Research on the Security Level of µ² against Impossible Differential cryptanalysis

Abstract

In the year 2020, a new lightweight block cipher µ² is proposed. It has both good software and hardware performance, and it is especially suitable for constrained resource environment. However, the security evaluation on µ² against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on µ² is proposed. In this paper, firstly, some cryptographic properties on µ² are proposed. Then several longest 7-round impossible differential distinguishers are constructed. Finally, an impossible differential cryptanalysis on µ² reduced to 10 rounds is proposed based on the constructed distinguishers. The time complexity for the attack is about 2^69.63 10-round µ² encryptions, the data complexity is O(2⁴⁸), and the memory complexity is 2^63.57 Bytes. The reported result indicates that µ² reduced to 10 rounds can't resist against impossible differential cryptanalysis.

1. Introduction

With the rapid development of micro devices in IoT(Internet of Things), RFID(Radio Frequency Identification), and smart card, there is a great demand for lightweight block ciphers in both scenarios of IoT[1, 2] and RFID[3, 4]. These lightweight block ciphers can protect the sensitive information in the devices with constrained computing capability. For lightweight block ciphers, there are many advantages such as simple structure, efficiency in both software and hardware platforms. And the design for this kind of block ciphers has been a focus for recent several years. Many good lightweight block ciphers are presented such as LBlock[5], PRESENT[6], GIFT[7], Midori[8], SIMON and SPECK[9] etc. In the year 2019, NIST proposed a standardization project LWC (LightWeight Cryptography) to enhance the development for lightweight ciphers. The lightweight block cipher µ2[10] is proposed in the year 2020. It has both good software and hardware performance, and it is especially suitable for constrained resource environment.

After the proposal of a new block cipher, various cryptanalytic methods should be considered to evaluate the security level thoroughly, such as differential cryptanalysis[11], linear cryptanalysis[12], integral cryptanalysis[13], impossible differential cryptanalysis[14, 15], zero correlation linear cryptanalysis[16]. Due to the enormous workload, some cipher designers may miss some of the cryptanalytic methods, or estimate the security level roughly which needs cryptographers to fill the gap with more refined research.

Impossible differential cryptanalysis was independently put forward by Knudsen[14] and Biham[15]. So far, it is one of the most effective cryptanalytic techniques. The basic idea of impossible differential cryptanalysis is establishing an impossible differential distinguisher, then filter the wrong key candidates with this distinguisher until the correct key is recovered. The method of impossible differential cryptanalysis has been successfully applied to many block ciphers [17-21].

Contributions

In this paper, the main target is to evaluate the security level on µ² against impossible differential cryptanalysis.

● Firstly, according to the structure of µ², the diffusion property for the key schedule and some cryptographic properties for the round function are illustrated.

● Secondly, with “miss-in-the-middle” technique and an automatic approach, several longest impossible differential distinguishers are established.

● Finally, on the basis of “early-abort” technique and constructed impossible differential distinguishers, a concrete key recovery impossible differential cryptanalysis on µ² reduced to 10 rounds is proposed.

The organization for this paper is as follows. The notations used in this paper and a brief introduction on µ² are illustrated in section 2. Section 3 proposes some properties on µ² which will be used in later cryptanalysis. Some longest impossible differential distinguishers are explored in section 4. A key recovery attack on µ² is proposed in section 5 and section 6 concludes the paper.

2. Preliminary

2.1 Notations

● P : represents a 64-bit plaintext;

● C : represents a 64-bit ciphertext;

● Xⁱ: intermediate value before the i-th round, which is consist of four 16-bit words Xⁱ = ( X₃ⁱ, X₂ⁱ, X₁ⁱ, X₀ⁱ );

● K : master key;

● keyⁱ : 80-bit key register at the i-th round;

● rkⁱ : round key for the i-th round, for each round key, rkⁱ can be seperated into four 16-bit parts, i.e. ( rk₃ⁱ, rk₂ⁱ, rk₂ⁱ,rk₀ⁱ) ;

● x||z : represents the relationship of concatenation for vectors x and z.

2.2 Brief Description on µ²

The block size for lightweight block cipher µ² is 64 bits, the key length is 80 bits and the cipher has 15 rounds.

Round Function

The structure of µ² is a Type-II GFS (GFS is short for generalized Feistel Structure, see Fig. 1, The F function in the GFS takes a 4-round SPN (SPN is short for substitution permutation network) structure which is illustrated in Fig. 2. Sbox is presented in Table 1 and bitwise permutation is defined as:

Fig. 1. Structure of µ²

Fig. 2. Structure of F function

In Fig. 2, variable const_i is a constant which is related to round of the SPN structure, round and position of the F function. Round keys in the bracket are for the right F function.

Table 1. Sbox for µ²

Key Schedule

The key schedule of µ² is modified from a famous block cipher PRESENT, which can be summarized as below.

Firstly, the 80-bit register is initialized with the master key. Secondly, the key register is rotated by 61 bits on the left. Thirdly, substitute the 64th to 67th bits of the key register with the Sbox. Fourthly, XOR the 15th to the 18th bits with a four-bit round counter. Finally, the 64 most significant bits of the key register are extracted as the round key RK, which is segmented into 4 sub-round keys (rk₃, rk₂, rk₁, rk₀,

The mathematical form of this key register updating progress can be illustrated as below.

(1) [k₇₉, k₇₈, ⋅⋅⋅ k₁, k₀] = [k₁₈, k₁₇, ⋅⋅⋅ k₂₀, k₁₉]

(2) [k₇₉, k₇₈, k₇₇, k₇₆] = S[k₇₉, k₇₈, k₇₇, k₇₆]

(3) [k₆₇, k₆₆, k₆₅, k₆₄] = S[k₆₇, k₆₆, k₆₅, k₆₄]

(4) [k₁₈, k₁₇, k₁₆, k₁₅] = [k₁₈, k₁₇, k₁₆, k₁₅] ⊕ round counter

3. Cryptographic Properties for µ²

Property 1: The key schedule of µ² has limited diffusion property. Specifically speaking, at the 12th round, there are still four bits of the key register key¹² which are only affected by one bit of the master key (18, 17, 16, 15 bits of key¹² and 67, 66, 65, 64 bits of master key K have one-to-one correspondence, At the 10th round, 12 bits of the key register key¹⁰ are only affected by one bit of the master key. Even for the last round, half of the key register (40 bits) are only affected by four bits of the master key.

The number of master key bits which affect 10th, 12th and last round’s key register are illustrated in Table 2 below. This property is critical for the phase of key recovery and it is the foundation to recover the master key bits rather than round key bits.

Table 2. Number of master key bits which affect the 15th, 12th and 10th round key register bits

Property 2: For any nonzero input difference of the Sbox, there exist 6.4 possible output differences on average.

Through analyzing the Sbox, it can be shown that the number of possible output differences for any nonzero input difference ranges from four to eight. And the mathematical expectation for this value is 6.4. If input difference zero is also taken into consideration, this mathematical expectation value is reduced to 6.

Property 3: For any nonzero input difference of one SPN round of the F function, there exist 1351 possible output differences on average.

For any nonzero input difference for one SPN round, they can be classified into four circumstances, i.e. one active Sbox to four active Sboxes. So in this circumstance, the number of output differences N can be calculated into the following formula:

\(N=\frac{c_{4}^{1} \cdot\left(2^{4}-1\right) \cdot 6 \cdot 4+c_{4}^{2} \cdot\left(2^{4}-1\right) 2 \cdot 6 \cdot 4^{2}+c_{4}^{3} \cdot\left(2^{4}-1\right) 3 \cdot 6 \cdot 4^{3}+c_{4}^{4} \cdot\left(2^{4}-1\right) 4 \cdot 6 \cdot 4^{4}}{216}=88529280 / 65536 \approx 1351\)

To validate the correctness of Property 3, a simulation process is conducted. For each input difference, the number of output difference for one SPN round of the F function ranges from 4 to 4096, which is averaged to 1351. This result coincides with the theoretical analysis.

Property 4: For any nonzero input to output difference of the F function, the highest probability is 38/65536, and for each input difference, there exist 25779 possible output differences on average.

The difference distribution table (DDT) for the Sbox and F function is calculated. After analyzing the DDT of the F function, it is found that the highest differential probability is 38/65536. Table 3 shows four highest probability differential characters in the DDT of the F function. After analyzing the difference distribution table of F function, it can be found that for each input difference, the number of output difference for the F function ranges from 23794 to 26023, which is averaged to 25779.

Table 3. Four highest probability differential character for the F function

4. Impossible Differential Distinguishers for µ²

Using “miss-in-the-middle” technique, with an automatic approach, the possibility of constructing impossible differential distinguishers on µ² block cipher is investigated. All the possibilities for the modes of input and output differences are exhaustively searched, two 7-round and ten 6-round impossible differential distinguishers are found. Table 4 illustrates these concrete distinguishers.

Table 4. Some longest Impossible Differential Distinguishers for µ²

Here, the first 7-round impossible differential distinguisher (0, a, 0, 0) (0, 0, h, 0) is taken as an example to illustrate the constructing process for the distinguisher. The detail of the structure for the distinguisher can be explained in Fig. 3 below.

Fig. 3. Construction of the 7-round Impossible Differential for µ²

In Fig. 3, “a, b, c, h, y, z” represent 16-bit nonzero differences and “?” represents the difference for the word is unknown, the word marked in red implies a contradiction.

5. Impossible Differential Cryptanalysis on µ²

Based on the 7-round impossible differential constructed in section 4, a key recovery attack on µ² reduced to 10 rounds is proposed with adding two rounds before and one round after the distinguisher (See Fig. 4, The key recovery attack is mainly composed of two stages: data collection stage and key recovery stage.

Data Collection Stage:

On one hand, construct 2^m data sets. For each set, word X₁⁰ of the plaintext P = ( X₃⁰, X₂⁰, X₁⁰, X₀⁰ ) are fixed to the same value and other words are arbitrary. So there are 48 bits (i.e. X₁⁰) can be any distinctive values and 16 bits (i.e. X₁⁰) are fixed to a constant for a data set. That is to say, for each data set, there can be about 2⁹⁵ plaintext pairs ( \(C_{2^{48}}^{2} \approx 2^{95}\), It is noted that when choosing a plaintext pair, ∆X₃⁰, ∆X₂⁰, ∆X₀⁰ should be nonzero difference. So for each data set, there are about [2¹⁶*(2¹⁶-1)/2]³ ≈ 2⁹³ pairs satisfying the constraint of the input. On the other hand, suppose the difference of the output for the 10th round is ∆C = ( ∆X₃¹⁰, ∆X₂¹⁰, X₁¹⁰, ∆X₀¹⁰ ), ∆X₃¹⁰, ∆X₀¹⁰ should be zero difference and ∆X₂¹⁰, X₁¹⁰ should be nonzero difference. So after sieving the difference of the ciphertexts, there are totally 2^m+61 (2^m+93⋅2^-32) plaintext-cipher pairs left.

During the research, it is found that if ∆X₀⁰ → ∆X₃⁰, ∆X₃⁰ → ∆X₂⁰ and ∆X₁¹⁰ → ∆X₀¹⁰ be three possible input difference to output differences for F function, the efficiency of sieving the wrong subkeys can be improved. This probability for the F function can be derived through Property 4, i.e. 25779/65536 ≈ 39.3% ≈ 2^-1.35. Through this further sieving, there are 2^m+56.95 (2^m+61⋅2^-1.35*3) plaintext-cipher pairs left.

Key Recovery Stage:

In the key recovery stage, “early-abort technique” is utilized to reduce the complexity, i.e. guessing the subkey bits in its smallest unit.

The details of the attack for the key recovery phase are illustrated as following three steps.

Step 1. For each plaintext-ciphertext pair after data collection stage, guess the 16 bits for the first round key rk₃¹. If ∆F(∆X₃⁰, rk₃¹, rk₂¹) =  ∆X₂⁰, save the rk₃¹. The round key rk₂¹ needn’t to be guessed because it doesn’t affect the difference. According to the key schedule, these 16 bits have one-to-one correspondence with 79 to 64 bits of the master key which is illustrated in Table 5 below. For the F function, each nonzero input difference can lead to 25779 output difference on average, so after this step, there are 2 ^m+42.3 plaintext-ciphertext pairs left.

In this step, rk₃¹ is split into four segments at first. However, as the F function is a 4-round SPN structure which makes the confusion and diffusion of the input difference quite well, it is hard to split rk₃¹ and guess it step by step.

Table 5. Correspondence between rk₃¹ and master key bits

Step 2. After step 1, guess the 16 bits for the 10th round key rk₁¹⁰. If ∆F (∆X₂¹⁰, rk₁¹⁰, rk₀¹⁰) =  ∆X1¹⁰, save the rk₁¹⁰. Similarly, the round key rk₀¹⁰ needn’t to be guessed. According to the key schedule, the 16 bits of rk₁¹⁰ corresponds with 41 to 59 bits of the master key bits, the detailed correspondence is illustrated in Table 6 below. Accordingly, 19 master key bits: K[59-41] should be guessed to derive rk₁¹⁰[15-0]. Also, for the F function, each nonzero input difference can lead to 25779 output difference on average, so after this step, there are 2 ^m+27.65 plaintext-ciphertext pairs left.

Table 6. Correspondence between

In Fig. 4, “a, b, c, h, u” represent 16-bit nonzero difference, the state marked in red represents an impossible differential distinguisher.

Fig. 4. Key Recovery Attack for µ²

The concrete relationship between the round key bits of follows:

(1) rk₁¹⁰[9-6]= S (K [52-49] ⊕ 0111)

(2) rk₁¹⁰[5-2]= K [48-45]

(3) rk₁¹⁰[1, 0]= S (K [44-41]) (two most significant bits)

(4) rk₁¹⁰[12, 11, 10]= S (K [56-53] ⊕ 0011) (three least significant bits)

(5) rk₁¹⁰[15, 14, 13]= S (S (K [56-53] ⊕ 0011) (most significant bit) || K [59-57]) (three least significant bits)

Step 3. After step 2, at most 48 round key bits, i.e. rk₁¹, rk₀¹ and rk₁² need to be guessed to derive the difference at the boundary of the impossible differential distinguisher. For rk₁¹, extra 9 bits of the master key K[40-32] should be guessed. As rk₀¹ ⊕ rk₁² can be regarded as a whole, so 16 bits (K[31-29], K[28]⊕K[63], K[27]⊕K[62], K[26]⊕K[61], K[25]⊕K[60], K[24-16]) should be guessed to derive rk₀¹ ⊕ rk₁². If the output difference for the right F function of the second round equals to ∆X₀¹, i.e. ∆F ( ∆X₁¹, rk₁², rk₀² ) =∆X₀¹, the output difference for the right branch of the second round equals to zero after Xoring ∆X₀¹, and the probability for this process is 1/25779. Iterate Step 1 to Step 3 until only one correct key is left.

After the steps above, through partial encryption (two rounds) and partial decryption (one round), if all the guessed key bits are correct, the 7-round impossible differential distinguisher in the middle will never occur. If the guessed key bits are incorrect, the impossible differential distinguisher will emerge with a fixed probability. This is the rule to judge the incorrect key from right one.

Following is the detailed relationship between the involved round key bits and master key bits in Step 3.

As rk₁¹[15 − 0] = K [47 − 32], according to Step 2, seven bits (i.e. K[47-41]) have already been guessed, so only nine master key bits (i.e. K[40-32]) should be guessed here. Then as rk₀¹[15 − 0] ⊕ rk₁²[15 − 0] = K [31 − 16] ⊕ K [66 − 51] , twelve involved master key bits (K[59-51] and K[66-64]) have already been guessed, so extra 16 bits information of the master key is needed.

Complexities of the Attack: There are altogether 60 bits information of the key which should be guessed during the attack.

Next, the number of data sets needed for the attack is illustrated. After sieving all the plaintext-ciphertext pairs for 2^m data sets, there are about  \(\left(2^{60}-1\right) \cdot\left(1-\frac{1}{25779}\right)^{2^{m+27.65}}\) wrong key candidates left. If m=0, as \(\left(2^{60}-1\right) \cdot\left(1-\frac{1}{25779}\right)^{2^{27.65}} \approx 0\), that is to say, almost all the wrong key candidates can be eliminated with only one data set for the attack.

● Time complexity: about 2^69.63 10-round encryption (the detail is illustrated in Table 7 below,

● Data complexity: 2⁴⁸ plaintext-ciphertext pairs.

● Memory complexity: about 2^56.95⋅4⋅8 + 2⁶⁰⋅8 Bytes ≈ 2^63.57 Bytes, which mainly depends on stored plaintext-ciphertext pairs and key candidates.

Table 7. Details of the time complexity for each step

6. Conclusion

µ² is a newly proposed lightweight block cipher in 2020. However, the security evaluation for µ² against impossible differential cryptanalysis seems missing from the specification. To fill this gap, an impossible differential cryptanalysis on µ² is proposed. Firstly, some cryptographic properties on µ² are proposed. Secondly, with an automatic approach, several longest impossible differential distinguishers are proposed. Thirdly, based on one of the longest distinguishers, a concrete impossible differential cryptanalysis on µ² is proposed. The result of this paper shows that µ² reduced to 10 rounds can’t resist against impossible differential cryptanalysis. To enhance the security level of µ² against the reported attack, more complex key schedule should be considered to shorten the length of the key recovery phase. The security level of µ² against other cryptanalytic methods should also be investigated which is left as a future work.