Δ_{mk}$	(0x80000000, 0x80000000, 0x00000000, 0x00000000,
	0x80000000, 0x00000000, 0x00000000, 0x00000000,
	0x80000000, 0x00000000, 0x80000000, 0x00000000,
	0x80000000, 0x00000000, 0x80000000, 0x00000000)

Open in a new tab

Table 17.

The 25-round weak related-key characteristic of SHACAL-1

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x00000000	0	(0x00000000, 0x00000000, 0x80000040, 0x00000002, 0x80000000)	3
1	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x80000040, 0x00000002)	3
2	0x00000000	0	(0x00000002, 0x00000000, 0x00000000, 0x00000000, 0x80000040)	3
3	0x80000000	0	(0x00000000, 0x00000002, 0x00000000, 0x00000000, 0x00000000)	3
4	0x00000000	0	(0x00000000, 0x00000000, 0x80000000, 0x00000000, 0x00000000)	1
5	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x80000000, 0x00000000)	1
6	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x80000000)	1
7	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
8	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
9	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
10	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
11	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
12	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
13	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
14	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
15	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
16	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
17	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
18	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
19	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
20	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
21	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
22	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	0
23	0x00000003	1	(0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000)	4
24	0x00000000	0	(0x00000020, 0x00000001, 0x00000000, 0x00000000, 0x00000000)	3
Total		1		22
$Δ_{p}$	(0x00000000, 0x00000102, 0x00000002, 0x80000000, 0x80000000)
$Δ_{c}$	(0x00000020, 0x00000001, 0x00000000, 0x00000000, 0x00000000)
$Δ_{mk}$	(0x00000000, 0x80000000, 0x00000000, 0x80000000,
	0x00000000, 0x80000000, 0x00000000, 0x80000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000)

Open in a new tab

Table 18.

The 23-round strong related-key characteristic of SHACAL-2

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x00000000	0	(0x00000000, 0x00000000, 0x221c0240, 0x80000000,	12
			0x00000000, 0x00082200, 0x20040000, 0x80000000)
1	0x00000000	0	(0x80000000, 0x00000000, 0x00000000, 0x221c0240,	26
			0x00000000, 0x00000000, 0x00082200, 0x20040000)
2	0x00000000	0	(0x00000000, 0x80000000, 0x00000000, 0x00000000,	7
			0x02100040, 0x00000000, 0x00000000, 0x00082200)
3	0x00000000	0	(0x00000000, 0x00000000, 0x80000000, 0x00000000,	4
			0x00000000, 0x02100040, 0x00000000, 0x00000000)
4	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x80000000,	3
			0x00000000, 0x00000000, 0x02100040, 0x00000000)
5	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	4
			0x80000000, 0x00000000, 0x00000000, 0x02100040)
6	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	1
			0x00000000, 0x80000000, 0x00000000, 0x00000000)
7	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	1
			0x00000000, 0x00000000, 0x80000000, 0x00000000)
8	0x80000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x80000000)
9	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
10	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	3
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
11	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
12	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
13	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
14	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
15	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
16	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
17	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
18	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
19	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
20	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
21	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
22	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
Total		0		58
$Δ_{p}$	(0x00000000, 0x00000000, 0x221c0240, 0x80000000,
	0x00000000, 0x00082200, 0x20040000, 0x80000000)
$Δ_{c}$	(0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000)
$Δ_{mk}$	(0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x80000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000)

Open in a new tab

Table 19.

The 22-round weak related-key characteristic of SHACAL-2

i-th round	$Δ_{k_{i}}$	$w_{k_{i}}$	$Δ_{x_{i}}$	$w_{x_{i}}$
0	0x00000000	0	(0x00000000, 0x00020000, 0x00000000, 0x00000000,	6
			0x01000840, 0x00000000, 0x00000000, 0x88000020)
1	0x00000000	0	(0x00000000, 0x00000000, 0x00020000, 0x00000000,	4
			0x00000000, 0x01000840, 0x00000000, 0x00000000)
2	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00020000,	4
			0x00000000, 0x00000000, 0x01000840, 0x00000000)
3	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	4
			0x00020000, 0x00000000, 0x00000000, 0x01000840)
4	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	1
			0x00000000, 0x00020000, 0x00000000, 0x00000000)
5	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	1
			0x00000000, 0x00000000, 0x00020000, 0x00000000)
6	0x00020000	0.405	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	3
			0x00000000, 0x00000000, 0x00000000, 0x00020000)
7	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
8	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
9	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
10	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
11	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
12	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	3
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
13	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
14	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
15	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
16	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
17	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
18	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
19	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
20	0x00000000	0	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	0
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
21	0x80004400	6.262	(0x00000000, 0x00000000, 0x00000000, 0x00000000,	6
			0x00000000, 0x00000000, 0x00000000, 0x00000000)
Total		6.67		29
$Δ_{p}$	(0x00000000, 0x00020000, 0x00000000, 0x00000000,
	0x01000840, 0x00000000, 0x00000000, 0x88000020)
$Δ_{c}$	(0x80004400, 0x00000000, 0x00000000, 0x00000000,
	0x80004400, 0x00000000, 0x00000000, 0x00000000)
$Δ_{mk}$	(0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00020000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000,
	0x00000000, 0x00000000, 0x00000000, 0x00000000)

Open in a new tab

Footnotes

https://github.com/ranea/ArxPy.

It is possible to get another solution of an SMT problem by solving it again with an additional constraint that excludes the first solution. By repeating this process, one can find all the solutions.

https://github.com/ranea/ArxPy.

Parts of this paper were presented at the Asiacrypt 2020 conference [3].

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Contributor Information

Seyyed Arash Azimi, Email: arash_azimi@ee.sharif.edu.

Adrián Ranea, Email: adrian.ranea@esat.kuleuven.be.

Mahmoud Salmasizadeh, Email: salmasi@sharif.edu.

Javad Mohajeri, Email: mohajer@sharif.edu.

Mohammad Reza Aref, Email: aref@sharif.edu.

Vincent Rijmen, Email: vincent.rijmen@esat.kuleuven.be.

References

1.Aumasson JP, Henzen L, Meier W, Phan RCW. Sha-3 proposal blake. NIST (round 3) 2009;92:2008. [Google Scholar]
2.Aumasson J.P., Jovanovic P., Neves S.: Analysis of NORX: investigating differential and rotational properties. In: LATINCRYPT, volume 8895 of Lecture Notes in Computer Science. Springer, Cham (2014).
3.Azimi S.A., Ranea A., Salmasizadeh M., Mohajeri J., Aref M.R., Rijmen V.: A bit-vector differential model for the modular addition by a constant. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 385–414. Springer, Cham (2020).
4.Bagherzadeh E, Ahmadian Z. Milp-based automatic differential searches for LEA and HIGHT. IACR Cryptol. 2018;2018:948. [Google Scholar]
5.Barrett C, Tinelli C. Satisfiability modulo theories. In: Clarke EM, Henzinger TA, Veith H, Bloem R, editors. Handbook of Model Checking. Cham: Springer; 2018. pp. 305–343. [Google Scholar]
6.Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L. The SIMON and SPECK families of lightweight block ciphers. IACR Cryptol. 2013;2013:404. [Google Scholar]
7.Bernstein DJ. The salsa20 family of stream ciphers. New York: Springer; 2008. [Google Scholar]
8.Biham E., Biryukov A., Shamir A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT, volume 1592 of Lecture Notes in Computer Science. Springer (1999).
9.Biham E., Dunkelman O., Keller N.: The rectangle attack-rectangling the serpent. In: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology - EUROCRYPT 2001, Innsbruck, Austria, May 6–10, 2001 (2001).
10.Biham E, Shamir A. Differential cryptanalysis of des-like cryptosystems. J. Cryptol. 1991;4(1):3–72. doi: 10.1007/BF00630563. [DOI] [Google Scholar]
11.Biryukov A., Velichkov V.: Automatic search for differential trails in arx ciphers. In Cryptographers’ Track at the RSA Conference. Springer, Cham (2014)
12.Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced sha-256. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer (2011)
13.Biryukov A., Velichkov V., Le Corre Y.: Automatic search for the best trails in arx: application to block cipher speck. In: International Conference on Fast Software Encryption, pp. 289–310. Springer (2016).
14.Cui T, Chen S, Fu K, Wang M, Jia K. New automatic tool for finding impossible differentials and zero-correlation linear approximations. Sci. China. 2021;64(2):129103. [Google Scholar]
15.Darbuka A.: Related-key attacks on block ciphers. Master’s thesis. Master’s thesis, Middle East Technical University (2009).
16.Dinu D., Perrin L., Udovenko A., Velichkov V., Großschädl J., Biryukov A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: ASIACRYPT (1), volume 10031 of Lecture Notes in Computer Science (2016).
17.Dinu D, Corre YL, Khovratovich D, Perrin L, Großschädl J, Biryukov A. Triathlon of lightweight block ciphers for the internet of things. J. Cryptogr. Eng. 2019;9(3):283–302. doi: 10.1007/s13389-018-0193-x. [DOI] [Google Scholar]
18.Dunkelman O., Keller N., Kim J.: Related-key rectangle attack on the full shacal-1. In: International Workshop on Selected Areas in Cryptography. Springer (2006).
19.FIPS. Secure hash standard. Federal Information Processing Standards Publication 180-1. (1995).
20.FIPS. Secure hash standard. Federal Information Processing Standards Publication 180-4 (2015).
21.Fu K., Wang M., Guo Y., Sun S., Hu L.: Milp-based automatic search algorithms for differential and linear trails for speck. In: Fast Software Encryption—23rd International Conference, FSE 2016, Bochum, Germany, March 20–23, 2016 Revised Selected Papers (2016).
22.Ganesh V., Dill D.L.: A decision procedure for bit-vectors and arrays. In: CAV, volume 4590 of Lecture Notes in Computer Science. Springer (2007).
23.Gario M., Micheli A.: Pysmt: a solver-agnostic library for fast prototyping of smt-based algorithms. In: SMT Workshop 2015 (2015).
24.Gartner. Gartner identifies top 10 strategic IoT technologies and trends. https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends (2018).
25.Gartner. Gartner survey reveals 47 percent of organizations will increase investments in IoT despite the impact of covid-19. https://www.gartner.com/en/newsroom/press-releases/2020-10-29-gartner-survey-reveals-47-percent-of-organizations-will-increase-investments-in-iot-despite-the-impact-of-covid-19- (2020).
26.Hadarean L., Hyvarinen A., Niemetz A., Reger G.: 14th international satisfiability modulo theories competition (smt-comp 2019). https://smt-comp.github.io/2019/ (2019).
27.Handschuh H., Knudsen L.R., Robshaw M.J.: Analysis of sha-1 in encryption mode. In: Track at the RSA Conference. Springer (2001)
28.Handschuh H., Naccache D.: Shacal: a family of block ciphers. Submission to the NESSIE project (2002).
29.Henry J, Warren S. Hacker’s delight. Boston: Addison-Wesley; 2003. [Google Scholar]
30.Hong S., Kim J., Lee S., Preneel B.: Related-key rectangle attacks on reduced versions of shacal-1 and aes-192. Springer, In International Workshop on Fast Software Encryption (2005).
31.Hong D., Sung J., Hong S., Lim J., Lee S., Koo B.S., Lee C., Chang D., Lee J., Jeong K., Kim H.: HIGHT: A new block cipher suitable for low-resource device. In: Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10–13, 2006, Proceedings (2006).
32.Hong D., Lee J.K., Kim D.C., Kwon D., Ryu K.H., Lee D.G.: LEA: A 128-bit block cipher for fast encryption on common processors. In: WISA, volume 8267 of Lecture Notes in Computer Science. Springer (2013).
33.ISO/IEC 18033-3:2010. Information technology, Security techniques, Encryption algorithms, Part 3: Block ciphers. Standard, International Organization for Standardization (2010).
34.Kelsey J., Schneier B., Wagner D.A.: Key-schedule cryptanalysis of idea, g-des, gost, safer, and triple-des. In: CRYPTO, volume 1109 of Lecture Notes in Computer Science. Springer (1996).
35.Kelsey J., Schneier B., Wagner B.A.: Related-key cryptanalysis of 3-way, biham-des, cast, des-x, newdes, rc2, and TEA. In: ICICS, volume 1334 of Lecture Notes in Computer Science. Springer (1997).
36.Kim J., Kim G., Hong S., Lee S., Hong D.: The related-key rectangle attack, application to shacal-1. In: Australasian Conference on Information Security and Privacy. Springer (2004).
37.Knudsen L. Deal-a 128-bit block cipher. Complexity. 1998;258(2):216. [Google Scholar]
38.Kölbl S., Hadipour H.: Cryptosmt: An easy to use tool for cryptanalysis of symmetric primitives based on smt/sat solvers. https://github.com/kste/cryptosmt.
39.Kölbl S., Leander G., Tiessen T., Observations on the SIMON block cipher family. In Advances in Cryptology - CRYPTO 2015–35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20,: Proceedings. Part I, 2015 (2015).
40.Koo B., Hong D., Kwon D.: Related-key attack on the full HIGHT. In: Information Security and Cryptology - ICISC 2010 - 13th International Conference, Seoul, Korea, December 1–3, 2010, Revised Selected Papers (2010).
41.Koo B, Roh D, Kim H, Jung Y, Lee D, Kwon, D: CHAM: A family of lightweight block ciphers for resource-constrained devices. In: Information Security and Cryptology - ICISC 2017 - 20th International Conference, Seoul, South Korea, November 29–December 1, 2017, Revised Selected Papers (2017).
42.Kovásznai G, Fröhlich A, Biere A. Complexity of fixed-size bit-vector logics. Theory Comput. Syst. 2016;59(2):323. doi: 10.1007/s00224-015-9653-1. [DOI] [Google Scholar]
43.Lai X., Massey J.L.: A proposal for a new block encryption standard. In EUROCRYPT, volume 473 of Lecture Notes in Computer Science. Springer (1990).
44.Lai X., Massey J.L., Murphy S.: Markov ciphers and differential cryptanalysis. In: EUROCRYPT, volume 547 of Lecture Notes in Computer Science. Springer (1991).
45.Lee E., Hong D., Chang D., Hong S., Lim J.: A weak key class of XTEA for a related-key rectangle attack. In: VIETCRYPT, volume 4341 of Lecture Notes in Computer Science. Springer (2006).
46.Lipmaa H.: On differential properties of pseudo-hadamard transform and related mappings. In: A. Menezes, P. Sarkar (eds) Progress in Cryptology - INDOCRYPT 2002, Third International Conference on Cryptology in India, Hyderabad, India, December 16–18, 2002, vol. 2551 of Lecture Notes in Computer Science. Springer (2002).
47.Lipmaa H., Moriai S.: Efficient algorithms for computing differential properties of addition. In: Fast Software Encryption, 8th International Workshop, FSE 2001 Yokohama, Japan, April 2–4, 2001, Revised Papers (2001).
48.Liu Y, Witte GD, Ranea A, Ashur T. Rotational-xor cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol. 2017;3:2017. [Google Scholar]
49.Lodi A.: Mixed integer programming computation. In: 50 Years of Integer Programming. Springer (2010).
50.Lu J.: Cryptanalysis of reduced versions of the HIGHT block cipher from CHES 2006. In: Information Security and Cryptology - ICISC 2007, 10th International Conference, Seoul, Korea, November 29–30, 2007, Proceedings (2007).
51.Lu J., Kim J., Keller N., Dunkelman O.: Related-key rectangle attack on 42-round shacal-2. In: International Conference on Information Security. Springer (2006).
52.Lu J. Related-key rectangle attack on 36 rounds of the XTEA block cipher. Int. J. Inf. Sec. 2009;8(1):15. doi: 10.1007/s10207-008-0059-9. [DOI] [Google Scholar]
53.Machado AW. Differential probability of modular addition with a constant operand. IACR Cryptol. 2001;2001:52. [Google Scholar]
54.Matsui M.: On correlation between the order of s-boxes and the strength of des. Springer, In Workshop on the Theory and Application of of Cryptographic Techniques (1994).
55.Meurer A, Smith CP, Paprocki M, et al. Sympy: symbolic computing in python. PeerJ. 2017;3:e103. [Google Scholar]
56.Mitchell JN. Computer multiplication and division using binary logarithms. IRE Trans. Electron. Comput. 1962;4:512. doi: 10.1109/TEC.1962.5219391. [DOI] [Google Scholar]
57.Mouha N, Preneel B. Towards finding optimal differential characteristics for ARX: application to Salsa20. IACR Cryptol. 2013;2013:328. [Google Scholar]
58.Mouha N., Mennink B., Van Herrewege A., Watanabe D., Preneel B., Verbauwhede I.: Chaskey: an efficient mac algorithm for 32-bit microcontrollers. In International Conference on Selected Areas in Cryptography. Springer (2014).
59.National Institute of Standards and Technology. Lightweight cryptography project. https://csrc.nist.gov/Projects/Lightweight-Cryptography.
60.Needham R., Wheeler D.: Tea extensions. Technical report, Computer Laboratory, University of Cambridge (1997).
61.NESSIE. New european schemes for signatures, integrity and encryption. https://www.cosic.esat.kuleuven.be/nessie/index.html.
62.Niemetz A, Preiner M, Biere A. Boolector 2.0 system description. J. Satisf. Boolean Modeling Comput. 2015;9:53–58. doi: 10.3233/SAT190101. [DOI] [Google Scholar]
63.Özen O., Varıcı K., Tezcan C., Kocair C.: Lightweight block ciphers revisited: Cryptanalysis of reduced round present and height. In Australasian Conference on Information Security and Privacy. Springer (2009).
64.Ranea A, Liu Y, Ashur T. An easy-to-use tool for rotational-xor cryptanalysis of ARX block ciphers. Proc. Roman. Acad. Series A. 2017;18(3):1–8. [Google Scholar]
65.Ren J, Chen S. Cryptanalysis of reduced-round speck. IEEE Access. 2019;7:63045–63056. doi: 10.1109/ACCESS.2019.2917015. [DOI] [Google Scholar]
66.Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects - revealing structural properties of several ciphers. In EUROCRYPT (3), volume 10212 of Lecture Notes in Computer Science (2017).
67.Schulte-Geers E. On ccz-equivalence of addition mod $2^n$ Designs Codes Cryptogr. 2013;66(1–3):111–127. doi: 10.1007/s10623-012-9668-4. [DOI] [Google Scholar]
68.Song L., Huang Z., Yang Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In Information Security and Privacy - 21st Australasian Conference, ACISP: Melbourne, VIC, Australia, July 4–6, 2016, Proceedings. Part I, 2016 (2016).
69.Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: Application to simon, present, lblock, DES(L) and other bit-oriented block ciphers. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I (2014).
70.Sun S, Gerault D, Lafourcade P, Yang Q, Todo Y, Qiao K, Hu L. Analysis of aes, skinny, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017;1:2017. [Google Scholar]
71.Wagner DA. The boomerang attack. In Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings (1999).
72.Wang G., Keller N., Dunkelman O.: The delicate issues of addition with respect to xor differences. In: International Workshop on Selected Areas in Cryptography. Springer (2007).
73.Wheeler D.J., Needham R.M.: Tea, a tiny encryption algorithm. In FSE, volume 1008 of Lecture Notes in Computer Science. Springer (1994).
74.Winternitz RS, Hellman ME. Chosen-key attacks on a block cipher. Cryptologia. 1987;11(1):1–7. doi: 10.1080/0161-118791861749. [DOI] [Google Scholar]
75.Yang SP, Hu YP, Zhong MF. Related-key impossible differential attacks on 31-round shacal-2. J. Commun. 2006;28(11A):54–58. [Google Scholar]

[CR1] 1.Aumasson JP, Henzen L, Meier W, Phan RCW. Sha-3 proposal blake. NIST (round 3) 2009;92:2008. [Google Scholar]

[CR2] 2.Aumasson J.P., Jovanovic P., Neves S.: Analysis of NORX: investigating differential and rotational properties. In: LATINCRYPT, volume 8895 of Lecture Notes in Computer Science. Springer, Cham (2014).

[CR3] 3.Azimi S.A., Ranea A., Salmasizadeh M., Mohajeri J., Aref M.R., Rijmen V.: A bit-vector differential model for the modular addition by a constant. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 385–414. Springer, Cham (2020).

[CR4] 4.Bagherzadeh E, Ahmadian Z. Milp-based automatic differential searches for LEA and HIGHT. IACR Cryptol. 2018;2018:948. [Google Scholar]

[CR5] 5.Barrett C, Tinelli C. Satisfiability modulo theories. In: Clarke EM, Henzinger TA, Veith H, Bloem R, editors. Handbook of Model Checking. Cham: Springer; 2018. pp. 305–343. [Google Scholar]

[CR6] 6.Beaulieu R, Shors D, Smith J, Treatman-Clark S, Weeks B, Wingers L. The SIMON and SPECK families of lightweight block ciphers. IACR Cryptol. 2013;2013:404. [Google Scholar]

[CR7] 7.Bernstein DJ. The salsa20 family of stream ciphers. New York: Springer; 2008. [Google Scholar]

[CR8] 8.Biham E., Biryukov A., Shamir A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: EUROCRYPT, volume 1592 of Lecture Notes in Computer Science. Springer (1999).

[CR9] 9.Biham E., Dunkelman O., Keller N.: The rectangle attack-rectangling the serpent. In: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology - EUROCRYPT 2001, Innsbruck, Austria, May 6–10, 2001 (2001).

[CR10] 10.Biham E, Shamir A. Differential cryptanalysis of des-like cryptosystems. J. Cryptol. 1991;4(1):3–72. doi: 10.1007/BF00630563. [DOI] [Google Scholar]

[CR11] 11.Biryukov A., Velichkov V.: Automatic search for differential trails in arx ciphers. In Cryptographers’ Track at the RSA Conference. Springer, Cham (2014)

[CR12] 12.Biryukov A., Lamberger M., Mendel F., Nikolić I.: Second-order differential collisions for reduced sha-256. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer (2011)

[CR13] 13.Biryukov A., Velichkov V., Le Corre Y.: Automatic search for the best trails in arx: application to block cipher speck. In: International Conference on Fast Software Encryption, pp. 289–310. Springer (2016).

[CR14] 14.Cui T, Chen S, Fu K, Wang M, Jia K. New automatic tool for finding impossible differentials and zero-correlation linear approximations. Sci. China. 2021;64(2):129103. [Google Scholar]

[CR15] 15.Darbuka A.: Related-key attacks on block ciphers. Master’s thesis. Master’s thesis, Middle East Technical University (2009).

[CR16] 16.Dinu D., Perrin L., Udovenko A., Velichkov V., Großschädl J., Biryukov A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: ASIACRYPT (1), volume 10031 of Lecture Notes in Computer Science (2016).

[CR17] 17.Dinu D, Corre YL, Khovratovich D, Perrin L, Großschädl J, Biryukov A. Triathlon of lightweight block ciphers for the internet of things. J. Cryptogr. Eng. 2019;9(3):283–302. doi: 10.1007/s13389-018-0193-x. [DOI] [Google Scholar]

[CR18] 18.Dunkelman O., Keller N., Kim J.: Related-key rectangle attack on the full shacal-1. In: International Workshop on Selected Areas in Cryptography. Springer (2006).

[CR19] 19.FIPS. Secure hash standard. Federal Information Processing Standards Publication 180-1. (1995).

[CR20] 20.FIPS. Secure hash standard. Federal Information Processing Standards Publication 180-4 (2015).

[CR21] 21.Fu K., Wang M., Guo Y., Sun S., Hu L.: Milp-based automatic search algorithms for differential and linear trails for speck. In: Fast Software Encryption—23rd International Conference, FSE 2016, Bochum, Germany, March 20–23, 2016 Revised Selected Papers (2016).

[CR22] 22.Ganesh V., Dill D.L.: A decision procedure for bit-vectors and arrays. In: CAV, volume 4590 of Lecture Notes in Computer Science. Springer (2007).

[CR23] 23.Gario M., Micheli A.: Pysmt: a solver-agnostic library for fast prototyping of smt-based algorithms. In: SMT Workshop 2015 (2015).

[CR24] 24.Gartner. Gartner identifies top 10 strategic IoT technologies and trends. https://www.gartner.com/en/newsroom/press-releases/2018-11-07-gartner-identifies-top-10-strategic-iot-technologies-and-trends (2018).

[CR25] 25.Gartner. Gartner survey reveals 47 percent of organizations will increase investments in IoT despite the impact of covid-19. https://www.gartner.com/en/newsroom/press-releases/2020-10-29-gartner-survey-reveals-47-percent-of-organizations-will-increase-investments-in-iot-despite-the-impact-of-covid-19- (2020).

[CR26] 26.Hadarean L., Hyvarinen A., Niemetz A., Reger G.: 14th international satisfiability modulo theories competition (smt-comp 2019). https://smt-comp.github.io/2019/ (2019).

[CR27] 27.Handschuh H., Knudsen L.R., Robshaw M.J.: Analysis of sha-1 in encryption mode. In: Track at the RSA Conference. Springer (2001)

[CR28] 28.Handschuh H., Naccache D.: Shacal: a family of block ciphers. Submission to the NESSIE project (2002).

[CR29] 29.Henry J, Warren S. Hacker’s delight. Boston: Addison-Wesley; 2003. [Google Scholar]

[CR30] 30.Hong S., Kim J., Lee S., Preneel B.: Related-key rectangle attacks on reduced versions of shacal-1 and aes-192. Springer, In International Workshop on Fast Software Encryption (2005).

[CR31] 31.Hong D., Sung J., Hong S., Lim J., Lee S., Koo B.S., Lee C., Chang D., Lee J., Jeong K., Kim H.: HIGHT: A new block cipher suitable for low-resource device. In: Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10–13, 2006, Proceedings (2006).

[CR32] 32.Hong D., Lee J.K., Kim D.C., Kwon D., Ryu K.H., Lee D.G.: LEA: A 128-bit block cipher for fast encryption on common processors. In: WISA, volume 8267 of Lecture Notes in Computer Science. Springer (2013).

[CR33] 33.ISO/IEC 18033-3:2010. Information technology, Security techniques, Encryption algorithms, Part 3: Block ciphers. Standard, International Organization for Standardization (2010).

[CR34] 34.Kelsey J., Schneier B., Wagner D.A.: Key-schedule cryptanalysis of idea, g-des, gost, safer, and triple-des. In: CRYPTO, volume 1109 of Lecture Notes in Computer Science. Springer (1996).

[CR35] 35.Kelsey J., Schneier B., Wagner B.A.: Related-key cryptanalysis of 3-way, biham-des, cast, des-x, newdes, rc2, and TEA. In: ICICS, volume 1334 of Lecture Notes in Computer Science. Springer (1997).

[CR36] 36.Kim J., Kim G., Hong S., Lee S., Hong D.: The related-key rectangle attack, application to shacal-1. In: Australasian Conference on Information Security and Privacy. Springer (2004).

[CR37] 37.Knudsen L. Deal-a 128-bit block cipher. Complexity. 1998;258(2):216. [Google Scholar]

[CR38] 38.Kölbl S., Hadipour H.: Cryptosmt: An easy to use tool for cryptanalysis of symmetric primitives based on smt/sat solvers. https://github.com/kste/cryptosmt.

[CR39] 39.Kölbl S., Leander G., Tiessen T., Observations on the SIMON block cipher family. In Advances in Cryptology - CRYPTO 2015–35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20,: Proceedings. Part I, 2015 (2015).

[CR40] 40.Koo B., Hong D., Kwon D.: Related-key attack on the full HIGHT. In: Information Security and Cryptology - ICISC 2010 - 13th International Conference, Seoul, Korea, December 1–3, 2010, Revised Selected Papers (2010).

[CR41] 41.Koo B, Roh D, Kim H, Jung Y, Lee D, Kwon, D: CHAM: A family of lightweight block ciphers for resource-constrained devices. In: Information Security and Cryptology - ICISC 2017 - 20th International Conference, Seoul, South Korea, November 29–December 1, 2017, Revised Selected Papers (2017).

[CR42] 42.Kovásznai G, Fröhlich A, Biere A. Complexity of fixed-size bit-vector logics. Theory Comput. Syst. 2016;59(2):323. doi: 10.1007/s00224-015-9653-1. [DOI] [Google Scholar]

[CR43] 43.Lai X., Massey J.L.: A proposal for a new block encryption standard. In EUROCRYPT, volume 473 of Lecture Notes in Computer Science. Springer (1990).

[CR44] 44.Lai X., Massey J.L., Murphy S.: Markov ciphers and differential cryptanalysis. In: EUROCRYPT, volume 547 of Lecture Notes in Computer Science. Springer (1991).

[CR45] 45.Lee E., Hong D., Chang D., Hong S., Lim J.: A weak key class of XTEA for a related-key rectangle attack. In: VIETCRYPT, volume 4341 of Lecture Notes in Computer Science. Springer (2006).

[CR46] 46.Lipmaa H.: On differential properties of pseudo-hadamard transform and related mappings. In: A. Menezes, P. Sarkar (eds) Progress in Cryptology - INDOCRYPT 2002, Third International Conference on Cryptology in India, Hyderabad, India, December 16–18, 2002, vol. 2551 of Lecture Notes in Computer Science. Springer (2002).

[CR47] 47.Lipmaa H., Moriai S.: Efficient algorithms for computing differential properties of addition. In: Fast Software Encryption, 8th International Workshop, FSE 2001 Yokohama, Japan, April 2–4, 2001, Revised Papers (2001).

[CR48] 48.Liu Y, Witte GD, Ranea A, Ashur T. Rotational-xor cryptanalysis of reduced-round SPECK. IACR Trans. Symmetric Cryptol. 2017;3:2017. [Google Scholar]

[CR49] 49.Lodi A.: Mixed integer programming computation. In: 50 Years of Integer Programming. Springer (2010).

[CR50] 50.Lu J.: Cryptanalysis of reduced versions of the HIGHT block cipher from CHES 2006. In: Information Security and Cryptology - ICISC 2007, 10th International Conference, Seoul, Korea, November 29–30, 2007, Proceedings (2007).

[CR51] 51.Lu J., Kim J., Keller N., Dunkelman O.: Related-key rectangle attack on 42-round shacal-2. In: International Conference on Information Security. Springer (2006).

[CR52] 52.Lu J. Related-key rectangle attack on 36 rounds of the XTEA block cipher. Int. J. Inf. Sec. 2009;8(1):15. doi: 10.1007/s10207-008-0059-9. [DOI] [Google Scholar]

[CR53] 53.Machado AW. Differential probability of modular addition with a constant operand. IACR Cryptol. 2001;2001:52. [Google Scholar]

[CR54] 54.Matsui M.: On correlation between the order of s-boxes and the strength of des. Springer, In Workshop on the Theory and Application of of Cryptographic Techniques (1994).

[CR55] 55.Meurer A, Smith CP, Paprocki M, et al. Sympy: symbolic computing in python. PeerJ. 2017;3:e103. [Google Scholar]

[CR56] 56.Mitchell JN. Computer multiplication and division using binary logarithms. IRE Trans. Electron. Comput. 1962;4:512. doi: 10.1109/TEC.1962.5219391. [DOI] [Google Scholar]

[CR57] 57.Mouha N, Preneel B. Towards finding optimal differential characteristics for ARX: application to Salsa20. IACR Cryptol. 2013;2013:328. [Google Scholar]

[CR58] 58.Mouha N., Mennink B., Van Herrewege A., Watanabe D., Preneel B., Verbauwhede I.: Chaskey: an efficient mac algorithm for 32-bit microcontrollers. In International Conference on Selected Areas in Cryptography. Springer (2014).

[CR59] 59.National Institute of Standards and Technology. Lightweight cryptography project. https://csrc.nist.gov/Projects/Lightweight-Cryptography.

[CR60] 60.Needham R., Wheeler D.: Tea extensions. Technical report, Computer Laboratory, University of Cambridge (1997).

[CR61] 61.NESSIE. New european schemes for signatures, integrity and encryption. https://www.cosic.esat.kuleuven.be/nessie/index.html.

[CR62] 62.Niemetz A, Preiner M, Biere A. Boolector 2.0 system description. J. Satisf. Boolean Modeling Comput. 2015;9:53–58. doi: 10.3233/SAT190101. [DOI] [Google Scholar]

[CR63] 63.Özen O., Varıcı K., Tezcan C., Kocair C.: Lightweight block ciphers revisited: Cryptanalysis of reduced round present and height. In Australasian Conference on Information Security and Privacy. Springer (2009).

[CR64] 64.Ranea A, Liu Y, Ashur T. An easy-to-use tool for rotational-xor cryptanalysis of ARX block ciphers. Proc. Roman. Acad. Series A. 2017;18(3):1–8. [Google Scholar]

[CR65] 65.Ren J, Chen S. Cryptanalysis of reduced-round speck. IEEE Access. 2019;7:63045–63056. doi: 10.1109/ACCESS.2019.2917015. [DOI] [Google Scholar]

[CR66] 66.Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects - revealing structural properties of several ciphers. In EUROCRYPT (3), volume 10212 of Lecture Notes in Computer Science (2017).

[CR67] 67.Schulte-Geers E. On ccz-equivalence of addition mod $2^n$ Designs Codes Cryptogr. 2013;66(1–3):111–127. doi: 10.1007/s10623-012-9668-4. [DOI] [Google Scholar]

[CR68] 68.Song L., Huang Z., Yang Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In Information Security and Privacy - 21st Australasian Conference, ACISP: Melbourne, VIC, Australia, July 4–6, 2016, Proceedings. Part I, 2016 (2016).

[CR69] 69.Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: Application to simon, present, lblock, DES(L) and other bit-oriented block ciphers. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7–11, 2014. Proceedings, Part I (2014).

[CR70] 70.Sun S, Gerault D, Lafourcade P, Yang Q, Todo Y, Qiao K, Hu L. Analysis of aes, skinny, and others with constraint programming. IACR Trans. Symmetric Cryptol. 2017;1:2017. [Google Scholar]

[CR71] 71.Wagner DA. The boomerang attack. In Fast Software Encryption, 6th International Workshop, FSE ’99, Rome, Italy, March 24–26, 1999, Proceedings (1999).

[CR72] 72.Wang G., Keller N., Dunkelman O.: The delicate issues of addition with respect to xor differences. In: International Workshop on Selected Areas in Cryptography. Springer (2007).

[CR73] 73.Wheeler D.J., Needham R.M.: Tea, a tiny encryption algorithm. In FSE, volume 1008 of Lecture Notes in Computer Science. Springer (1994).

[CR74] 74.Winternitz RS, Hellman ME. Chosen-key attacks on a block cipher. Cryptologia. 1987;11(1):1–7. doi: 10.1080/0161-118791861749. [DOI] [Google Scholar]

[CR75] 75.Yang SP, Hu YP, Zhong MF. Related-key impossible differential attacks on 31-round shacal-2. J. Commun. 2006;28(11A):54–58. [Google Scholar]

PERMALINK

A bit-vector differential model for the modular addition by a constant and its applications to differential and impossible-differential cryptanalysis

Seyyed Arash Azimi

Adrián Ranea

Mahmoud Salmasizadeh

Javad Mohajeri

Mohammad Reza Aref

Vincent Rijmen

Abstract

Introduction

Contributions

Differences to the conference version

Outline

Preliminaries

Notations

Table 1.

Differential and impossible-differential cryptanalysis

Searching for characteristics and impossible differentials.

SMT solvers

Differential models

Theorem 1

Theorem 2

Bit-vector differential model of the constant addition

Definition 1

Example 1

Table 2.

Validity

Lemma 1

Proof

Lemma 2

Proof

Theorem 3

Proof

Example 2

Table 3.

Weight of a valid differential

Lemma 3

Proof

Lemma 4

Proof

Lemma 5

Proof

Lemma 6

Proof

Proposition 1

Proof

Lemma 7

Proof

Lemma 8

Proof

Theorem 4

Example 3

Table 4.

Error analysis: proof of Theorem 4

Lemma 9

Proof

Example 4

Fig. 1.

Proof (Theorem 4)

SMT-based search of characteristics and impossible differentials

Searching for characteristics

Encoding the SMT problems

Table 5.

Example 5

Fig. 2.

Searching of impossible differentials

Fig. 3.

Implementation

Fig. 4.

Experiments

Table 6.

Table 7.

Table 8.

TEA

Fig. 5.

XTEA

Fig. 6.

HIGHT

Fig. 7.

Fig. 8.