Sage Journals: Discover world-class research

Abstract

Lightweight ciphers are often used as the underlying encryption algorithm in resource-constrained devices. Their cryptographic security is a mandatory goal for ensuring the security of data transmission. Differential cryptanalysis is one of the most fundamental methods applicable primarily to block ciphers, and the resistance against this type of cryptanalysis is a necessary design criterion. ANU-II is an ultra-lightweight block cipher proposed in 2017, whose design offers many advantages such as the use of fewer hardware resources (logic gates), low power consumption and fast encryption for Internet of Things devices. The designers of ANU-II claimed its resistance against differential cryptanalysis and postulated that the design is safe enough for Internet of Things devices. However, as addressed in this article, the security claims made by designers appear not to be well grounded. Using mixed-integer linear programming–like techniques, we identify one-round differential characteristic that holds with probability 1, which is then efficiently employed in mounting the key recovery attack on full-round ANU-II with only 2² chosen plaintexts and 2^62.4 full-round encryptions. The result shows that the designers’ security evaluation of ANU-II against differential cryptanalysis is incorrect and the design rationale is flawed. To remedy this weakness, we provide an improved variant of ANU-II, which has much better resistance to differential cryptanalysis without affecting the hardware and/or software implementation cost.

Keywords

IoT devices lightweight block ciphers differential cryptanalysis key recovery attack MILP model

Introduction

With a rapid development of 5G technology and networks, the demand for Internet of Things (IoT) devices is constantly increasing in daily life. The information exchange between IoT devices is commonly performed through embedded encryption algorithms for the reasons of providing secure data transmission, device authentication and other sensitive services. A majority of the IoT devices (especially sensors and microcontrollers) implement as encryption algorithm a class of lightweight block ciphers that are designed to operate under certain power, memory and/or computation constraints.¹ In general, this family of ciphers is characterized by a low hardware implementation cost and low power consumption, while at the same time providing sufficient security margins in sensitive applications. On the other hand, for applications without the mentioned limitations, traditionally designed encryption algorithms (e.g. advanced encryption standard (AES)) generally have lower computing efficiency due to their robust design rationales.

Being more suitable for use in restrained environments, lightweight block ciphers have attracted much attention of cryptographic society. To date, there are numerous lightweight block ciphers that have emerged during the last decade, including PRESENT² that uses a substation permutation network (SPN), the LBlock³ cipher implementing the Feistel network, Simon and Speck⁴ having highly efficient (fast) software and hardware implementation, and RECTANGLE⁵ using the so-called bit-slice technology.

Differential cryptanalysis⁶ is one of the earliest generic cryptanalytic tools (along with linear cryptanalysis) applicable to block ciphers. This technique is currently well understood and for testing the resistance of ciphers against differential cryptanalysis the following approach is commonly applied. First, lower bounds on the number of active substitution boxes (S-boxes) is estimated and then a propagating differential characteristic with as high probability as possible needs to be specified. However, the computational complexity of specifying optimal differential paths (involving a few active S-boxes and holding with a high probability) grows exponentially with the number of rounds, which leads to efficient use of different algorithms that may identify optimal solutions.

The use of mixed-integer linear programming (MILP) techniques for this purpose has been quite a common method during the last decade. In 2011, lower bounds of the number of active S-boxes for Enocoro128v2 and AES were obtained by Mouha et al.⁷ using MILP-based models. This approach is, however, only applicable to byte-oriented block ciphers. To fill this gap, Sun et al.⁸ extended the byte-oriented MILP model to bit-oriented block ciphers for the purpose of searching for lower bounds on active S-boxes and good (having a high probability) differential characteristics. Also, in the work of Sun et al.,⁸ a heuristic search algorithm for finding the best differential characteristic was proposed. Later, automated MILP-based search algorithms have been widely used to evaluate the security of block ciphers with quite outstanding results. Fu et al.⁹ applied MILP-based techniques to ARX ciphers, where also a search for good differential characteristics and a linear approximation of the SPECK block cipher were addressed. Abdelkhalek et al.¹⁰ further developed the MILP modelling for (large) S-boxes to optimize the probability of differential characteristics. In addition, Sadeghi et al.¹¹ presented zero-correlation linear approximations and the related-tweakey impossible differential characteristics for the block cipher SKINNY. Zhou et al.¹² greatly improved the efficiency of MILP-based search algorithms by embedding the divide-and-conquer idea into the MILP model. In Crypto2020,¹³ a novel MILP model with the possibility of handling simultaneously the propagation of differentials and their values was developed. In FSE2021,¹⁴ a suitable MILP model for finding more efficient distinguishers that cover more encryption rounds was introduced.

ANU is an ultra-lightweight block cipher proposed by Bansod et al.¹⁵ However, the full-round ANU cipher was broken by Sasaki¹⁶ using the related-key boomerang attack. ANU-II is an improved version of ANU and was proposed by Dahiphale et al.,¹⁷ which is superior to ANU in terms of memory, latency, throughput and power consumption. However, in 2020, Wang et al.¹⁸ conducted an eight-round integral attack on ANU-II (designed for 25 encryption rounds) and mounted a key recovery attack using $2^{60}$ chosen plaintexts. The designers made a claim that ANU-II achieves a good resistance against differential cryptanalysis by investigating the differential properties of a round-reduced version of ANU-II. In this article, we show that the statement given by designers about the good resistance against differential cryptanalysis is incorrect and the current design of ANU-II contains serious security flaws.

Our contributions

We investigate the security of ANU-II and the main contributions are summarized as follows:

First, we construct an accurate MILP model for specifying exact lower bounds on the number of active S-boxes for ANU-II. Most notably and quite surprisingly, this model identifies an interesting property that the lower bounds of the minimum number of active S-boxes of any round always equal zero.

Then, by observing the input and output of each round, we unexpectedly (disproving the claims made by the designers) find a one-round iterative differential characteristic with probability 1.

Consequently, using repeatedly found one-round differential characteristic, we could mount a key recovery attack on the full-round ANU-II (consisting of 25 encryption rounds), which shows that the design has severe security flaws.

Finally, we propose an improved variant of ANU-II with the same hardware or software implementation expenses as the original cipher. Compared to the actual design, this variant is much more robust against differential cryptanalysis.

The summary of our main results and the previous works is shown in Table 1.

Table 1.

Existing attacks on ANU-II.

Ciphers	Attack	Rounds	Data	Time	Reference
ANU-II	Integral attack	8	$2^{60}$ (CP)	–	Wang et al.¹⁸
	Differential attack	25	$2^{2}$ (CP)	$2^{62.4}$	Section ‘Key recovery attack on full-round ANU-II’

Organization

The article is arranged as follows. In the ‘Preliminaries’ section, we introduce some basic notations and give a description of the ultra-lightweight block cipher ANU-II. A MILP-based differential search model for a minimal number of active S-boxes is given in the ‘Bit-oriented MILP model for differential analysis’ section. In the ‘Differential cryptanalysis of ANU-II’ section, a one-round iterative differential characteristic with probability 1 for ANU-II is specified, along with its application to the full-round key recovery attack. In the ‘An efficient modification of ANU-II’ section, we propose a new modified variant of ANU-II and estimate its resistance against differential cryptanalysis. Some concluding remarks are given in the ‘Conclusion’ section.

Preliminaries

Notations

The following notations are used throughout the article:

$P$ : 64 bits input plaintext;

$P_{L}^{r}$ : 32 bits input for the left branch of rth round;

$P_{R}^{r}$ : 32 bits input for the right branch of rth round;

$P_{L}^{r + 1}$ : 32 bits output for the left branch of rth round;

$P_{R}^{r + 1}$ : 32 bits output for the right branch of rth round;

$C$ : 64 bits output ciphertext;

$Δ C_{r_{-} i}$ : ith bit of the rth round ciphertext pairs’ difference ( $0 \leq i \leq 127$ );

$R C_{r}$ : rth round constant;

$n$ : block size of the cipher;

$w$ : the input size of the S-box;

$v$ : the output size of the S-box;

$r$ : iterative rounds ( $0 \leq r \leq 24$ );

$K$ : 128 bits master key;

$K^{(r)}$ : rth round subkey;

$K_{1}^{(r)}$ : 0–31 bits of $K_{r}$ ;

$K_{2}^{(r)}$ : 32–63 bits of $K_{r}$ ;

$K^{(r)} (i)$ : ith bit of the rth round subkey ( $0 \leq i \leq 63$ );

⊕: XOR;

∥: concatenation;

$< < < n$ : rotation to the left by $n$ bits;

$> > > n$ : rotation to the right by $n$ bits.

The description of ANU-II

ANU-II is an ultra-lightweight block cipher with a 64-bit block size and an 80/128-bit key size. ANU-II belongs to the family of Feistel networks and uses iteratively 25 encryption rounds. We mainly focus on the variant of ANU-II that uses a 128-bit master key. Let the left- and right-branch inputs of the rth round be denoted as $P_{L}^{r}$ and $P_{R}^{r}$ , respectively, and the corresponding outputs as $P_{L}^{r + 1}$ and $P_{R}^{r + 1}$ . The round function is shown in Figure 1.

Figure 1.

The round function of ANU-II.

There are four operations used in the round function: SubBox, AddRoundKey, Rotation and XOR. Among these, the operation SubBox is the only non-linear component and it employs eight S-boxes of size $4 \times 4$ in parallel.

Key schedule

When the master key is of length 128 bits, the key schedule extracts 64-bit key and XOR these with the intermediate encryption state. The first-round subkey is equal to the master key, and the update process for deriving round subkeys is as follows

K = K_{127}, \dots, K_{0}

K^{(0)} = K = K_{127}, \dots, K_{0}

K_{1}^{(0)} = K_{31}, \dots, K_{0} K_{2}^{(0)} = K_{63}, \dots, K_{32},

$For r = 0 to 24 do$

K_{1}^{(r)} = K^{(r)} (31 ~ 0)

K_{2}^{(r)} = K^{(r)} (63 ~ 32)

Rotation to the left by 13 bits

K^{(r)} < < < 13

Applying S-box operation

K^{(r + 1)} (3 ~ 0) = S [K^{(r)} (3 ~ 0)]

K^{(r + 1)} (7 ~ 4) = S [K^{(r)} (7 ~ 4)]

Applying S-box and XOR with a round constant

K^{(r + 1)} (63 ~ 59) = S [K^{(r)} (63 ~ 59)] \oplus R C_{r}

Note that the S-box in the above key schedule still uses the description in Table 2, and the value of $R C_{r}$ equals to $r$ for the rth encryption round.

Table 2.

S-box of ANU-II.

$x$	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
$S (x)$	E	4	B	1	7	9	C	A	D	2	0	F	8	5	3	6

Bit-oriented MILP model for differential analysis

MILP is a type of integer linear programming, especially suitable for solving optimization problems. Its goal is to minimize or maximize the value of the objective function under certain linear constraints. At the moment, commercial software such as in Sun et al.¹⁹ is usually used to solve such optimization problems. In this section, we introduce a bit-oriented MILP model for searching the exact lower bounds of active S-boxes with respect to propagation of differentials and the best differential characteristics in the single-key model.

Searching for the exact lower boundsof active S-boxes

To identify which S-boxes are active when specific differentials pass through the intermediate states of a given block cipher, we recall the following notation.

Definition 1

Let $X = (X_{0}, X_{1}, \dots, X_{n - 1})$ and $X^{*} = (X_{0}^{*}, X_{1}^{*}, \dots, X_{n - 1}^{*})$ be two binary strings of length $n$ .¹⁹ The difference between $X$ and $X^{*}$ is defined as $Δ X = X \oplus X^{*}$ ( $Δ X_{i} = X_{i} \oplus X_{i}^{*}, 0 \leq i \leq n - 1$ ). Then

Δ X_{i} = {\begin{matrix} 0, & Δ X_{i} is inactive \\ 1, & Δ X_{i} is active \end{matrix}

(1)

Definition 2

Let $N_{t} (t \in [0, n / w - 1])$ be a binary indicator that specifies whether the tth S-box is active or not, given as¹⁹

N_{t} = {\begin{matrix} 1, & t - th S-box is active \\ 0, & otherwise \end{matrix}

(2)

Next, we explain how to model diverse operations, such as: SubBox, XOR, and linear layer operation.

SubBox

Assume that $x = (x_{0}, x_{1}, \dots, x_{w - 1})$ and $y = (y_{0}, y_{1}, \dots, y_{v - 1})$ are the input and output differences, respectively, of a $w \times v$ S-box $N_{t}$ . Then, $N_{t} = 1$ holds if and only if $(x_{0}, x_{1}, \dots, x_{w - 1})$ is not the all zero vector, which leads to the following linear inequalities

{\begin{matrix} x_{0} + \dots + x_{w - 1} \geq N_{t} \\ N_{t} - x_{i} \geq 0 (0 \leq i \leq w - 1) \end{matrix}

(3)

In addition, we need to consider the propagation of differential values through an (active) S-box. Using the $H$ -representation of the convex hull (a polyhedron obtained by restricting the Euler space through linear (in)equalities), we transform the propagation of possible differences of an S-box into inequality constraints. Assume that $x = (x_{0}, x_{1}, \dots, x_{q - 1}), q = w + v$ (where $w$ and $v$ are the input and output size of the S-box, respectively) is a q-dimensional possible differential pattern. Then, the induced inequalities, of cardinality $m$ say, can be expressed as follows

\begin{matrix} α_{0, 0} x_{0} + \dots + α_{0, q - 1} x_{q - 1} + α_{0, q} \geq 0 \\ ⋮ \\ α_{m - 1, 0} x_{0} + \dots + α_{m - 1, q - 1} x_{q - 1} + α_{m - 1, q} \geq 0 \end{matrix}

where $α_{i, j}$ are binary coefficients generated by SageMath.²⁰

For instance, let $x = (x_{0}, x_{1}, x_{2}, x_{3}) = 1001$ , $y = (y_{0}, y_{1}, y_{2}, y_{3}) = 1100$ denote the input and output differences of a $4 \times 4$ S-box. Assuming that (1001)→ (1101) is a possible propagation (it occurs with non-zero probability), we express this propagation as an eight-dimensional tuple (10011101). Then, we utilize the SageMath software that calls the inequality-generator function in the package sage.geometry.polyhedron. The Sage code is given in Figure 2.

Figure 2.

Getting $H$ -representation of a convex hull.

Similarly, we can convert all possible differential propagation patterns into inequalities in accordance to the differential distribution table (DDT) given in Appendix 1 for the S-box of ANU-II. SageMath is generally used to transform possible differential patterns into a large number of linear inequalities.

When this phase is completed, some redundant inequalities need to be excluded. To achieve this, commonly two methods are used: the greedy algorithm by Sun et al.¹⁹ whose removal of redundant inequalities is not optimal and the MILP-reduced algorithm introduced by Sasaki and Todo.²¹ The latter algorithm is preferred in this article since it appears to be more efficient in removing redundant inequalities than the greedy algorithm.

XOR

Let $a \oplus b = c$ , where $a, b$ and $c$ represent a single bit. Then, the following constraints can be derived

{\begin{matrix} a + b + c \geq 2 d \\ d \geq a, d \geq b, d \geq c \\ a + b + c \leq 2 \end{matrix}

(4)

where $d$ is a dummy variable with value in ${0, 1}$ .

Linear operation

For ciphers that employ the Feistel network, the rotation and branch swapping are both included when modelling the linear layer operation. These operations can be efficiently described by linear equalities. To clarify this, we consider the right (cyclic) rotation of ANU-II as an example. Suppose the input is $y = (y_{31}, \dots, y_{0})$ and that $z = (z_{31}, \dots, z_{0})$ denotes the output after rotation to the right by 3 bits. The following constraints are then easily deduced

{\begin{matrix} z_{0} = y_{3} \\ z_{1} = y_{4} \\ ⋮ \\ z_{29} = y_{0} \\ z_{30} = y_{1} \\ z_{31} = y_{2} \end{matrix}

(5)

An initial constraint

The inequality $x_{0} + x_{1} + \dots + x_{n - 1} \geq 1$ needs to be introduced to ensure that the initial input differential is non-zero. Here, $n$ denotes the block size of the cipher.

The objective function

The r-round objective function, minimizing the number of active S-boxes, is set as ( $w$ indicating the input size of an S-box)

min_{differentials} \sum_{j = 0}^{r - 1} (\sum_{t = 0}^{(n / w) - 1} N_{t}^{j})

(6)

where $N_{t}^{j}$ indicates whether the tth S-box in the jth encryption round is active or not.

Searching for the best differential characteristic

To find the best differential characteristic, we encode the probability information for possible differential patterns of an S-box. Except for the non-linear SubBox operation, the constraints induced by the XOR and Rotation operations are same as described in the ‘Searching for the exact lower bounds of active S-boxes’ section.

SubBox

We consider the 4-bit S-boxes of ANU-II block cipher. There are three non-zero differential probabilities according to the DDT of S-box: 16/16 = 2⁰, 4/16 = 2⁻² and $2 / 16 = 2^{- 3}$ . We need to introduce two probability variables ( $p_{0}, p_{1}$ ) to encode and distinguish these three possible differential patterns of the S-boxes of ANU-II

(p_{0}, p_{1}) \in {\begin{matrix} (0, 0), & Pb (differential) {= 2}^{0} \\ (0, 1), & Pb (differential) {= 2}^{- 2} \\ (1, 1), & Pb (differential) {= 2}^{- 3} \end{matrix}

(7)

For instance, the possible differential pattern (0000 → 0000) can be expanded from the eight-dimensional tuple (0,0,0,0,0,0,0,0) to the 10-dimensional tuple (0,0,0,0,0,0,0,0,0,0). Similarly, using the DDT, the differential pattern (0001 → 0101) with probability $2^{- 2}$ is extended from (0,0,0,1,0,1,0,1) to (0,0,0,1,0,1,0,1,0,1). Also, (0010 → 0011) is extended to (0,0,1,0,0,0,1,1,1,0). In this way, all possible differential patterns can be encoded. Then, using SageMath, these differential patterns (containing the probability information) are transformed into linear inequalities using the code in Figure 2.

The MILP-reduced algorithm is then applied to remove redundant inequalities.

The objective function

Since equation (7) only describes the probabilities of differentials of a single S-box, we need to introduce additional notation to refer to different S-boxes used. Using $t \in [0, n / w - 1]$ to indicate the tth S-box in each round, we derive the following conditions

(p_{t_{-} 0}, p_{t_{-} 1}) \in {\begin{matrix} (0, 0), & p_{t_{-} 0} + 2 p_{t_{-} 1} = 0 \\ (0, 1), & p_{t_{-} 0} + 2 p_{t_{-} 1} = 2 \\ (1, 1), & p_{t_{-} 0} + 2 p_{t_{-} 1} = 3 \end{matrix}

(8)

where the integer representation 0, 2 and 3 of the binary tuple $(p_{t_{-} 0}, p_{t_{-} 1})$ on the right of equation (8), is exactly of the opposite sign compared to the exponents in equation (7). Since a product of probabilities expressed as $p_{i} = 2^{a_{i}}$ (treating different S-boxes as independent events) will correspond to the addition of exponents $a_{i}$ (with $a_{i} \leq 0$ ), it is natural to model the probability of differential characteristics of the jth round as $\sum_{t = 0}^{(n / w) - 1} p_{t_{-} 0}^{j} + 2 p_{t_{-} 1}^{j}$ , which takes into account all the S-boxes in the jth round and the superscript $j$ in $p_{t_{-} i}^{j}$ refers to the jth round as well. Then, $p = \sum_{j = 0}^{r - 1} \sum_{t = 0}^{(n / w) - 1} p_{t_{-} 0}^{j} + 2 p_{t_{-} 1}^{j}$ will contain the information about the probability of differential characteristics for $r$ encryption rounds. It is well-known that a random permutation will induce a uniform probability distribution of differentials being $2^{- n}$ (for a block cipher of size $n$ ), and therefore, we need a differential characteristic with probability $2^{- p} >> 2^{- n}$ . Thus, encoding the probability information of differential characteristics as above, our goal is to minimize the exponent $p$ . Therefore, the objective function for $r$ encryption rounds is set as

min \sum_{j = 0}^{r - 1} \sum_{t = 0}^{(n / w) - 1} p_{t_{-} 0}^{j} + 2 p_{t_{-} 1}^{j}

(9)

An initial constraint

We need to add the inequality $x_{0} + x_{1} + \dots + x_{n - 1} \geq 1$ to ensure that the initial input differential is non-zero, as otherwise the MILP solver would return 0 as an optimal solution.

Differential cryptanalysis of ANU-II

In this section, we first establish an MILP model that specifically searches for lower bounds on the number of active S-boxes for ANU-II. Then, again using our MILP model, we specify a single round differential characteristic that holds with probability one. Finally, we mount a key recovery attack on the full-round ANU-II that only requires $2^{2}$ chosen plaintexts and 2^62.4 full-round encryptions.

The exact lower bounds of the number of differential active S-boxes of ANU-II

In the single-key setting, the linear constraints discussed previously include SubBox, XOR, rotation and the initial constraint. Assume that 64-bit input difference is $(x_{63}, \dots, x_{0})$ , where $x_{0}$ is the least significant bit (LSB). More precisely, the input differences of left branch is represented as $(x_{63}, \dots, x_{32})$ , and the right branch is $(x_{31}, \dots, x_{0})$ . The corresponding MILP model, concerning the ANU-II cipher, is then built using the methods described in the ‘Searching for the exact lower bounds of active S-boxes’ section.

SubBox

ANU-II employs the Feistel network and uses eight S-boxes of size $4 \times 4$ . For each of the eight S-boxes of ANU-II, there are 97 possible differential patterns according to the DDT shown in Appendix 1. SageMath is used to transform 97 possible differential patterns into 287 inequalities. After applying the MILP-reduced algorithm, only 23 inequalities remain. Below, we use the convention that $x_{0}$ and $y_{0}$ refer to the LSBs of the input and output, respectively, of any S-box in ANU-II. Also, the variables $N_{t}$ identify the eight S-boxes, for $0 \leq t \leq 7$ . Our MILP model for the first S-box is specified by equations (10) and (11).

Essentially, equation (10) indicates whether the first S-box is active, whereas equation (11) specifies the propagation of differentials through the first S-box. Similarly, one can specify the constraints for the remaining seven S-boxes of ANU-II

{\begin{matrix} x_{0} + \dots + x_{3} \geq N_{0} \\ N_{0} - x_{i} \geq 0 (0 \leq i \leq 3) \end{matrix}

(10)

{\begin{matrix} - x_{3} + x_{1} - x_{0} - y_{2} - y_{1} \geq 3 \\ x_{3} - 3 x_{2} + x_{1} - x_{0} - 3 y_{3} - 2 y_{2} - 3 y_{1} - y_{0} \geq 10 \\ - x_{3} - 2 x_{2} + 2 x_{1} - x_{0} - y_{3} + 2 y_{2} + 2 y_{1} - y_{0} \geq 4 \\ 2 x_{3} + x_{2} - 2 x_{1} + 2 x_{0} + y_{3} - 3 y_{2} - 3 y_{1} - y_{0} \geq 6 \\ 3 x_{3} - x_{2} + 3 x_{1} - x_{0} + 3 y_{3} - y_{2} + 3 y_{1} + 2 y_{0} \geq 0 \\ 6 x_{3} + 3 x_{2} + 3 x_{1} + 6 x_{0} - 2 y_{3} - 2 y_{2} - 2 y_{1} + y_{0} \geq 0 \\ x_{3} + 3 x_{2} - 2 x_{1} + x_{0} - y_{3} + y_{2} + y_{1} + 2 y_{0} \geq 0 \\ x_{3} + 2 x_{2} - 2 x_{0} + y_{2} + 2 y_{1} + y_{0} \geq 0 \\ - x_{3} + 3 x_{2} + 2 x_{1} + 2 x_{0} + 2 y_{3} - y_{2} + 2 y_{1} - y_{0} \geq 0 \\ 3 x_{3} - x_{2} - x_{1} + 3 x_{0} + 2 y_{3} + 2 y_{2} + 2 y_{1} - y_{0} \geq 0 \\ x_{3} + x_{2} - x_{1} - 2 x_{0} + y_{3} + y_{2} - y_{1} - 2 y_{0} \geq 4 \\ - x_{3} - x_{2} + 3 x_{1} + 3 x_{0} + 3 y_{3} + 3 y_{2} - y_{1} + 2 y_{0} \geq 0 \\ 2 x_{3} + 3 x_{2} + 2 x_{1} - x_{0} + 2 y_{3} + 2 y_{2} - y_{1} - y_{0} \geq 0 \\ 2 x_{3} + x_{2} - 2 x_{1} - x_{0} - 2 y_{3} + 2 y_{2} - y_{1} + y_{0} \geq 4 \\ x_{3} - 3 x_{2} + 2 x_{1} + x_{0} + 2 y_{3} + y_{2} + y_{1} + 2 y_{0} \geq 0 \\ - x_{3} + 3 x_{2} - x_{1} + 4 x_{0} - y_{3} + 4 y_{2} - y_{1} + 4 y_{0} \geq 0 \\ - 2 x_{3} - 2 x_{2} - 2 x_{1} - 2 x_{0} + 3 y_{3} + y_{2} + y_{1} + y_{0} \geq 5 \\ - x_{3} + x_{2} + x_{1} + 2 x_{0} - y_{3} + 2 y_{1} - 2 y_{0} \geq 2 \\ - 2 x_{3} + x_{2} - x_{1} + x_{0} + y_{3} - y_{2} + y_{1} - 2 y_{0} \geq 4 \\ - 2 x_{3} + 2 x_{2} - 2 x_{0} - y_{2} - y_{1} - y_{0} \geq 5 \\ - 2 x_{3} - 2 x_{2} - x_{1} + 2 x_{0} - 2 y_{3} - y_{2} - y_{1} + y_{0} \geq 7 \\ - 2 x_{3} - 3 x_{2} - 3 x_{1} + x_{0} - 3 y_{3} + y_{2} - 2 y_{1} - y_{0} \geq 11 \\ x_{3} - 3 x_{2} - 3 x_{1} - 2 x_{0} - 3 y_{3} - 2 y_{2} + y_{1} - y_{0} \geq 11 \end{matrix}

(11)

Linear operation

We consider one of the cyclic rotation of ANU-II as an example. Suppose that $z = (z_{31}, \dots, z_{0})$ denotes the right branch output difference after rotation to the right by 3 bits. The following constraints are easily deduced

{\begin{matrix} z_{0} = x_{3} \\ ⋮ \\ z_{29} = x_{0} \\ z_{30} = x_{1} \\ z_{31} = x_{2} \end{matrix}

(12)

XOR

We only consider the constraints for the first XOR operation. (Similarly, the constraints for the second operation can also be attained.) Let $y = (y_{31}, \dots, y_{0})$ be the left branch output difference through S-box layer, $s = (s_{31}, \dots, s_{0})$ represents output difference after the first bitwise XOR operation, and $d = (d_{31}, \dots, d_{0})$ is a dummy variable

{\begin{matrix} y_{0} + z_{0} + s_{0} \geq 2 d_{0} \\ y_{0} + z_{0} + s_{0} \leq 2, \\ d_{0} \geq y_{0} \\ d_{0} \geq z_{0} \\ d_{0} \geq s_{0} \\ ⋮ \\ y_{31} + z_{31} + s_{31} \geq 2 d_{31} \\ y_{31} + z_{31} + s_{31} \leq 2, \\ d_{31} \geq y_{31} \\ d_{31} \geq z_{31} \\ d_{31} \geq s_{31} \end{matrix}

(13)

An initial constraint

x_{0} + \dots + x_{63} \geq 1

The objective function

Set the r-round objective function as

\min \sum_{j = 0}^{r - 1} {(\sum_{t = 0}^{7} N_{t})}_{j}

(14)

At this point, all inequality constraints are specified and a search for the best lower bound on the number of active S-boxes can be performed. We utilize the commercial software Gurobi²² for this purpose. The experimental results are shown in Table 3, and most notably, the lower bound on the number of active S-boxes equals 0. This observation is very interesting and it essentially indicates that ANU-II might have some serious design flaws.

Table 3.

Lower bounds on the number of active S-boxes for ANU-II.

	# Active S-boxes
Rounds	Dahiphale et al.¹⁷	This article
1	0	0
2	2
3	6
4	13
⋮	–
25	–

Iterated differential characteristic

The above result related to the lower bound on the number of active S-boxed (being 0), initiated a careful investigation of the design rationales of ANU-II, which then resulted in the identification of an iterative differential characteristic that holds with probability 1, as shown in Figure 3. Apparently, this differential characteristic holds with probability 1, because active bits only appear on the right-hand side (in total 32 bits) and the corresponding S-boxes are not active.

Figure 3.

One-round iterated differential characteristic of ANU-II.

Key recovery attack on full-round ANU-II

Employing the iterative differential characteristic of a single round found in the ‘Iterated differential characteristic’ section, one can construct a full-round differential characteristic by iterating the single round differential 25 times, as described in Figure 4. We use ‘1’ and ‘0’ to denote active and inactive bits, respectively. Let now the subkeys of 25 rounds of ANU-II be denoted as $K^{(0)}, \dots, K^{(24)}$ , where additionally, $K^{(r)} = K_{2}^{(r)} ∥ K_{1}^{(r)}$ for 32-bit halves $K_{1}^{(r)}$ and $K_{2}^{(r)}$ . The differential attack on 25-round ANU-II is now described, which heavily relies on some interesting relationships between the subkeys used in the last two encryption rounds.

Figure 4.

Differential attack on full-round ANU-II.

Property 1

The subkeys of two consecutive encryption rounds are heavily related, due to the key schedule of ANU-II. For our purpose, the relation between the subkey bits of the 24th and 25th rounds (96 bits in total) is of interest

{\begin{matrix} K_{1}^{(24)} (31 ~ 13) = K_{1}^{(23)} (18 ~ 0) \\ K_{2}^{(24)} (58 ~ 45) = K_{2}^{(23)} (45 ~ 32) \\ K_{2}^{(24)} (63 ~ 59) = K_{2}^{(23)} (50 ~ 46) \oplus R C_{r} \end{matrix}

(15)

where $R C_{r}$ is round constant and the notation $K_{j}^{(r)} (k ~ l)$ generally means that the key bits involved range from kth to lth position.

The attack consists of the following four steps:

1. Select $2^{m}$ plaintext pairs where the difference of each pair is the same $Δ P = P \oplus P^{'} = (Δ L_{0} ∥ Δ R_{0})$ . The values of $Δ L_{0}$ and $Δ R_{0}$ are shown in Figure 4.

2. Since the 25-round differential characteristic holds with probability with 1, having the input difference $Δ P$ in Step 1 implies that the output difference $Δ C_{25}$ must be $Δ C_{25} = C \oplus C^{'} = (Δ L_{25} ∥ Δ R_{25})$ . The value of $Δ L_{25}$ and $Δ R_{25}$ is shown in Figure 4. Therefore, no filtering process needs to be involved.

3. We now consider the totality of 96 key bits relevant to our attack, more precisely 64 bits of the subkey ( $K_{2}^{(24)}, K_{1}^{(24)}$ ) used in the 25th round and 32 bits of the subkey $K_{2}^{(23)}$ used in the 24th round. Note that Step 3(b) is executed after Step 3(a) has been completed. For each plaintext pair selected in Step 1, we execute the following process:

(a) For every guessed value of the 64-bit subkey $K^{(24)} = K_{2}^{(24)} ∥ K_{1}^{(24)}$ in round 25, decrypt the 25th round: $Δ R_{24} = Δ L_{25} \oplus (Δ R_{25} ⋘ 10) \oplus K_{2}^{(24)}$ and $Δ L_{24} = ((Δ L_{25} \oplus (Δ R_{25} ⋘ 10)$ $\oplus K_{2}^{(24)}) ⋙ 3) \oplus Δ R_{25} \oplus K_{1}^{(24)}$ . If the output difference at round 24 ( $Δ L_{24}, Δ R_{24}$ ) equals (0,…,0,1,…,1), as shown in Figure 4, increment the corresponding counter. Due to a large signal-to-noise ratio only a few plaintext pairs are sufficient to extract these 64 bits, see the discussion on data complexity below.

(b) For every guessed value of the 32-bit subkey $K_{2}^{(23)}$ , decrypt the 24th round: $Δ R_{23} = Δ L_{24} \oplus (Δ R_{24} ⋘ 10) \oplus K_{2}^{(23)}$ . If the 32-bit output difference of round 23 ( $Δ R_{23}$ ) equals (1,…,1), see also Figure 4, increment the corresponding counter.

4. Output the 96-bit subkey guessed $K_{1}^{(24)}, K_{2}^{(24)}$ , and $K_{2}^{(23)}$ as the correct subkeys.

Data complexity

We utilize the signal-to-noise ratio $(S / N = (2^{k} \times p) / (α \times β)$ , introduced by Biham and Shamir,⁶ to determine the cardinality of plaintext pairs, where $k$ is the number of key bits guessed in the analysis, $p$ is the probability of differential characteristic, $α$ is the average number of keys suggested by a pair and $β$ is the ratio between the pairs that are not discarded and a total number of pairs. Since we are guessing 96 bits of the two subkeys and the probability of the differential characteristic is 1 (also implying that there is no additional filtering), then $S / N = 2^{96} \times 1 / 1 \times 1 = 2^{96}$ (as $α = β = p = 1$ ). It also implies that only a few plaintext pairs are enough for a successful differential attack according to Biham and Shamir.⁶ Therefore, we select the number of plaintext pairs to be equal to $2^{m} = 4 \times p^{- 1} = 4$ , which is also the data complexity of our attack.

Time complexity

The time complexity of the attack is clearly dominated by Step 3(a) that is executed first. In particular, Step 3(a) requires about $2 \times 4 \times 2^{64} = 2^{67}$ one-round decryptions. Note that in Step 3(b), 19 bits of the guessed 32 bits key are related to $K^{(24)}$ (according to property 1), and therefore, these 96 bits of subkeys essentially give 77 subkey bits. Finally, we go through the exhaustive search over the remaining 51 bits. Therefore, the total time complexity is $2^{67} \times 1 / 25 + 2^{51} \approx 2^{62.4}$ full-round encryptions, where the factor $1 / 25$ simply denotes that we perform one-round partial decryption.

An efficient modification of ANU-II

The experimental results confirm that the designers’ security evaluation of ANU-II against differential cryptanalysis is incorrect and the design is essentially flawed. The main reason for this is that suitable differences cancel out each other in the right branch (consequently, there is a differential characteristic that holds with probability 1). Therefore, we provide an improved variant of ANU-II given in Figure 5, which avoids this problem (modifying slightly the internal structure) and additionally has the best resistance to differential cryptanalysis without changing hardware and software implementation cost. The minimum number of active S-boxes of the proposed variant of ANU-II is listed in Table 4.

Figure 5.

Our modified variant of ANU-II.

Table 4.

Lower bounds on the number of active S-boxes of our modified variant of ANU-II.

	# Active S-boxes
Rounds	This article
1	0
2	1
3	2
4	4
5	6
6	9

The best differential characteristic of our modified variant

We have also performed experiments towards finding the best differential characteristic of our modified version of ANU-II. For this purpose, we have built an MILP model, as described previously in the ‘Searching for the best differential characteristic’ section

{\begin{matrix} x_{3} - 3 x_{2} + x_{1} - x_{0} - 4 y_{3} - 3 y_{2} - 4 y_{1} - y_{0} - p_{0_{-} 0} + 13 p_{0_{-} 1} \geq 0 \\ - x_{3} - x_{0} - y_{2} - y_{1} - p_{0_{-} 0} + 4 p_{0_{-} 1} \geq 0 \\ - 7 x_{3} - 4 x_{2} + x_{1} + 6 x_{0} + 3 y_{3} + 5 y_{2} - 2 y_{1} + 11 p_{0_{-} 0} + p_{0_{-} 1} \geq 0 \\ x_{3} - 2 x_{2} + x_{0} + 5 y_{3} + 2 y_{2} + 2 y_{1} + y_{0} + 3 p_{0_{-} 0} - 3 p_{0_{-} 1} \geq 0 \\ x_{3} + 2 x_{1} + x_{0} + 2 y_{3} + y_{2} + y_{1} + 2 y_{0} + p_{0_{-} 0} - 4 p_{0_{-} 1} \geq 0 \\ x_{3} + 3 x_{2} + x_{0} + 2 y_{2} + 2 y_{1} + y_{0} - p_{0_{-} 0} - 3 p_{0_{-} 1} \geq 0 \\ 2 x_{3} + 2 x_{2} + x_{1} + 2 x_{0} + y_{2} + y_{1} + y_{0} - p_{0_{-} 0} - 3 p_{0_{-} 1} \geq 0 \\ 5 x_{3} + x_{2} - x_{1} - 3 x_{0} - 2 y_{3} + 3 y_{2} + 2 y_{1} - 2 y_{0} + 2 p_{0_{-} 0} + 3 p_{0_{-} 1} \geq 0 \\ 2 x_{2} - x_{1} - 3 x_{0} + y_{3} + y_{2} - 2 y_{1} - 3 y_{0} - p_{0_{-} 0} + 7 p_{0_{-} 1} \geq 0 \\ - 3 x_{2} - 2 x_{1} + 2 x_{0} - 2 y_{3} + y_{2} - y_{1} - 2 y_{0} + p_{0_{-} 0} + 7 p_{0_{-} 1} \geq 0 \\ 3 x_{3} + x_{2} - x_{1} + 3 x_{0} - 2 y_{2} - 2 y_{1} - y_{0} - 2 p_{0_{-} 0} + 4 p_{0_{-} 1} \geq 0 \\ - 2 x_{3} + 3 x_{2} + 2 x_{1} + 3 x_{0} - 2 y_{3} - y_{2} + 4 y_{1} - 4 y_{0} - p_{0_{-} 0} + 5 p_{0_{-} 1} \geq 0 \\ - x_{3} - x_{0} + y_{2} + y_{1} - p_{0_{-} 0} + 2 p_{0_{-} 1} \geq 0 \\ 4 x_{3} - 3 x_{2} + 2 x_{1} - 5 x_{0} + 2 y_{3} - y_{2} + 3 y_{1} + y_{0} + 7 p_{0_{-} 0} \geq 0 \\ - 4 x_{3} + 3 x_{2} - 2 x_{1} + x_{0} + 2 y_{3} - 3 y_{2} + 2 y_{1} - 4 y_{0} - p_{0_{-} 0} + 9 p_{0_{-} 1} \geq 0 \\ - 3 x_{3} + 4 x_{2} - 3 x_{0} + y_{3} - 2 y_{2} - 2 y_{1} + y_{0} + 3 p_{0_{-} 0} + 5 p_{0_{-} 1} \geq 0 \\ - x_{3} - 3 x_{2} - 3 x_{1} - 2 x_{0} - 2 y_{3} - 7 y_{2} + 7 y_{1} + y_{0} + 4 p_{0_{-} 0} + 11 p_{0_{-} 1} \geq 0 \\ - x_{3} - 2 x_{2} - 2 x_{1} - x_{0} - y_{3} - y_{1} + y_{0} - 2 p_{0_{-} 0} + 8 p_{0_{-} 1} \geq 0 \end{matrix}

(16)

SubBox

Our modified variant of ANU-II also uses eight 4-bit S-boxes. For each 4-bit S-box, there are 97 possible differential patterns that essentially give 97 possible 10-dimensional points when the probability information is embedded. SageMath is used to transform 97 points into 1033 inequalities. After applying the MILP-reduced algorithm, only 18 inequalities then remain. We again assume that $x_{0}$ and $y_{0}$ denote the LSBs of the input and output of the S-box, respectively. Similarly as before, we need to introduce two probability variables $(p_{0}, p_{1})$ to encode the three possible differential patterns of the S-boxes of ANU-II. The first S-box can be described by a set of inequalities (16) and similar constraints can be obtained for the remaining seven S-boxes of ANU-II.

XOR and linear operation

Similar to the method described in the ‘Searching for the exact lower bounds of active S-boxes’ section.

An initial constraint

x_{0} + \dots + x_{63} \geq 1

Objective function

\min \sum_{j = 0}^{r - 1} {(\sum_{t = 0}^{7} p_{t_{-} 0} + 2 p_{t_{-} 1})}_{j}

At this point, all inequality constraints have been specified and our MILP model can search for the best differential characteristics. The experimental results are shown in Table 5, where clearly the situation is now quite different compared to the original design.

Table 5.

The six-round best differential characteristic of our variant of ANU-II.

Rounds	Input difference	$\min \sum_{j = 0}^{r - 1} {(\sum_{t = 0}^{7} p_{t_{-} 0} + 2 p_{t_{-} 1})}_{j}$
1	1020 0002 140a 0801	6
2	6000 0800 1000 0182	10
3	0000 0002 6000 0000	12
4	0000 0000 0000 0002	12
5	0000 0002 0000 0800	14
6	6000 0800 0020 0182	18

Conclusion

In this article, we have successfully applied the standard differential cryptanalysis to the full-round ANU-II block cipher. Due to the design flaw, a differential characteristic that holds with probability 1 could be identified for the entire cipher, which then leads to an efficient attack that uses a few plaintext pairs and $2^{62.4}$ full-round encryptions. It appears that the internal structure within the Feistel network is responsible for this security issue and we propose a simple modification of the internal structure (without changing hardware and software implementation cost), which efficiently protects the cipher form this kind of attacks. This is also illustrated by applying our MILP model to the modified variant of ANU-II where the best differential characteristic (for five-round reduced ANU-II) holds with much smaller probability than one.

Footnotes

Appendix 1

DDT of ANU-II S-box, as shown in Table 6.

Handling Editor: Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship and/or publication of this article: The work was supported in part by the National Natural Science Foundation of China (61872103), in part by the National Natural Science Foundation of China (62162016), in part by the Guangxi Natural Science Foundation (2019GXNSFGA245004), in part by the Scientific Research Project of Young Innovative Talent of Guangxi (Guike AD20238082) and the Guangxi Natural Science Foundation (2020GXNSFBA297076).

ORCID iD

Lingchen Li

References

CK.

An overview on the security techniques and challenges of the internet of things. J Cryptol Res 2015; 2(1): 40–53 (in Chinese).

Bogdanov

Knudsen

Leander

, et al. PRESENT: an ultra-lightweight block cipher. In: Proceedings of the cryptographic hardware and embedded systems (CHES), Vienna, 10–13 September 2007, pp.450–466. Berlin: Springer.

Zhang

LBlock: a lightweight block cipher. In: Proceedings of the 9th international conference on applied cryptography and network security (ACNS), Nerja, 7–10 June 2011, pp.327–344. Berlin: Springer.

Beaulieu

Shors

Sntith

, et al. The SIMON and SPECK lightweight block ciphers. In: Proceedings of the 52nd ACM/EDAC/IEEE design automation conference (DAC), New York, 8–12 June 2015, pp.1–6. New York: IEEE.

Zhang

Bao

Lin

, et al. RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Inform Sci 2015; 58(12): 1–15.

Biham

Shamir

Differential cryptanalysis of DES-like cryptosystems. J Cryptol 1991; 4(1): 3–72.

Mouha

Wang

, et al. Differential and linear cryptanalysis using mixed-integer linear programming. In: Proceedings of the 7th international conference on information security and cryptology (Inscrypt), Beijing, China, 3 December 2011, pp.57–76. Berlin: Springer.

Sun

Wang

, et al. Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties, https://eprint.iacr.org/2014/747 (2015, accessed 8 February 2015).

Wang

Guo

, et al. MILP-based automatic search algorithms for differential and linear trails for SPECK. In: Proceedings of the fast software encryption (FSE), Bochum, 20–23 March 2016, pp.268–288. Berlin: Springer.

10.

Abdelkhalek

Sasaki

Todo

, et al. MILP Modeling for (large) S-boxes to optimize probability of differential characteristics. IACR Trans Symmet Cryptol 2017; 2017(4): 99–129.

11.

Sadeghi

Mohammadi

Bagheri

Cryptanalysis of reduced round SKINNY block cipher. IACR Trans Symmet Cryptol 2018; 2018(3): 124–162.

12.

Zhou

Zhang

Ding

, et al. Improving the MILP-based security evaluation algorithm against differential/linear cryptanalysis using a divide-and-conquer approach. IACR Trans Symmet Cryptol 2019; 2019(4): 438–469.

13.

Liu

Isobe

Meier

Automatic verification of differential characteristics: application to reducedimli. In:: Proceedings of the annual international cryptology conference (CRYPTO), Santa Barbara, CA, 17–21 August 2020, pp.219–248. Cham: Springer.

14.

Zong

Dong

Chen

, et al. Towards key-recovery-attack friendly distinguishers: application to GIFT-128. IACR Trans Symmet Cryptol 2021; 2021(1): 156–184.

15.

Bansod

Patil

Sutar

, et al. ANU: an ultra lightweight cipher design for security in IoT. Secur Commun Netw 2016; 9(18): 5238–5251.

16.

Sasaki

Related-key boomerang attacks on full ANU lightweight block cipher. In: Proceedings of the 16th international conference on applied cryptography and network security (ACNS), Leuven, 2–4 July 2018, pp.421–439. Cham: Springer.

17.

Dahiphale

Bansod

Patil

ANU-II: a fast and efficient lightweight encryption design for security in IoT. In: Proceedings of the international conference on big data, IoT and data science (BID), Pune, India, 20–22 December 2017. New York: IEEE.

18.

Wang

Wei

Liu

Integral distinguisher search of ANU, ANU-II and LiCi block ciphers. J Chin Comput Syst 2020; 41(7): 1470–1475 (in Chinese).

19.

Sun

Wang

, et al. Automatic security evaluation and related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Proceedings of the 20th international conference on the theory and application of cryptology and information security (ASIACRYPT), Kaohsiung, Taiwan, 7–11 December 2014, pp.158–178. Berlin: Springer.

20.

SageMath, http://www.sagemath.org/index.html

21.

Sasaki

Todo

New algorithm for modeling S-box in MILP based differential and division trail search. In: Proceedings of the 10th international conference for information technology and communications (SecITC), Bucharest, 8–9 June 2017, pp.150–165. Cham: Springer.

22.

Gurobi optimizer 9.1.2, http://www.gurobi.com

Differential cryptanalysis of full-round ANU-II ultra-lightweight block cipher

Abstract

Keywords

Introduction

Our contributions

Organization

Preliminaries

Notations

The description of ANU-II

Key schedule

Bit-oriented MILP model for differential analysis

Searching for the exact lower boundsof active S-boxes

Definition 1

Definition 2

SubBox

XOR

Linear operation

An initial constraint

The objective function

Searching for the best differential characteristic

SubBox

The objective function

An initial constraint

Differential cryptanalysis of ANU-II

The exact lower bounds of the number of differential active S-boxes of ANU-II

SubBox

Linear operation

XOR

An initial constraint

The objective function

Iterated differential characteristic

Key recovery attack on full-round ANU-II

Property 1

Data complexity

Time complexity

An efficient modification of ANU-II

The best differential characteristic of our modified variant

SubBox

XOR and linear operation

An initial constraint

Objective function

Conclusion

Footnotes

Appendix 1

Declaration of conflicting interests

Funding

ORCID iD

References