# Partly-Pseudo-Linear Cryptanalysis of Reduced-Round Speck

^{*}

Next Article in Journal

Previous Article in Journal

Department of Computer Science, The George Washington University, 800 22nd St. NW, Washington, DC 20052, USA

Author to whom correspondence should be addressed.

Received: 2 July 2020 / Revised: 30 November 2020 / Accepted: 2 December 2020 / Published: 30 December 2020

We apply McKay’s pseudo-linear approximation of addition modular ${2}^{n}$ to lightweight ARX block ciphers with large words, specifically the Speck family. We demonstrate that a pseudo-linear approximation can be combined with a linear approximation using the meet-in-the-middle attack technique to recover several key bits. Thus we illustrate improvements to Speck linear distinguishers based solely on Cho–Pieprzyk approximations by combining them with pseudo-linear approximations, and propose key recovery attacks.

ARX block ciphers—which rely on Addition-Rotation-XOR operations performed a number of times—provide a common approach to lightweight cipher design. In June 2013, a group of inventors from the US’s National Security Agency (NSA) proposed two families of lightweight block ciphers, Simon and Speck—each of which comes in a variety of widths and key sizes. The Speck cipher, as an ARX cipher, provides efficient software implementations, while Simon provides efficient hardware implementations. Moreover, both families perform well in both hardware and software and offer the flexibility across different platforms that will be required by future applications [1,2]. In this paper, we focus on the Speck family as an example lightweight ARX block cipher to illustrate our attack.

Pseudo-linear cryptanalysis [3,4,5] is a method of analyzing and measuring the security of an ARX block cipher. The main idea of the pseudo-linear approximation is to examine a window (group of contiguous bits) of size w, for some $w<n$, and approximate addition modulo ${2}^{n}$ by addition modulo ${2}^{w}$. If the carry into the window is estimated correctly, the approximation will be perfect. The probability of correctness for a random guess of the value of the window is $\frac{1}{{2}^{w}}$, but the accuracy of the pseudo-linear approximation can be much larger.

This paper presents a new approximation and corresponding key recovery attack, Partly-Pseudo-Linear attack, combining pseudo-linear approximation with linear cryptanalysis of addition modulo ${2}^{n}$ using Cho and Pieprzyk’s property of modular addition [6,7]. This combination of linear and pseudo-linear attack is original to the best of our knowledge. We illustrate, on Speck, improvements due to this approximation over the Cho–Pieprzyk approximation for all rounds. We further use our approximation to describe key recovery attacks. Additionally, for Speck 32/64, we are able to provide experimental results of a few implemented six-round attacks verifying our proposal. We have demonstrated a similar approach to cryptanalysing the SPARX cipher in a later paper [8].

We compare our attack to [9,10] which present linear distinguishers using the Cho–Pieprzyk property. Our key recovery attacks are able to either cover more rounds with similar or better bias, or, when we cover same rounds, our bias is better. We are able to attack nine rounds for Speck 32/64, 11 rounds for Speck 48/96, 14 rounds for Speck 64/128, 12 rounds for Speck 96/144 and 14 rounds for Speck 128/256 (see Section 3 for more detailed comparisons). Note that our approximation is itself a key recovery attack for more than a single bit of key, because its use requires nonlinear operations with some key bits. Though they do not discuss this, the linear distinguishers of [9,10] could possibly be extended to key recovery attacks, bias permitting, by appending rounds of encryption and/or decryption. In this instance, our attack covers more rounds for the variants Speck 64/96 and 64/128, and covers same rounds for Speck 48/72, determining a few more key bits. For Speck 96/96 and 128/128, the data complexity of the attacks of [9,10] is large enough that they cannot add encryption/decryption rounds and hence can perform no key recovery, while we are able to determine 46 (of 96) and 50 (of 128) key bits respectively. While [9,10] do not report key recovery, they would need to reduce their covered rounds in order to determine key bits. In other instances too, when we are not able to cover same rounds, we often find many more key bits.

We find that our proposed Partly-Pseudo-Linear attack, a combination of Cho–Pieprzyk linear approximations with pseudo-linear approximations, is not necessarily more powerful than attacks that use other approaches to linear trails, such as Wallen’s approach [11,12,13]. This seems reasonable, as the correct comparison with these would be a combination of their linear trails with pseudo-linear approximations, which is out of the scope of this paper.

This paper is organized as follows. In Section 2, we present a brief description of Speck and the notation used in this paper. In Section 3 we focus on the most relevant related work. In Section 4, we present our first contribution by applying the pseudo-linear attack on Speck—specifically, Speck 32. In Section 5, we present our proposed Partly-Pseudo-Linear attack on Speck and the results of the implementation. We conclude in Section 6.

This section presents our notation and briefly describes the Speck cipher.

The following describes the notation used in this paper.

- ${\u229e}_{n}$: Addition modulo ${2}^{n}$
- ${\boxminus}_{n}$: Subtraction modulo ${2}^{n}$
- ⊕: The bitwise exclusive-or
- ${\u22d9}_{r}$: r-bit right rotation on an n-bit word
- ${\u22d8}_{r}$: r-bit left rotation on an n-bit word
- $PL\left(CL\right)$: Left word of the Plaintext (Ciphertext)
- $PR\left(CR\right)$: Right word of the Plaintext (Ciphertext)
- $x{l}^{j}\left(x{r}^{j}\right)$: Left (right) word at round j
- $x{l}_{t}^{j}\left(x{r}_{t}^{j}\right)$: $t\mathrm{th}$ window of state $xl$ ($xr$) at round j
- $x{l}_{t}^{j}(i,i+w)$ ($x{r}_{t}^{j}(i,i+w)$): window t with size w of the left (right) word x, where the msb is at i and the lsb is at $i+w-1$, for $0\le i<\frac{n}{2}$ and $1\le w\le \frac{n}{2}$.
- $x{l}_{t}^{j}\left(i\right)$ ($x{r}_{t}^{j}\left(i\right)$): Bit at index i of the window where $0\le i<w$ the left (right) word x.

The Speck cipher is a family of lightweight block ciphers, proposed by inventors from the National Security Agency (NSA) in June 2013 [1,2]. A member of the family is denoted by Speck $2n$/$mn$, where the block size is $2n$ and the key size is $mn$ for some $m\in \{2,3,4\}$.

Each round function in Speck has three main operations:

- Addition modulo ${2}^{n}$, denoted ${\u229e}_{n}$
- Rotation: right rotation by $\alpha $, denoted $\u22d9\alpha $ and left rotation by $\beta $, denoted $\u22d8\beta $
- bitwise XOR, denoted ⊕

In this construction the block of the plaintext is split into two words, PL and PR, which are then added, XORed and rotated by the round function. Figure 1 shows one round from Speck; where $x{l}^{j}$ ($x{r}^{j}$) denotes to the left (right) input words of round j and ${k}^{j}$ denotes to the key of round j.

The output of the round function for the left word of Speck is:

$$x{l}^{j+1}=\left((x{l}^{j}\u22d9\alpha ){\u229e}_{n}x{r}^{j}\right)\oplus {k}^{j}.$$

The output of the round function for the right word is:

$$x{r}_{R}^{j+1}=(x{r}^{j}\u22d8\beta )\oplus x{l}^{j+1}.$$

The parameters specifying the Speck versions are listed in Table 1.

In this section, we review previous works that are relevant to our contributions. We first review linear cryptanalysis and pseudo-linear cryptanalysis, as we will combine the two approaches for our attack. We then describe cryptanalysis of Speck, as we will illustrate our attack on the Speck family.

Linear cryptanalysis [14] is one of the most powerful and widely used attacks on block ciphers. It was introduced by Matsui in 1998, and is a known plaintext attack where the attacker has access to both the plaintext and its encrypted version ciphertext [14,15]. Using linear cryptanalysis, an adversary is able to find a linear expression that approximates a non-linear function that connects plaintext, ciphertext, and key bits with high probability.

The quality of the linear approximation is measured by the bias $\u03f5$ which is defined as $\u03f5=p-\frac{1}{2}$; a higher bias in absolute value, $\left|\u03f5\right|$, implies a better approximation and a more efficient attack. The number of required known plaintext and ciphertext pairs (data complexity, pairs) depends on the success probability desired and is roughly proportional to ${\u03f5}^{-2}$. For example, pairs $={2}^{4}\times {\u03f5}^{-2}$ corresponds to a $99.80\%$ success rate. Table 2 shows different small multiple of ${\u03f5}^{-2}$ with their success rate of the linear approximation [14,15].

The Piling Up Lemma [14] provides an expression for the bias of an approximations that results from the xor of s approximations, each with bias ${\u03f5}_{i}$:

$$\u03f5={2}^{s-1}\prod _{i=1}^{s}{\u03f5}_{i}$$

The modular addition operation is nonlinear as an operation in ${\mathbb{Z}}_{2}$. The result of modular addition in a certain position is the exclusive-or (addition in ${\mathbb{Z}}_{2}$) of the two bits in that position and the carry into the position. The carry, in turn, depends on a non-linear operation (the and operation, multiplication over ${\mathbb{Z}}_{2}$) of previous bits.

Cho and Pieprzyk [6] describe in their paper the behavior of neighboring bits in modular additions. Consider $c=a\u229eb$ where $a,b\in {\{0,1\}}^{32}$ and ⊞ corresponds to addition modulo ${2}^{32}$. Let $a=({a}_{n-1},\dots ,{a}_{0})$, $b=({b}_{n-1},\dots ,{b}_{0})$ and $c=({c}_{n-1},\dots ,{c}_{0})$.

(Practically verbatim from Cho and Pieprzyk [6]) Let ${c}_{i}$ be the ith output bit of the modular addition. Then, ${c}_{0}$ = ${a}_{0}\oplus {b}_{0}$, ${c}_{1}={a}_{1}\oplus {b}_{1}\oplus {a}_{0}\times {b}_{0}$ and for $2\le i\le n-1$:

$${c}_{i}={a}_{i}\oplus {b}_{i}\oplus {a}_{i-1}\times {b}_{i-1}\oplus \sum _{t=0}^{i-2}{a}_{t}\times {b}_{t}\times \prod _{r=t+1}^{i-1}{({a}_{r}\oplus {b}_{r})}^{\prime \prime}$$

According to Cho and Pieperzyk [7], if $Cr(a,b)$ denotes the carry of modular addition, from Lemma 2:

$$C{r}_{i}(a,b)={a}_{i}\times {b}_{i}\oplus \sum _{t=0}^{i-1}{a}_{t}\times {b}_{t}\times \prod _{r=t+1}^{i}({a}_{r}\oplus {b}_{r}),\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}i=0,\dots ,n-2$$

Then, obviously, ${c}_{i}$ = ${a}_{i}\oplus {b}_{i}\oplus C{r}_{i-1}(a,b)$ for $i=1,\dots ,31$. Due to Equation (5), the carry $C{r}_{i}(a,b)$ has the following recursive relation [7].

$$C{r}_{i}(a,b)={a}_{i}\times {b}_{i}\oplus ({a}_{i}\oplus {b}_{i})\times C{r}_{i-1}(a,b)$$

All these equations with ${a}_{i}$, ${b}_{i}$ and ${c}_{i}$ represent one bit each. In another paper, Cho and Pieprzyk [6] describe a property of modular addition that removes the carry chain from Equation (4) and this property uses consecutive bits. Two consecutive bits can be approximated as:

$${c}_{i}\oplus {c}_{i+1}={a}_{i}\oplus {b}_{i}\oplus {a}_{i+1}\oplus {b}_{i+1},\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}with\phantom{\rule{0.277778em}{0ex}}probability\phantom{\rule{0.277778em}{0ex}}\phantom{\rule{0.277778em}{0ex}}P=\frac{3}{4}.$$

This means:

$$Pr[C{r}_{i}(a,b)\oplus C{r}_{i-1}(a,b)=0]=\frac{3}{4}$$

Removing the carry chain from Equation (4), using a mask $\lambda $ to mask the bits that we want to throw away and keep the bits that we are interested in, we can write:

$$P[\lambda \times (a\u229eb)=\lambda \times (a\oplus b)]=\frac{3}{4}$$

The mask $\lambda $ contains exactly the two consecutive bits we are interested in and we can replace $\lambda \times (a\u229eb)$ by $\lambda \times (a\oplus b)$ to obtain a linear expression. This approximation holds with a probability equal to $\frac{3}{4}$. Consequently, the bias is equal to $\frac{1}{4}$. In fact, a prerequisite for Equation (9) is that the following two cases are avoided, because these two cases do not adhere to the Cho and Pieprzyk framework [6]:

- Bitwise rotation breaks the two consecutive bits. After the rotation, one of these two bits will be in the most significant bit position (msb) and the other will be in the least significant bit position (lsb).Example: $00011000\u22d94=10000001$
- Bitwise exclusive-or breaks the two consecutive bits. These two bits will be not consecutive any more.Example: $00011000\oplus 00110000=00101000$

McKay and Vora present the idea of pseudo-linear cryptanalysis [3,4,5] which aims to overcome the limitations of traditional linear cryptanalysis by approximating addition modulo ${2}^{n}$ for large values of n with addition modulo ${2}^{w}$, for a small window size w, $0<w\le n$. In other words, the pseudo-linear approximations use addition modulo ${2}^{w}$ and exclusive-or over a w-bit strings of contiguous bits (windows) instead of using the entire n-bit strings. In this section we provide detail about the approach, which was first developed to analyze Threefish for the SHA-3 competition [5].

McKay and Vora [5] illustrate why this is an improvement over traditional linear cryptanalysis. Consider the following example:

In Figure 2, there are two n-bit words added modulo ${2}^{n}$, only the value of the dark square, labeled z, is needed and it is of size w in bits. Denote by x and y the operand windows in the same position as z. Thus, z can be approximated as $x{\u229e}_{w}y$. The correctness of this approximation is dependent on the value of the carry into the window z.

Let $part(x,s,e)$ represent bits of the word x in positions $[s,e)$, where s represents the index of the word that the window starts with and e is the size of this window, $0\le s<n$, $0\le e<n$, and the least significant bit (lsb) is at index s. We have two scenarios, illustrated by examples for $n=12$. We have two strings added modulo ${2}^{12}$, z = x⊞y. The adversary wants to approximate only a window of 4 bits of z. Thus, $part(z,4,4)\approx part(x,4,4)$ ${\u229e}_{2}$ $part(y,4,4)$. Note that the approximation implicitly assumes that the carry into bit s is zero.

- Suppose $x=001001000100$ and $y=100010101010$. In this case the approximation is correct because the carry into the window is correctly assumed to be zero (See Figure 3).
- Suppose $x=00100100110$ and $y=100010101010$. In this case the approximation is incorrect because the carry into the window is incorrectly assumed to be zero (See Figure 4).

The probability that the carry is 0 is exactly the probability that the approximation is correct when it is applied for the first time and both summand windows are correct (and not yet the result of approximations). This probability is equal to $\frac{1}{2}+{2}^{-(s+1)}$ where s is the lsb of the window [4]. Note that the probability of correctly estimating an entire window is slightly larger than $\frac{1}{2}$. How does one measure the efficacy of this approximation?

Consider the approximation of a single bit, whether by linear approximation or any other technique. A guess made at random with no information would be correct with probability $\frac{1}{2}$. The bias of the approximation is defined as the deviation from $\frac{1}{2}$.

If $w>1$, the pseudo-linear approach provides an approximation for multiple bits, and we define an error measure for the approximation as the difference between the probability of correctly approximating the (entire) window and $\frac{1}{{2}^{w}}$. Thus the pseudo-linear approximation is more advantageous if the size of the window is larger.

Note that the pseudo-linear approximation capture the influence of intermediate carries, which are not typically captured by linear approaches. This is expected to improve the result, even when the aim is to approximate the parity of the final window (see, for example, Section 5.1).

Additionally, intuitively, for a large window, a non-zero carry will not always affect the higher-order bits. Thus, if one is measuring the number of bits that are well-approximated by the pseudo-linear expression (in the previous paragraph, we considered only whether the entire w-bit window was correctly evaluated or not), the higher order bits are more likely to be correct.

Finally, because addition modulo ${2}^{w}$ and exclusive-or do not distribute, the composition of the pseudo-linear approximation and the key injection includes key bits combined in a non-linear manner. For this reason, the use of the pseudo-linear approximation for key recovery requires guessing multiple key bits. In spite of this, we are able to obtain attacks more efficiently than the brute force attack because pseudo-linear approximations enable the reduction of the number of key bits from those required by the cipher [5].

McKay and Vora [3] provide some properties of the approximation over addition windows. Consider two n-bit words, x and y, selected uniformly at random, and a window size $w<n$. The following notation is used in the lemmas: (quoted verbatim from [4])

- ⊕ Bitwise exclusive-or
- ⊞ Addition modulo ${2}^{n}$
- ${\u229e}_{w}$ Addition modulo ${2}^{w}$
- ⊟ Subtraction modulo ${2}^{n}$
- ${\boxminus}_{w}$ Subtraction modulo ${2}^{w}$

“Let $0\le s<s+w<n$. Then $Pr\left[\phantom{\rule{0.166667em}{0ex}}part\phantom{\rule{0.166667em}{0ex}}\right(x\u229ey,s,s+w)$ = $part\phantom{\rule{0.166667em}{0ex}}(x,s,s+w)$${\u229e}_{w}$$part\phantom{\rule{0.166667em}{0ex}}(y,s,s+w)]>\frac{1}{2}$”.

In the proof of this lemma, McKay and Vora demonstrate that

$$Pr[\phantom{\rule{0.166667em}{0ex}}part\phantom{\rule{0.166667em}{0ex}}(x\u229ey,s,s+w)=part\phantom{\rule{0.166667em}{0ex}}(x,s,s+w){\u229e}_{w}part\phantom{\rule{0.166667em}{0ex}}(y,s,s+w)]=\frac{1}{2}+{2}^{-(s+1)}.$$

Note that this is the probability of the entire window being correctly approximated. The probability of bit parities being correctly approximated will typically be larger.

$Pr[\phantom{\rule{0.166667em}{0ex}}part\phantom{\rule{0.166667em}{0ex}}(x\u229ey,0,w)=part\phantom{\rule{0.166667em}{0ex}}(x,0,w){\u229e}_{w}part\phantom{\rule{0.166667em}{0ex}}(y,0,w)]=1$.

$Pr\left[\phantom{\rule{0.166667em}{0ex}}part\right(x\oplus y,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n)=part(x,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n)\oplus \phantom{\rule{0.166667em}{0ex}}part(y,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n\left)\right]=1$.

Let $0\le s<n$ and $(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n<s$. $Pr[\phantom{\rule{0.166667em}{0ex}}part(x\u229ey,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n)=part(x,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n){\u229e}_{w}\phantom{\rule{0.166667em}{0ex}}part(y,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n)]>\frac{1}{2}$.

$Pr[\phantom{\rule{0.166667em}{0ex}}part(x\boxminus y,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n)=part\phantom{\rule{0.166667em}{0ex}}(x,s,(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n){\boxminus}_{w}\phantom{\rule{0.166667em}{0ex}}part\phantom{\rule{0.166667em}{0ex}}(y,s,$*$(s+w)\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}n\left)\right]=\frac{1}{2}$.

Corollary 1 is for the case when the window wraps around from the higher end of the n-bit word to the lower end. If the window does not wrap around in the word, the corresponding result is presented in Lemma 3.

The use of these equations will lead us to approximate windows derived from a single addition. However, the ARX block cipher is an iterated cipher. Thus, after the first approximated addition, the input of all further subsequent additions changes. In particular, the input for the further additions is dependent on the input of the operand bits that precede this addition over all rounds approximated [5].

- Base ApproximationThe base approximation is a simple approximation that follows the windows until the target window. All exclusive-or operations and addition modulo ${2}^{n}$ operations are preserved, assuming that the carry into all windows is 0 [3].
- Carry PatternsA carry pattern is a series of carry values, ${c}_{i}$∈$\{0,1\}$ where i denotes to the approximated addition window that may have a carry into it.Multiple carry patterns, indexed by j, ${C}^{j}$ = $({c}_{0},\dots ,{c}_{i},\dots ,{c}_{m-1})$ can be constructed for each base approximation; here j denotes a specific carry pattern for the approximation, i the approximated window, and m the total number of windows approximated. If ${c}_{i}$ = 1, then the carry going into the $ith$ approximated addition window is 1. Thus, the base approximation is overlaid by the m carry patterns, ${C}^{j}+base$ to result in m estimates of the target window. [5].
- Computing BiasIf $cp$ carry patterns are used, the bias may be experimentally computed to be the difference between the probability of the approximation being correct and the probability of correctly guessing a carry pattern at random, with $cp$ tries. The carry patterns will be correct with probability $\frac{cp}{{2}^{w}}$ instead of $\frac{1}{{2}^{w}}$ since each pattern represents a different approximation. According to McKay [3] the bias is computed using Equation (10)$$bias=\frac{times\phantom{\rule{0.277778em}{0ex}}correct\phantom{\rule{0.277778em}{0ex}}-\frac{\#patterns}{{2}^{w}}\phantom{\rule{0.277778em}{0ex}}\times pairs}{pairs}.$$

Since the publication of Speck in 2013 [1,2], there have been several analyses of the cipher, most focused on differential and linear cryptanalysis. Beaulieu et al. summarise the cryptanalysis and implementation results [16]. Section 3.4.1, reviews different methods of cryptanalysis on Speck. Section 3.4.2, reviews some key results on linear cryptanalysis, as the focus of this paper is to combine linear and pseudo-linear cryptanalysis.

There are two previous works that have the best results of the differential cryptanalysis on Speck. Ling et al. (2016) [17] present differential cryptanalysis of ARX block ciphers. They develop a framework for finding differential characteristics. Lee et al. (2018) [18] present a method of approximating the differentials probability using a SAT solver. In addition, Yunwen et al. (2017) [19] presents a rotational-XOR cryptanalysis on Speck.

Table 4 summarizes the result of Differential and rotational cryptanalysis on the Speck family.

Ashur and Bodden (2016) [10] find a linear approximation of reduced round Speck using Cho and Pieprzyk’s property of modular addition. Bodden (2018) [9] improves on [10] by using the Wallén algorithm to increase the number of attacked rounds by one. These two papers do not have the best results on linear cryptanalysis of Speck but they present different techniques and both of them are focused on discovering a distinguisher and do not attempt to recover key bits.

Yao et al. (2015) [11] were the first to implement Wallén’s enumeration algorithm for the purpose of obtaining linear distinguishers and key recovery attacks on the Speck family. For Speck 32/64, Speck 48/72, Speck 48/96, Speck 64/96, Speck 64/128, and Speck 96/96 they have the distinction of having attacked the largest number of rounds.

Liu et al. (2016) [13] have the largest number of attacked rounds on the two largest size members of the Speck family. They show in their paper that they are able to attack more rounds on the large Speck with large key size especially for Speck 96/144, Speck 128/192, and Speck 128/256. The number of the attacked rounds is larger than [11]. Moreover, they present a new search method for linear approximations of the Speck family by using the partial linear mask table (pLMT).

Fu et al. [12] present differential and linear trails (hull) for an ARX cipher and implement their approach on Speck. For the linear trails (hull), they use the Wallén algorithm and the Mixed Integer Linear Programming model (MILP). Table 5 summarises the results of these previous works.

This paper presents a novel attack: the combination of linear and pseudo-linear attacks. It illustrates improvements to Speck attacks based solely on Cho–Pieprzyk approximations by combining them with pseudo-linear approximations.

In this section, we derive pseudo-linear approximations for 4 and 6 round attacks on Speck 32/64. That is, we approximate the addition mod ${2}^{n}$ by addition mod ${2}^{w}$, for $w=2,3,4$, using some carry patterns for each approximated addition window unless its right end is at the least significant bit (lsb) of the word. In later sections, we combine these approximations with linear approximations.

We begin our work by implementing the pseudo-linear cryptanalysis on four rounds of Speck 32/64, as a meet-in-the-middle attack with a four-bit window approximated by two rounds in the forward direction and two backward. The approximation requires 12 key bits. The first addition operation is before the key round injection, thus it can be performed for the full word without windows or carry patterns, and is denoted $NewPL$ in Table 6, which shows the approximation for four rounds meeting at $x{l}_{1}^{2}(0,1)$. Note that $x(i,i+w-1)$ is a window of size w beginning at msb i and ending at lsb $i+w-1$.

Figure 5 shows how we drive our target window through two rounds of Speck 32/64 and how a meet-in-the-middle attack works for four rounds. Approximations for windows of sizes $w=3$ and $w=4$ are available in the Appendix A.

There are two approximations of interest, $x{l}_{1}^{2}(0,1)$ (Table 6, Round 2) and $x{l}_{1}^{3}(0,1)$ (Table 6, Round 3), each of size $w=2$. $x{l}_{1}^{2}(0,1)$ is the first window (windows are denoted in subscript) of the second round (rounds are denoted in superscript) in the left half. It consists of bits 0 through 1. Similarly, $x{l}_{1}^{3}(0,1)$ is the first window in the third round, consisting of the two least significant bits of the left half state. Each window represents a pseudo-linear approximation from a particular direction (forward or backward), and the approximation meets in the middle, at the target window, $x{l}_{1}^{2}(0,1)$ ≡ $x{l}_{1}^{3}(0,1)$. Note that for window $x{l}_{1}^{2}(0,1)$, the approximation is exact when the key is correct because the summands are exact and the window begins at the least significant bit and the incoming carry is always zero. The approximation for window $x{l}_{1}^{3}(0,1)$ needs an approximation for $x{l}_{1}^{4}(9,10)$ and $x{r}_{1}^{3}(9,10)$, which, in turn, needs an approximation for window $x{l}_{2}^{4}(11,12)$ (window $x{r}_{3}^{4}(11,12)$, $x{r}_{2}^{4}(6,7)$, and $x{r}_{1}^{4}(2,3)$ are computed exactly).

First, we begin with approximating windows $x{l}_{1}^{4}(9,10)$, $x{l}_{2}^{4}(11,12)$, which use the correct value of summand windows, and the approximation error is only due to an error in carry.

McKay shows [4] that the bias of an incoming carry into a window with lsb at position s, assuming a uniform distribution of the bits that have lower significance, is ${2}^{-(s+1)}$. If $carr{y}_{s}$ denotes the carry coming into a window with the least significant bit s, and ${e}_{1},{e}_{2}$ are the error in the first and second bit in a window.

$$Pr[{e}_{1}{e}_{0}=00\mid carr{y}_{s}=0]=1$$

In addition, the probability with which the intermediate carry is correctly computed (by the pseudo-linear summation which assumes the incoming carry is zero) when the incoming carry is actually one is $\frac{1}{2}$, which is also the probability with which the msb is correctly computed when the incoming carry is one (of the four possibilities for the pairs of lsbs of the summand window, when both lsbs are 0, the approximated intermediate carry is 0 as is the true one. Similarly, when both lsbs are 1, both the true and the approximated intermediate carries are 1. When one of the two lsbs is 0 and the other is 1, the approximated carry is zero, but the true carry is one.). Hence:

$$Pr[{e}_{1}{e}_{0}=01\mid carr{y}_{s}=1]=Pr[{e}_{1}{e}_{0}=11\mid carr{y}_{s}=1]=\frac{1}{2}$$

An approximation which uses the correct values for summand windows can never have an error in the msb if the lsb is correct (that is, the carry was correctly estimated), hence:

$$Pr[{e}_{1}{e}_{0}=10\mid carr{y}_{s}=1]=0$$

We start from round 4 to approximate $x{l}_{1}^{4}(9,10)$ and $x{l}_{2}^{4}(11,12)$ (note: $x{l}_{1}^{4}$, the first two-bit window of the fourth round, is located at $(2,3)$ before rotation and, similarly, $x{l}_{2}^{4}$ is located at $(4,5)$). Thus, we need to calculate the probabilities of these two windows as follows:

For window $x{l}_{1}^{4}$ at $(2,3)$:

- $Pr[{e}_{1}{e}_{0}=00]$ = $Pr[carr{y}_{s}=0]$ = $\frac{1}{2}+{2}^{-\left(3\right)}$ = $0.625$
- $Pr[{e}_{1}{e}_{0}=01]$ = $Pr[carr{y}_{s}=1]Pr[carry+s+1=0\mid carr{y}_{s}=1]$ = $\frac{1}{2}(1-Pr[carr{y}_{s}=0])$ = $\frac{1}{2}(1-{2}^{-\left(3\right)})$ = $0.1875$
- $Pr[{e}_{1}{e}_{0}=10]$ = 0
- $Pr[{e}_{1}{e}_{0}=11]$ = $\frac{1}{2}(1-{2}^{-\left(3\right)})$ = $0.1875$

For window $x{l}_{2}^{4}$ at $(4,5)$:

- $Pr[{e}_{1}{e}_{0}=00]$ = $Pr[carr{y}_{s}=0]$ = $\frac{1}{2}+{2}^{-\left(5\right)}$ = $0.53125$
- $Pr[{e}_{1}{e}_{0}=01]$ = $Pr[carr{y}_{s}=1]Pr[carry+s+1=0\mid carr{y}_{s}=1]$ = $\frac{1}{2}(1-Pr[carr{y}_{s}=0])$ = $\frac{1}{2}(1-{2}^{-\left(5\right)})$ = $0.2343$
- $Pr[{e}_{1}{e}_{0}=10]$ = 0
- $Pr[{e}_{1}{e}_{0}=11]$ = $\frac{1}{2}(1-{2}^{-\left(5\right)})$ = $0.2343$

For window $x{r}_{1}^{3}(9,10)$:

- $x{r}_{1}^{3}(9,10)\approx x{l}_{2}^{4}(11,12)\oplus x{r}_{3}^{4}(11,12)$; the error probabilities are those of $x{l}_{2}^{4}$, as $x{r}_{3}^{4}$ is approximated with zero error.

Finally, window $x{l}_{1}^{3}(0,1)$:

- is obtained by adding $x{r}_{1}^{3}(9,10)$ and $x{l}_{1}^{4}(9,10)$. This is the target window and we are trying to compute the entire window correctly, so we compute $Pr[{e}_{1}{e}_{0}=00]$. If the incoming carry is $carr{y}_{s}=0$, we have 16 possibilities for two bit errors in each summand window, 6 of these, with an incoming carry of zero (the possibilities are: both summands have error 00 or 10; with probability half, when both have error patterns 01 or 11; with probability half when the summands are 01 and 11 (two possibilities).), and 8 with an incoming carry of one (with probability half, each of the following pairs of summand errors will result in an error of 00 in the approximated window when the true value of the incoming carry is one; each pair occurs twice: 00 and 01, 00 and 11, 01 and 10, 10 and 11) ,give ${e}_{1}{e}_{0}=00$. The total probability is obtained using the probabilities of errors in windows $x{l}_{1}^{4}(9,10)$ and $x{l}_{2}^{4}(11,12)$ computed above to obtain:
- $Pr[{e}_{1}{e}_{0}=00]$ = $0.4198\left(Pr[carr{y}_{s}=0]\right)+0.1992\left(Pr[carr{y}_{s}=1]\right)$ = $0.3097$.

To experimentally verify our probability, we carried out 200 experiments for the pseudo-linear approximation each with a key chosen at random. We used ${2}^{10}$ P/C pairs for each experiment. The average empirically determined probability for the $x{l}_{1}^{2}(0,1)$ ≡ $x{l}_{1}^{3}(0,1)$ was $0.3476$

The maximum number of rounds we can analyze for key recovery in Speck 32/64 using the pseudo-linear approximation is 6. We are limited by the fact that there are several key bits involved in the approximation and the pseudo-linear cryptanalysis requires the adversary to try all possibility of the key bits that are involved in the approximation. Using this approximation 44 key bits may be recovered with data complexity ${2}^{10}$ and time complexity ${2}^{54}$.

In this paper, we present a new attack for the ARX block cipher which we term the Partly-Pseudo-Linear attack: a meet-in-the-middle combination of pseudo-linear and linear attacks. We show that linear cryptanalysis relying on Cho–Pieprzyk approximations of modular addition is improved by replacing some rounds of linear approximation with pseudo-linear approximations. Using the approach of Bodden and Ashur [9,10], we find the longest linear trails to approximate a window of two consecutive bits in each direction (forward and backward). Of these, we choose the trail(s) that would combine with a lower-error pseudo-linear attack.

The pseudo-linear attack itself first uses pseudo-linear approximations for each addition operation. The approximations require the use of key bits, but because the approximation is limited to a window, fewer key bits are used than in the entire round. Every bit of the window is computed with considerable accuracy as a function of a few key bits. The larger the window size the more key bits are required; similarly, the more rounds one covers (the more additions one approximates) the more key bits are required. This typically limits the window size, and we focus on window sizes of two bits. Thus, our pseudo-linear approximation computes each bit of a window of size two bits in one direction, as a function of some key bits. We use the xor of this window and compare it to the xor computed using linear cryptanalysis in the other direction as described above.

We have done this analysis in the forward direction and backward direction since we will use one of these directions by combining it with the pseudo-linear attack. Figure 6 shows an approximated round of Speck using Cho–Pieperzyk approximations in each direction. Note that the constraint of requiring two consecutive bits in the window to be approximated restricts the windows that can be approximated.

The final linear approximation approximates the xor of the two bits of the window. The bias of the Partly-Pseudo-Linear cryptanalysis approximation hence consists of two parts.

- The first part is the bias of xor of the bits of the window when the window is computed using the pseudo-linear approximation.
- The second part is the bias for the linear approximation, computed using traditional linear approaches. The combination of these two biases using the piling up lemma allows us to determine the number of plaintext and ciphertext pairs that we should use in our experiments.

We illustrate the Partly-Pseudo-Linear attack (including the analytical approach to determining the bias of a pseudo-linear attack) on 6 and 9 rounds of Speck 32/64.

We find the longest linear trail arising from a two-consecutive-bit target window, discovering one that covers four rounds in the backward direction and combines it with two rounds approximated using pseudo-linear cryptanalysis in the forward direction. Table 8 shows the derivation of the mask that is used in the linear part of the Partly-Pseudo-Linear attack. Note that we do not cover more rounds than four rounds because rotation breaks the requirement for two consecutive ones.

The window size of the pseudo-linear approximation is two, $w=2$, and 6 key bits are required for the approximation. In the first round, the addition operation is performed before the key round injection; thus, it can be performed exactly for the full word without any need for an approximation. The second round involves a single modular addition that is approximated by an addition over ${2}^{w}={2}^{2}$ with zero carry. Table 9 shows the Partly-Pseudo-Linear approximation for six rounds meeting at $x{l}_{1}^{2}(1,2)$, which denotes the first (and only) window in round 2. The window is in the left word. (Recall that $x{l}_{t}^{j}$ represents the tth window of the left word in the jth round.)

Figure 7 shows how the target window travels through two rounds of Speck 32/64.

Linear cryptanalysis, and the techniques for computing bias are well-established. On the other hand, pseudo-linear cryptanalysis is new, and we describe here an approach to computing the bias of the xor of a 2-bit window approximated using one instance of the pseudo-linear approximation, as in this case.

Consider the 2-bit target window of interest, $x{l}_{1}^{2}(1,2)$ (Table 9, Round 2), where the pseudo-linear approximation meets the linear approximation. The pseudo-linear part of the attack approximates the xor of the two bits of the window, $x{l}_{1}^{2}\left(1\right)\oplus x{l}_{1}^{2}\left(2\right)$, by approximating the window through multiple rounds, and then, finally, xoring the two bits. The linear part of the attack follows the Cho–Pieprzyk property of modular addition through multiple rounds.

Let the pseudo-linear approximation of the xor be denoted $\zeta $. Because this is the first instance of pseudo-linear approximation, the values of the component windows being added to obtain the target window are correct. That is, no approximations have been used while obtaining $x{l}_{2}^{1}\u22d97$ and $x{r}_{1}^{1}$. Thus, if the incoming carry is zero, the entire target window, $x{l}_{1}^{2}(1,2)$, is estimated correctly and, hence, so is $\zeta $. McKay shows [4] that the bias of an incoming carry into a window with lsb s, assuming a uniform distribution of the bits that have lower significance, is ${2}^{-(s+1)}$. If $carr{y}_{s}$ denotes the carry coming into a window with the least significant bit s,

$$Pr[\zeta \phantom{\rule{3.33333pt}{0ex}}is\phantom{\rule{3.33333pt}{0ex}}correct\mid carr{y}_{s}=0]=1$$

Now consider the case when the incoming carry is 1. The lsb in the approximated window of the sum will be incorrect with probability 1. However, there will be instances when the msb is also approximated incorrectly, in which case the xor will be correct. Because the component windows being added are correct, the msb will be correct if and only if the intermediate carry, going from the lsb to the msb, is incorrect. Of the four possible combinations of the lsbs of the two windows that are being summed, the pseudo-linear approximation approximates the intermediate carry correctly when:

- (a)
- Both bits are zero (and the intermediate carry is zero, its value does not depend on the value of the incoming carry).
- (b)
- Both bits are one (the intermediate carry is one, independent of the incoming carry).

Thus the probability with which the intermediate carry is correctly computed when the incoming carry is one is $\frac{1}{2}$, which is also the probability with which the msb is correctly computed when the incoming carry is one. Hence:

$$Pr[\zeta \phantom{\rule{3.33333pt}{0ex}}is\phantom{\rule{3.33333pt}{0ex}}correct\mid carr{y}_{s}=1]=\frac{1}{2}$$

Hence:

$$Pr\left[\zeta \phantom{\rule{3.33333pt}{0ex}}is\phantom{\rule{3.33333pt}{0ex}}correct\right]=Pr[\zeta \phantom{\rule{3.33333pt}{0ex}}is\phantom{\rule{3.33333pt}{0ex}}correct\mid carr{y}_{s}=0]Pr[carr{y}_{s}=0]+Pr[\zeta \phantom{\rule{3.33333pt}{0ex}}is\phantom{\rule{3.33333pt}{0ex}}correct\mid carr{y}_{s}=1]Pr[carr{y}_{s}=1]$$

$$=1\times (\frac{1}{2}+{2}^{-(s+1)})+\frac{1}{2}\times (\frac{1}{2}-{2}^{-(s+1)})$$

$$=\frac{1}{2}+\frac{1}{4}+{2}^{-(s+2)}$$

For the pseudo-linear approximation of Table 9, we observe that $s=1$, hence:

$$Pr[\zeta \phantom{\rule{3.33333pt}{0ex}}=\phantom{\rule{3.33333pt}{0ex}}correct]=\frac{1}{2}+\frac{3}{8}\approx \frac{1}{2}+{2}^{-1.415}$$

Our bias for the first approximation is larger than the bias of a first-round Cho–Pieprzyk approximation.

To experimentally verify our bias prediction, we carried out 150 experiments for the pseudo-linear approximation each with a key chosen at random. We used ${2}^{10}$ P/C pairs for each experiment. The average empirically determined bias for the xor of the target window was ${2}^{-1.41}$.

Thus, the attack of the approximation of Table 9, using the masks of Table 8, has the following characteristics.

- Bias: The bias for this approximation is a combination of the experimentally-verified bias of the pseudo-linear approximation of the exclusive-or of the two-bit window (${2}^{-1.415}$)and the bias of the linear approximation (${2}^{-10}$) using the piling-up lemma: $2\times {2}^{-1.415}\times {2}^{-10}$ = ${2}^{-10.415}$
- Data complexity: We use the square of the inverse of the bias of the linear approximation: ${2}^{20.83}$
- Time complexity: Data complexity multiplied by the complexity of trying all possibilities for the number of key bits in the pseudo-linear approximation: ${2}^{20.83}\times {2}^{6}={2}^{26.83}$

The summary of attack properties is presented in Table 10. We were able to determine all six key bits correctly for each of the randomly-chosen keys in a list of three best keys.

We describe a nine-round key recovery attack. Here in this nine-round attack, we use a different mask that covers four rounds and can be combined with our pseudo-linear approximation. Table 11 shows the mask that is used in this attack.

We use five rounds forward of pseudo-linear approximation (the maximum given the time complexity constraints of the non-linear approximation) and four rounds backward using a linear approximation. The window size of the pseudo-linear approximation is two, $w=2$. Table 12 shows the approximation for nine rounds meeting at $x{l}_{1}^{5}(10,11)$; note that 36 key bits are required. Figure 8 shows how we derive the pseudo-linear approximation of the target window through five rounds of Speck 32/64.

For Speck 32/64, the maximum number of rounds we can reach is nine rounds with a recovery of 36 key bits (See Table 13).

The larger variants of Speck correspond to a larger block with two or three different key sizes. This gives us two features. First, with a larger key size, we have a larger brute-force attack to compare with, so a pseudo-linear attack can cover more rounds in spite of requiring key bits in the approximation. Second, with a larger block size, it is harder to break the mask $\lambda $ through bitwise rotation.

Table 14 summarizes the results of the Partly-Pseudo-Linear attack on the Speck family. Details of the individual attacks are in Appendix B, Appendix C, Appendix D and Appendix E. For the attacks on larger rounds, our bias predictions are limited by the ability to experimentally determines the error of pseudo-linear approximation.

This paper presents a new cryptanalysis of the ARX block cipher Partly-Pseudo-Linear attack: combining linear and the pseudo-linear cryptanalysis. We illustrate this attack by combining linear approximations using Cho–Pieprzyk and pseudo-linear approximations on the Speck family. We are able to extend distinguishers using Cho–Pieprzyk to key recovery attacks.

We are able to recover 36 encryption key bits for 9 rounds of Speck 32/64, 45 key bits for 11 rounds of Speck 48/96, 49 key bits for 14 rounds of Speck 64/128, 76 key bits for 12 rounds of Speck 96/144 and 173 key bits for 14 rounds of Speck 128/256. We propose to apply our Partly-Pseudo-Linear attack to other ARX block ciphers with a design similar to Speck. Moreover, we are exploring the combination of the pseudo-linear cryptanalysis attack with a linear cryptanalysis attack that uses Wallen’s algorithm to improve our Partly-Pseudo-Linear attack.

This work contributes to the doctoral dissertation of S.A.A., who did 80% of the work. All authors, S.A.A. and P.L.V. have read and approved the final version of the manuscript. All authors have read and agreed to the published version of the manuscript.

This research received no external funding.

Not applicable.

The authors would like to thank Kerry McKay for suggesting we look at the Speck cipher. PV was supported in part by NSF Award No. 2015253.

The authors declare no conflict of interest.

Pseudo-linear cryptanalysis of four-round Speck 32/64 with different window sizes:

- Window size $w=3$. The following Table A1 shows the approximation for four rounds meeting at $x{l}_{1}^{2}(0,2)$.

Round | Encryption | Decryption |
---|---|---|

1 | $NewPL=(PL\u22d97){\u229e}_{16}PR$ | |

$x{l}_{1}^{1}=NewPL(0,2)\oplus {k}_{1}^{1}(0,2)$ | ||

$x{l}_{2}^{1}=NewPL(7,9)\oplus {k}_{2}^{1}(7,9)$ | ||

$x{r}_{1}^{1}=(PR(14,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})\u22d82)\oplus x{l}_{1}^{1}$ | ||

2 | $x{l}_{1}^{2}=\left((x{l}_{2}^{1}\u22d97){\u229e}_{3}x{r}_{1}^{1}\right)\oplus {k}_{1}^{2}(0,2)$ | |

$x{l}_{1}^{2}$ ≡ $x{l}_{1}^{3}$ | ||

3 | $x{l}_{1}^{3}\approx \left((x{l}_{1}^{4}\oplus {k}_{1}^{3}(9,11)){\boxminus}_{3}x{r}_{1}^{3}\right))\u22d87$ | |

$x{r}_{1}^{3}\approx \left((x{l}_{2}^{4}\oplus x{r}_{3}^{4})\right)\u22d92$ | ||

4 | $x{l}_{2}^{4}\approx \left((CL(4,6)\oplus {k}_{1}^{4}(4,6)){\boxminus}_{3}x{r}_{2}^{4}\right)\u22d87$ | |

$x{l}_{1}^{4}\approx \left((CL(2,4)\oplus {k}_{1}^{4}(2,4)){\boxminus}_{3}x{r}_{1}^{4}\right)\u22d87$ | ||

$x{r}_{1}^{4}=(CR(4,6)\oplus CL(4,6))\u22d92$ | ||

$x{r}_{2}^{4}=(CR(6,8)\oplus CL(6,8))\u22d92$ | ||

$x{r}_{3}^{4}=(CR(13,15)\oplus CL(13,15))\u22d92$ |

- 2.
- Window size $w=4$. The following Table A2 shows the approximation for four rounds meeting $x{l}_{1}^{2}(0,3)$.

Round | Encryption | Decryption |
---|---|---|

1 | $NewPL=(PL\u22d97){\u229e}_{16}PR$ | |

$x{l}_{1}^{1}=NewPL(0,3)\oplus {k}_{1}^{1}(0,3)$ | ||

$x{l}_{2}^{1}=NewPL(7,10)\oplus {k}_{2}^{1}(7,10)$ | ||

$x{r}_{1}^{1}=\left(PR(14,17\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})\right)\u22d82)\oplus x{l}_{1}^{1}$ | ||

2 | $x{l}_{1}^{2}=\left((x{l}_{2}^{1}\u22d97){\u229e}_{2}x{r}_{1}^{1}\right)\oplus {k}_{1}^{2}(0,3)$ | |

$x{l}_{1}^{2}$ ≡ $x{l}_{1}^{3}$ | ||

3 | $x{l}_{1}^{3}\approx \left((x{l}_{1}^{4}\oplus {k}_{1}^{3}(9,12)){\boxminus}_{2}x{r}_{1}^{3}\right))\u22d87$ | |

$x{r}_{1}^{3}\approx \left((x{l}_{2}^{4}\oplus x{r}_{3}^{4})\right)\u22d92$ | ||

4 | $x{l}_{2}^{4}\approx \left((CL(4,7)\oplus {k}_{2}^{4}(4,7)){\boxminus}_{2}x{r}_{2}^{4}\right)\u22d87$ | |

$x{l}_{1}^{4}\approx \left((CL(2,5)\oplus {k}_{1}^{4}(2,5)){\boxminus}_{2}x{r}_{1}^{4}\right)\u22d87$ | ||

$x{r}_{1}^{4}=\left(NewCR(4,7)\right)\u22d92$ | ||

$x{r}_{2}^{4}=\left(NewCR(6,9)\right)\u22d92$ | ||

$x{r}_{3}^{4}=\left(NewCR(13,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})\right)\u22d92$ | ||

$NewCR=CL\oplus CR$ |

In Speck 48 there are two key sizes: 72 bits and 96 bits. With Speck 48/72, we are able to attack 10 rounds (four rounds using a pseudo-linear approximation and six rounds using a linear approximation). Using this approach, we are able to recover 27 key bits. With Speck 48/96, we increase the pseudo-linear approximation by one more round and are able to recover 45 key bits.

In the previous attacks in Section 5, we show that the longest linear trail covers four rounds of Speck 32/64 in the backward direction and Table 8 and Table 11 show that the reason to stop after four rounds was that rotation broke the requirement for two consecutive ones. Here in this attack, we use a mask that covers six rounds and the reason to stop is that exclusive-or breaks the requirement for two consecutive ones. Table A3 shows the mask that is used in this attack. As with Speck 32, we can drive our target window $x{l}_{1}^{7}(1,0)$ backward from the ciphertext to build the pseudo-linear approximation.

Round | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | Cost |
---|---|---|---|---|---|

1 | $\mathtt{0}\mathtt{xe}\mathtt{3036}\mathtt{d}$ | $\mathtt{0}\mathtt{xe}\mathtt{03}\mathtt{f}\mathtt{62}$ | $\mathtt{0}\mathtt{x}\mathtt{3}\mathtt{c}\mathtt{0}\mathtt{f}\mathtt{03}$ | $\mathtt{0}\mathtt{x}\mathtt{5}\mathtt{f}\mathtt{3}\mathtt{be}\mathtt{3}$ | 5 |

2 | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{f}\mathtt{0063}$ | $\mathtt{0}\mathtt{x}\mathtt{03000}\mathtt{f}$ | $\mathtt{0}\mathtt{xe}\mathtt{3036}\mathtt{d}$ | $\mathtt{0}\mathtt{xe}\mathtt{03}\mathtt{f}\mathtt{62}$ | 6 |

3 | $\mathtt{0}\mathtt{x}\mathtt{000363}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{f}\mathtt{0063}$ | $\mathtt{0}\mathtt{x}\mathtt{03000}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{ee}\mathtt{30}\mathtt{c}$ | 3 |

4 | $\mathtt{0}\mathtt{x}\mathtt{030300}$ | $\mathtt{0}\mathtt{x}\mathtt{600303}$ | $\mathtt{0}\mathtt{x}\mathtt{000363}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{f}\mathtt{0063}$ | 3 |

5 | $\mathtt{0}\mathtt{x}\mathtt{000300}$ | $\mathtt{0}\mathtt{x}\mathtt{000003}$ | $\mathtt{0}\mathtt{x}\mathtt{030300}$ | $\mathtt{0}\mathtt{x}\mathtt{600303}$ | 2 |

6 | $\mathtt{0}\mathtt{x}\mathtt{000003}$ | $\mathtt{0}\mathtt{x}\mathtt{000000}$ | $\mathtt{0}\mathtt{x}\mathtt{000300}$ | $\mathtt{0}\mathtt{x}\mathtt{000003}$ | 1 |

In Speck 64 there are two key sizes: 96 bits and 128 bits. With Speck 64/96, we are able to attack 13 rounds (four rounds using a pseudo-linear approximation and nine rounds using linear approximations). Thus, we are able to recover 28 key bits. With Speck 64/128, we increase the pseudo-linear approximation by one more rounds and are able to recover 49 key bits.

Table A4 shows the mask that is used in this attack. As with Speck 32, we can drive our target window $x{l}_{1}^{10}(0,1)$ backward from the ciphertext to build the pseudo-linear approximation.

Round | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | Cost |
---|---|---|---|---|---|

1 | $\mathtt{0}\mathtt{x}\mathtt{30}\mathtt{c}\mathtt{03030}$ | $\mathtt{0}\mathtt{x}\mathtt{30}\mathtt{f}\mathtt{6}\mathtt{e}\mathtt{836}$ | $\mathtt{0}\mathtt{x}\mathtt{36}\mathtt{d}\mathtt{80600}$ | $\mathtt{0}\mathtt{xc}\mathtt{6280500}$ | 5 |

2 | $\mathtt{0}\mathtt{x}\mathtt{36018000}$ | $\mathtt{0}\mathtt{x}\mathtt{06314030}$ | $\mathtt{0}\mathtt{x}\mathtt{30}\mathtt{c}\mathtt{03030}$ | $\mathtt{0}\mathtt{x}\mathtt{30}\mathtt{f}\mathtt{6}\mathtt{e}\mathtt{836}$ | 4 |

3 | $\mathtt{0}\mathtt{x}\mathtt{300}\mathtt{c}\mathtt{0}\mathtt{c}\mathtt{00}$ | $\mathtt{0}\mathtt{x}\mathtt{303}\mathtt{a}\mathtt{0}\mathtt{d}\mathtt{80}$ | $\mathtt{0}\mathtt{x}\mathtt{36018000}$ | $\mathtt{0}\mathtt{x}\mathtt{06314030}$ | 3 |

4 | $\mathtt{0}\mathtt{x}\mathtt{8060006}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{80500}\mathtt{c}\mathtt{61}$ | $\mathtt{0}\mathtt{x}\mathtt{300}\mathtt{c}\mathtt{0}\mathtt{c}\mathtt{00}$ | $\mathtt{0}\mathtt{x}\mathtt{303}\mathtt{a}\mathtt{0}\mathtt{d}\mathtt{80}$ | 3 |

5 | $\mathtt{0}\mathtt{x}\mathtt{0303030}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{e}\mathtt{83630}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{8060006}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{80500}\mathtt{c}\mathtt{61}$ | 4 |

6 | $\mathtt{0}\mathtt{x}\mathtt{03000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{030063}$ | $\mathtt{0}\mathtt{x}\mathtt{0303030}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{e}\mathtt{83630}\mathtt{f}$ | 5 |

7 | $\mathtt{0}\mathtt{x}\mathtt{00030300}$ | $\mathtt{0}\mathtt{x}\mathtt{60000303}$ | $\mathtt{0}\mathtt{x}\mathtt{03000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{030063}$ | 3 |

8 | $\mathtt{0}\mathtt{x}\mathtt{00000300}$ | $\mathtt{0}\mathtt{x}\mathtt{00000003}$ | $\mathtt{0}\mathtt{x}\mathtt{00030300}$ | $\mathtt{0}\mathtt{x}\mathtt{60000303}$ | 2 |

9 | $\mathtt{0}\mathtt{x}\mathtt{00000003}$ | $\mathtt{0}\mathtt{x}\mathtt{00000000}$ | $\mathtt{0}\mathtt{x}\mathtt{00000300}$ | $\mathtt{0}\mathtt{x}\mathtt{00000003}$ | 1 |

In Speck 96 there are two key sizes: 96 bits and 144 bits. With Speck 96/96, we are able to attack 10 rounds (five rounds using a pseudo-linear approximation and five rounds using linear approximations). Thus, we are able to recover 46 key bits. With Speck 96/144, we increase the pseudo-linear approximation by one round and increase the linear approximation by one round too. Thus, the total is 12 rounds and we are able to recover 76 key bits.

Table A5 shows the mask that is used in this attack. As with Speck 32 and Speck 48, in Speck 96/96, we can drive our target window $x{l}_{1}^{5}(1,0)$ backward from the ciphertext to build the pseudo-linear approximation. On the other hand, for Speck 96/144, we increase the attacked rounds by two rounds and the target window is $x{l}_{1}^{6}(0,1)$.

Round | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | Cost |
---|---|---|---|---|---|

1 | $\mathtt{0}\mathtt{x}\mathtt{83000060036}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{803300600}\mathtt{c}\mathtt{62}$ | $\mathtt{0}\mathtt{x}\mathtt{3300000}\mathtt{f}\mathtt{0}\mathtt{f}\mathtt{03}$ | $\mathtt{0}\mathtt{x}\mathtt{5335600}\mathtt{c}\mathtt{0}\mathtt{e}\mathtt{83}$ | 7 |

2 | $\mathtt{0}\mathtt{x}\mathtt{00030303030}\mathtt{c}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{d}\mathtt{800303630}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{83000060036}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{803300600}\mathtt{c}\mathtt{62}$ | 6 |

3 | $\mathtt{0}\mathtt{x}\mathtt{000003000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{0000030063}$ | $\mathtt{0}\mathtt{x}\mathtt{00030303030}\mathtt{c}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{d}\mathtt{800303630}\mathtt{f}$ | 5 |

4 | $\mathtt{0}\mathtt{x}\mathtt{000000030300}$ | $\mathtt{0}\mathtt{x}\mathtt{600000000303}$ | $\mathtt{0}\mathtt{x}\mathtt{000003000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{0000030063}$ | 3 |

5 | $\mathtt{0}\mathtt{x}\mathtt{000000000300}$ | $\mathtt{0}\mathtt{x}\mathtt{000000000003}$ | $\mathtt{0}\mathtt{x}\mathtt{000000030300}$ | $\mathtt{0}\mathtt{x}\mathtt{600000000303}$ | 2 |

6 | $\mathtt{0}\mathtt{x}\mathtt{000000000003}$ | $\mathtt{0}\mathtt{x}\mathtt{000000000000}$ | $\mathtt{0}\mathtt{x}\mathtt{000000000300}$ | $\mathtt{0}\mathtt{x}\mathtt{000000000003}$ | 1 |

In Speck 128 there are three key sizes: 128 bits, 192 bits, and 256 bits. With Speck 128/128, we are able to attack 11 rounds (five rounds using a pseudo-linear approximation and 6 rounds using a linear approximations). Thus, we are able to recover 50 key bits. With Speck 128/192, we increase the pseudo-linear approximation by two more rounds (Total rounds is 13) and are able to recover 122 key bits. With Speck 128/256, we increase the pseudo-linear approximation by one round (Total rounds is 14) and are able to recover 173 key bits.

Table A6 shows the mask that is used in this attack. As with Speck 32, we can drive our target window $x{l}_{1}^{7}(0,1)$ backward from the ciphertext to build the pseudo-linear approximation.

R | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | Cost |
---|---|---|---|---|---|

1 | $\mathtt{0}\mathtt{x}\mathtt{800003000060036}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{8030000300600}\mathtt{c}\mathtt{62}$ | $\mathtt{0}\mathtt{x}\mathtt{30030300000}\mathtt{f}\mathtt{0}\mathtt{f}\mathtt{00}$ | $\mathtt{0}\mathtt{x}\mathtt{50360303600}\mathtt{c}\mathtt{0}\mathtt{e}\mathtt{83}$ | 7 |

2 | $\mathtt{0}\mathtt{x}\mathtt{000000030303030}\mathtt{c}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{d}\mathtt{8000000303630}\mathtt{f}$ | $\mathtt{0}\mathtt{x}\mathtt{800003000060036}\mathtt{d}$ | $\mathtt{0}\mathtt{x}\mathtt{8030000300600}\mathtt{c}\mathtt{62}$ | 6 |

3 | $\mathtt{0}\mathtt{x}\mathtt{0000000003000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{00000000030063}$ | $\mathtt{0}\mathtt{x}\mathtt{000000030303030}\mathtt{c}$ | $\mathtt{0}\mathtt{x}\mathtt{6}\mathtt{d}\mathtt{8000000303630}\mathtt{f}$ | 5 |

4 | $\mathtt{0}\mathtt{x}\mathtt{0000000000030300}$ | $\mathtt{0}\mathtt{x}\mathtt{6000000000000303}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000003000360}$ | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{00000000030063}$ | 3 |

5 | $\mathtt{0}\mathtt{x}\mathtt{0000000000000300}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000000000003}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000000030300}$ | $\mathtt{0}\mathtt{x}\mathtt{6000000000000303}$ | 2 |

6 | $\mathtt{0}\mathtt{x}\mathtt{0000000000000003}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000000000000}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000000000300}$ | $\mathtt{0}\mathtt{x}\mathtt{0000000000000003}$ | 1 |

- Beaulieu, R.; Shors, D.; Smith, J.; Treatman-Clark, S.; Weeks, B.; Wingers, L. The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptol. EPrint Arch.
**2013**, 2013, 404. [Google Scholar] - Beaulieu, R.; Shors, D.; Smith, J.; Treatman-Clark, S.; Weeks, B.; Wingers, L. The SIMON and SPECK lightweight block ciphers. In Proceedings of the 52nd Annual Design Automation Conference, San Francisco, CA, USA, 7–11 June 2015; pp. 175:1–175:6. [Google Scholar] [CrossRef]
- McKay, K.A.; Vora, P.L. Analysis of ARX Functions: Pseudo-linear Methods for Approximation, Differentials, and Evaluating Diffusion. IACR Cryptol. EPrint Arch.
**2014**, 2014, 895. [Google Scholar] - McKay, K.A. Analysis of ARX Round Functions in Secure Hash Functions. Ph.D. Thesis, The George Washington University, Washington, DC, USA, 2014. [Google Scholar]
- McKay, K.A.; Vora, P.L. Pseudo-Linear Approximations for ARX Ciphers: With Application to Threefish. In Proceedings of the Second SHA-3 Candidate Conference, Santa Barbara, CA, USA, 23–24 August 2010; p. 282. [Google Scholar]
- Cho, J.Y.; Pieprzyk, J. Multiple Modular Additions and Crossword Puzzle Attack on NLSv2. In Proceedings of the 10th International Conference on Information Security (ISC 2007), Valparaiso, Chile, 9–12 October 2007; Lecture Notes in Computer Science. Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4779, pp. 230–248. [Google Scholar] [CrossRef]
- Cho, J.Y.; Pieprzyk, J. Algebraic Attacks on SOBER-t32 and SOBER-t16 without Stuttering. In Fast Software Encryption, Proceedings of the 11th International Workshop, (FSE 2004), Delhi, India, 5–7 February 2004; Revised Papers; Lecture Notes in Computer Science; Roy, B.K., Meier, W., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3017, pp. 49–64. [Google Scholar] [CrossRef]
- Alzakari, S.; Vora, P. Linear and Partly-Pseudo-Linear Cryptanalysis of Reduced-Round SPARX Cipher. IACR Cryptol. EPrint Arch.
**2020**, 2020, 978. [Google Scholar] - Bodden, D. Linear Cryptanalysis of Reduced-Round Speck with a Heuristic Approach: Automatic Search for Linear Trails. In Proceedings of the Information Security–21st International Conference (ISC 2018), Guildford, UK, 9–12 September 2018; Lecture Notes in Computer Science. Chen, L., Manulis, M., Schneider, S., Eds.; Springer: Berlin/Heidelberg, Germany, 2018; Volume 11060, pp. 132–150. [Google Scholar] [CrossRef]
- Ashur, T.; Bodden, D. Linear Cryptanalysis of Reduced-Round Speck. In Proceedings of the 37th Symposium on Information Theory in the Benelux 2016, Louvain-la-Neuve, Belgium, 19–20 May 2016. [Google Scholar]
- Yao, Y.; Zhang, B.; Wu, W. Automatic Search for Linear Trails of the SPECK Family. In Proceedings of the Information Security—18th International Conference (ISC 2015), Trondheim, Norway, 9–11 September 2015; Lecture Notes in Computer Science. Lopez, J., Mitchell, C.J., Eds.; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9290, pp. 158–176. [Google Scholar] [CrossRef]
- Fu, K.; Wang, M.; Guo, Y.; Sun, S.; Hu, L. MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck. In Proceedings of the Fast Software Encryption—23rd International Conference (FSE 2016), Bochum, Germany, 20–23 March 2016; Revised Selected Papers; Lecture Notes in Computer Science. Peyrin, T., Ed.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9783, pp. 268–288. [Google Scholar] [CrossRef]
- Liu, Y.; Fu, K.; Wang, W.; Sun, L.; Wang, M. Linear cryptanalysis of reduced-round SPECK. Inf. Process. Lett.
**2016**, 116, 259–266. [Google Scholar] [CrossRef] - Matsui, M. Linear Cryptanalysis Method for DES Cipher. In Advances in Cryptology—EUROCRYPT ’93, Proceedings of the Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993; Lecture Notes in Computer Science; Helleseth, T., Ed.; Springer: Berlin/Heidelberg, Germany, 1993; Volume 765, pp. 386–397. [Google Scholar] [CrossRef]
- Heys, H.M. A Tutorial on Linear and Differential Cryptanalysis. Cryptologia
**2002**, 26, 189–221. [Google Scholar] [CrossRef] - Beaulieu, R.; Shors, D.; Smith, J.; Treatman-Clark, S.; Weeks, B.; Wingers, L. SIMON and SPECK: Block Ciphers for the Internet of Things. IACR Cryptol. EPrint Arch.
**2015**, 2015, 585. [Google Scholar] - Song, L.; Huang, Z.; Yang, Q. Automatic Differential Analysis of ARX Block Ciphers with Application to SPECK and LEA. In Proceedings of the Information Security and Privacy—21st Australasian Conference (ACISP 2016), Melbourne, VIC, Australia, 4–6 July 2016; Part II; Lecture Notes in Computer Science. Liu, J.K., Steinfeld, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9723, pp. 379–394. [Google Scholar] [CrossRef]
- HoChang, L.; Seojin, K.; HyungChul, K.; Deukjo, H.; Jaechul, S.; Hong, S. Calculating the Approximate Probability of Differentials for ARX-Based Cipher Using SAT Solver. J. Korea Inst. Inf. Secur. Cryptol.
**2018**, 28, 15–24. [Google Scholar] [CrossRef] - Liu, Y.; Witte, G.D.; Ranea, A.; Ashur, T. Rotational-XOR Cryptanalysis of Reduced-round SPECK. IACR Trans. Symmetric Cryptol.
**2017**, 2017, 24–36. [Google Scholar] [CrossRef] - Dwivedi, A.D.; Morawiecki, P.; Srivastava, G. Differential Cryptanalysis of Round-Reduced SPECK Suitable for Internet of Things Devices. IEEE Access
**2019**, 7, 16476–16486. [Google Scholar] [CrossRef]

Block Size, 2n | Key Size, mn | Word Size, n | $\mathit{\alpha}$ | $\mathit{\beta}$ | Rounds |
---|---|---|---|---|---|

32 | 64 | 16 | 7 | 2 | 22 |

48 | 72 | 24 | 8 | 3 | 22 |

96 | 23 | ||||

64 | 96 | 32 | 8 | 3 | 26 |

128 | 27 | ||||

96 | 96 | 48 | 8 | 3 | 28 |

144 | 29 | ||||

128 | 128 | 64 | 8 | 3 | 32 |

192 | 33 | ||||

256 | 34 |

Pairs | $2\times {\mathit{\u03f5}}^{-2}$ | ${2}^{2}\times {\mathit{\u03f5}}^{-2}$ | ${2}^{3}\times {\mathit{\u03f5}}^{-2}$ | ${2}^{4}\times {\mathit{\u03f5}}^{-2}$ |
---|---|---|---|---|

Rate | $48.6\%$ | $78.5\%$ | $96.7\%$ | $99.9\%$ |

Linear Cryptanalysis | Pseudo-Linear Cryptanalysis |
---|---|

The effect of several approximations can be easily concatenated and simplified because there is only one operation (exclusive-or). | The effect of several approximations cannot be concatenated and simplified because the two operations (exclusive-or and addition modulo ${2}^{w}$) do not commute. |

Combining key bits across rounds into a single function of the key, independent of plaintext bits, is possible. | Cannot combine key bits across rounds into a single function of the key independent of plaintext. |

The approximation may be used for a distinguisher as well as for key recovery. | The approximation includes a non-linear function of key and plaintext bits, and cannot be used as a distinguisher but can be used for key recovery. |

Approximation of a single modular addition for large window sizes has low bias. | Approximation of a single modular addition can result in high accuracy prediction of large windows. |

N/K | Ref. | Type of Attack | Number of Rounds | Data Complexity | Time Complexity |
---|---|---|---|---|---|

32/64 | [19] | Rotational | 12 | NA | NA |

[20] | Differential | 12 | ${2}^{31}$ | ${2}^{63}$ | |

[17] | Differential | 14 | ${2}^{30.47}$ | ${2}^{62.47}$ | |

[18] | Differential | 15 | ${2}^{31.39}$ | ${2}^{63.39}$ | |

48/72 | [17] | Differential | 15 | ${2}^{45.31}$ | ${2}^{69.31}$ |

[18] | Differential | 16 | ${2}^{47.8}$ | ${2}^{95.8}$ | |

48/96 | [20] | Differential | 13 | ${2}^{48}$ | ${2}^{96}$ |

[19] | Rotational | 15 | NA | NA | |

[17] | Differential | 16 | ${2}^{45.31}$ | ${2}^{93.31}$ | |

[18] | Differential | 17 | ${2}^{47.8}$ | ${2}^{71.8}$ | |

64/96 | [17] | Differential | 19 | ${2}^{61.56}$ | ${2}^{93.56}$ |

64/128 | [19] | Rotational | 13 | NA | NA |

[20] | Differential | 15 | ${2}^{64}$ | ${2}^{128}$ | |

[17] | Differential | 20 | ${2}^{61.56}$ | ${2}^{125.56}$ | |

96/96 | [17] | Differential | 20 | ${2}^{95.94}$ | ${2}^{95.94}$ |

96/144 | [19] | Rotational | 13 | NA | NA |

[20] | Differential | 13 | ${2}^{93}$ | ${2}^{141}$ | |

[17] | Differential | 21 | ${2}^{95.94}$ | ${2}^{143.94}$ | |

128/128 | [17] | Differential | 23 | ${2}^{125.35}$ | ${2}^{125.35}$ |

128/128 | [17] | Differential | 24 | ${2}^{125.35}$ | ${2}^{189.35}$ |

128/128 | [19] | Rotational | 13 | NA | NA |

[20] | Differential | 15 | ${2}^{126}$ | ${2}^{254}$ | |

[17] | Differential | 25 | ${2}^{125.35}$ | ${2}^{253.35}$ |

N | Ref. | Number of Rounds | Guessed Key Bit/K | Bias | Data Complexity | Time Complexity |
---|---|---|---|---|---|---|

32 | [10] | 7 | LT | ${2}^{-14}$ | ${2}^{28}$ | ${2}^{28}$ |

[9] | 8 | LT | ${2}^{-15}$ | ${2}^{30}$ | ${2}^{30}$ | |

This work | 9 | 36/64 | ${2}^{-13.348}$ | ${2}^{26.68}$ | ${2}^{62.68}$ | |

[12] | 9 | LT | ${2}^{-14}$ | NA | NA | |

[13] | 9 | LT | ${2}^{-14}$ | NA | NA | |

[11] | 12 | 29/64 | ${2}^{-14}$ | ${2}^{30.87}$ | ${2}^{60.21}$ | |

48 | [10] | 8 | LT | ${2}^{-22}$ | ${2}^{44}$ | ${2}^{44}$ |

[9] | 9 | LT | ${2}^{-23}$ | ${2}^{46}$ | ${2}^{46}$ | |

This work | 10 | 27/72 | ${2}^{-22.436}$ | ${2}^{44.872}$ | ${2}^{71.872}$ | |

[12] | 10 | LT | ${2}^{-22}$ | NA | NA | |

[13] | 10 | LT | ${2}^{-22}$ | NA | NA | |

[11] | 11 | 24/72 | ${2}^{-20}$ | ${2}^{43.72}$ | ${2}^{67.93}$ | |

This work | 11 | 45/96 | ${2}^{-24}$ | ${2}^{48}$ | ${2}^{93}$ | |

[11] | 12 | 48/96 | ${2}^{-20}$ | ${2}^{43.72}$ | ${2}^{91.93}$ | |

64 | [9] | 11 | LT | ${2}^{-31}$ | ${2}^{62}$ | ${2}^{62}$ |

[10] | 11 | LT | ${2}^{-32}$ | ${2}^{64}$ | ${2}^{64}$ | |

[13] | 12 | LT | ${2}^{-30}$ | NA | NA | |

This work | 13 | 28/96 | ${2}^{-29.88}$ | ${2}^{59.76}$ | ${2}^{87.76}$ | |

[11] | 13 | 31/96 | ${2}^{-25}$ | ${2}^{54.63}$ | ${2}^{85.74}$ | |

[12] | 13 | LT | ${2}^{-30}$ | NA | NA | |

[11] | 14 | 31/96 | ${2}^{-31}$ | ${2}^{62.73}$ | ${2}^{94.87}$ | |

[11] | 14 | 63/128 | ${2}^{-25}$ | ${2}^{54.80}$ | ${2}^{117.7}$ | |

This work | 14 | 49/128 | ${2}^{-31.58}$ | ${2}^{63.16}$ | ${2}^{112.16}$ | |

[11] | 15 | 63/128 | ${2}^{-31}$ | ${2}^{62.73}$ | ${2}^{126.9}$ | |

96 | [11] | 8 | 47/96 | ${2}^{-11}$ | ${2}^{27.65}$ | ${2}^{74.7}$ |

[11] | 9 | 95/144 | ${2}^{-11}$ | ${2}^{27.65}$ | ${2}^{122.7}$ | |

[10] | 10 | LT | ${2}^{-47}$ | ${2}^{92}$ | ${2}^{92}$ | |

This work | 10 | 46/96 | ${2}^{-21.86}$ | ${2}^{43.72}$ | ${2}^{89.72}$ | |

[9] | 12 | LT | ${2}^{-48}$ | ${2}^{96}$ | ${2}^{96}$ | |

This work | 12 | 76/144 | ${2}^{-29.238}$ | ${2}^{58.476}$ | ${2}^{134.476}$ | |

[12] | 15 | LT | ${2}^{-45}$ | NA | NA | |

[13] | 17 | NA/144 | ${2}^{-45}$ | ${2}^{92}$ | ${2}^{96}$ | |

128 | [11] | 7 | 191/256 | ${2}^{-11}$ | ${2}^{28.30}$ | ${2}^{220.7}$ |

[11] | 8 | 63/128 | ${2}^{-11}$ | ${2}^{28.30}$ | ${2}^{92.69}$ | |

[11] | 9 | 127/192 | ${2}^{-11}$ | ${2}^{28.30}$ | ${2}^{156.7}$ | |

[10] | 11 | LT | ${2}^{-63}$ | ${2}^{144}$ | ${2}^{144}$ | |

This work | 11 | 50/128 | ${2}^{-28.179}$ | ${2}^{56.358}$ | ${2}^{106.358}$ | |

[9] | 13 | LT | ${2}^{-58}$ | ${2}^{116}$ | ${2}^{116}$ | |

This work | 13 | 122/192 | ${2}^{-31.299}$ | ${2}^{62.598}$ | ${2}^{184.598}$ | |

This work | 14 | 173/256 | ${2}^{-33.415}$ | ${2}^{66.83}$ | ${2}^{239.83}$ | |

[12] | 16 | LT | ${2}^{-58}$ | NA | NA | |

[13] | 18 | NA/192 | ${2}^{-61}$ | ${2}^{124}$ | ${2}^{128}$ | |

[13] | 19 | NA/256 | ${2}^{-61}$ | ${2}^{124}$ | ${2}^{192}$ |

N is the block size and K is the key size. LT refers to a Linear Trail used as a distinguisher. NA refers to Not Available (not reported in the paper).

Round | Encryption | Decryption |
---|---|---|

1 | $NewPL=(PL\u22d97){\u229e}_{16}PR$ | |

$x{l}_{1}^{1}=NewPL(0,1)\oplus {k}_{1}^{1}(0,1)$ | ||

$x{l}_{2}^{1}=NewPL(7,8)\oplus {k}_{2}^{1}(7,8)$ | ||

$x{r}_{1}^{1}=\left(PR(14,15)\right)\u22d82)\oplus x{l}_{1}^{1}$ | ||

2 | $x{l}_{1}^{2}(0,1)=\left((x{l}_{2}^{1}\u22d97){\u229e}_{2}x{r}_{1}^{1}\right)\oplus {k}_{1}^{2}(0,1)$ | |

$x{l}_{1}^{2}(0,1)$ ≡ $x{l}_{1}^{3}(0,1)$ | ||

3 | $x{l}_{1}^{3}(0,1)\approx \left((x{l}_{1}^{4}(9,10)\oplus {k}_{1}^{3}(9,10)){\boxminus}_{2}x{r}_{1}^{3}(9,10)\right))\u22d87$ | |

$x{r}_{1}^{3}(9,10)\approx \left((x{l}_{2}^{4}(11,12)\oplus x{r}_{3}^{4}(11,12))\right)\u22d92$ | ||

4 | $x{l}_{2}^{4}(11,12)\approx \left((CL(4,5)\oplus {k}_{1}^{4}(4,5)){\boxminus}_{2}x{r}_{2}^{4}(4,5)\right)\u22d87$ | |

$x{l}_{1}^{4}(9,10)\approx \left((CL(2,3)\oplus {k}_{1}^{4}(2,3)){\boxminus}_{2}x{r}_{1}^{4}(2,3)\right)\u22d87$ | ||

$x{r}_{1}^{4}(2,3)=(CR(4,5)\oplus CL(4,5))\u22d92$ | ||

$x{r}_{2}^{4}(4,5)=(CR(6,7)\oplus CL(6,7))\u22d92$ | ||

$x{r}_{3}^{4}(11,12)=(CR(13,14)\oplus CL(13,14))\u22d92$ |

Approximation | Window Size | Guessed Key Bits | Bias | Data Complexity | Time Complexity |
---|---|---|---|---|---|

Table 6 | 2 bits | 12 | ${2}^{-3.35}$ | ${2}^{10}$ | ${2}^{22}$ |

Appendix A | 3 bits | 17 | ${2}^{-2.01}$ | ${2}^{10}$ | ${2}^{27}$ |

Appendix A | 4 bits | 22 | ${2}^{-1.65}$ | ${2}^{10}$ | ${2}^{32}$ |

Round | Cost | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | Reason to Stop |
---|---|---|---|---|---|---|

1 | 1 | $\mathtt{0}\mathtt{x}\mathtt{0006}$ | $\mathtt{0}\mathtt{x}\mathtt{0000}$ | $\mathtt{0}\mathtt{x}\mathtt{7800}$ | $\mathtt{0}\mathtt{x}\mathtt{6000}$ | |

2 | 2 | $\mathtt{0}\mathtt{x}\mathtt{7800}$ | $\mathtt{0}\mathtt{x}\mathtt{6000}$ | $\mathtt{0}\mathtt{x}\mathtt{8331}$ | $\mathtt{0}\mathtt{x}\mathtt{83}\mathtt{c}\mathtt{1}$ | |

3 | 3 | $\mathtt{0}\mathtt{x}\mathtt{8331}$ | $\mathtt{0}\mathtt{x}\mathtt{83}\mathtt{c}\mathtt{1}$ | $\mathtt{0}\mathtt{xe}\mathtt{019}$ | $\mathtt{0}\mathtt{x}\mathtt{831}\mathtt{f}$ | |

4 | 3 | $\mathtt{0}\mathtt{xe}\mathtt{019}$ | $\mathtt{0}\mathtt{x}\mathtt{831}\mathtt{f}$ | $\mathtt{0}\mathtt{xf}\mathtt{0}\mathtt{be}$ | $\mathtt{0}\mathtt{xc}\mathtt{37}\mathtt{e}$ | |

5 | $\mathtt{0}\mathtt{xf}\mathtt{0}\mathtt{be}$ | $\mathtt{0}\mathtt{xc}\mathtt{37}\mathtt{e}$ | Broke requirement of consecutive ones for | |||

$\mathtt{0}\mathtt{xf}\mathtt{0}\mathtt{be}\u22d97$. |

Round | Encryption | Decryption |
---|---|---|

1 | $NewPL=(PL\u22d97){\u229e}_{16}PR$ | |

$x{l}_{1}^{1}=NewPL(1,2)\oplus {k}_{1}^{1}(1,2)$ | ||

$x{l}_{2}^{1}=NewPL(8,9)\oplus {k}_{2}^{1}(8,9)$ | ||

$x{r}_{1}^{1}=(PR(15,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}16)\u22d82)\oplus x{l}_{1}^{1}$ | ||

2 | $x{l}_{1}^{2}(1,2)\approx \left((x{l}_{2}^{1}\u22d97){\u229e}_{2}x{r}_{1}^{1}\right)\oplus {k}_{1}^{2}(1,2)$ | |

$x{l}_{1}^{2}\left(1\right)\oplus x{l}_{1}^{2}\left(2\right)$ ≡ $linearT$ | ||

3 to 6 | $linearT\approx {\lambda}_{{x}^{4}}$$.CL\oplus {\lambda}_{{y}^{4}}.CR$ |

Approximation | Window | No. of Key Bits Correctly Determined | Bias | Data Complexity | Time Complexity |
---|---|---|---|---|---|

Table 9 | 2 bits | 6 | ${2}^{-10.415}$ | ${2}^{20.83}$ | ${2}^{26.83}$ |

Round | Cost | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}}}$ | ${\mathit{\lambda}}_{{\mathit{x}}^{\mathit{i}+1}}$ | ${\mathit{\lambda}}_{{\mathit{y}}^{\mathit{i}+1}}$ | Reason to Stop |
---|---|---|---|---|---|---|

1 | 1 | $\mathtt{0}\mathtt{x}\mathtt{0}\mathtt{c}\mathtt{00}$ | $\mathtt{0}\mathtt{x}\mathtt{0000}$ | $\mathtt{0}\mathtt{x}\mathtt{0078}$ | $\mathtt{0}\mathtt{x}\mathtt{0060}$ | |

2 | 2 | $\mathtt{0}\mathtt{x}\mathtt{0078}$ | $\mathtt{0}\mathtt{x}\mathtt{0060}$ | $\mathtt{0}\mathtt{x}\mathtt{3183}$ | $\mathtt{0}\mathtt{xc}\mathtt{183}$ | |

3 | 3 | $\mathtt{0}\mathtt{x}\mathtt{3183}$ | $\mathtt{0}\mathtt{xc}\mathtt{183}$ | $\mathtt{0}\mathtt{x}\mathtt{19}\mathtt{e}\mathtt{0}$ | $\mathtt{0}\mathtt{x}\mathtt{1}\mathtt{f}\mathtt{83}$ | |

4 | 3 | $\mathtt{0}\mathtt{x}\mathtt{19}\mathtt{e}\mathtt{0}$ | $\mathtt{0}\mathtt{x}\mathtt{1}\mathtt{f}\mathtt{83}$ | $\mathtt{0}\mathtt{xbef}\mathtt{0}$ | $\mathtt{0}\mathtt{x}\mathtt{7}\mathtt{ec}\mathtt{3}$ | |

5 | $\mathtt{0}\mathtt{xbef}\mathtt{0}$ | $\mathtt{0}\mathtt{x}\mathtt{7}\mathtt{ec}\mathtt{3}$ | Broke requirement for consecutive ones for | |||

$\mathtt{0}\mathtt{xfbc}\mathtt{2}\u22d97$. |

Round | Encryption | Decryption |
---|---|---|

1 | $NewPL=(PL\u22d97){\u229e}_{16}PR$ | |

$x{l}_{1}^{1}=NewPL(15,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})\oplus {k}_{1}^{1}(15,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})$ | ||

$x{l}_{2}^{1}=NewPL(1,2)\oplus {k}_{2}^{1}(1,2)$ | ||

$x{l}_{3}^{1}=NewPL(4,5)\oplus {k}_{3}^{1}(4,5)$ | ||

$x{l}_{4}^{1}=NewPL(6,7)\oplus {k}_{4}^{1}(6,7)$ | ||

$x{l}_{5}^{1}=NewPL(8,9)\oplus {k}_{5}^{1}(8,9)$ | ||

$x{l}_{6}^{1}=NewPL(10,11)\oplus {k}_{6}^{1}(10,11)$ | ||

$x{l}_{7}^{1}=NewPL(13,14)\oplus {k}_{7}^{1}(13,14)$ | ||

$x{r}_{1}^{1}=(PR(13,14)\u22d82)\oplus x{l}_{1}^{1}$ | ||

$x{r}_{2}^{1}=(PR(15,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})\u22d82)\oplus x{l}_{2}^{1}$ | ||

$x{r}_{3}^{1}=(PR(2,3)\u22d82)\oplus x{l}_{3}^{1}$ | ||

$x{r}_{4}^{1}=(PR(4,5)\u22d82)\oplus x{l}_{4}^{1}$ | ||

$x{r}_{5}^{1}=(PR(6,7)\u22d82)\oplus x{l}_{5}^{1}$ | ||

$x{r}_{6}^{1}=(PR(8,9)\u22d82)\oplus x{l}_{6}^{1}$ | ||

$x{r}_{7}^{1}=(PR(11,12)\u22d82)\oplus x{l}_{7}^{1}$ | ||

2 | $x{l}_{1}^{2}\approx \left((x{l}_{4}^{1}\u22d97){\u229e}_{2}x{r}_{1}^{1}\right)\oplus {k}_{1}^{2}(15,16\phantom{\rule{0.166667em}{0ex}}mod\phantom{\rule{0.166667em}{0ex}}{2}^{4})$ | |

$x{l}_{2}^{2}\approx \left((x{l}_{5}^{1}\u22d97){\u229e}_{2}x{r}_{2}^{1}\right)\oplus {k}_{2}^{2}(1,2)$ | ||

$x{l}_{3}^{2}\approx \left((x{l}_{7}^{1}\u22d97){\u229e}_{2}x{r}_{4}^{1}\right)\oplus {k}_{3}^{2}(6,7)$ | ||

$x{l}_{4}^{2}\approx \left((x{l}_{1}^{1}\u22d97){\u229e}_{2}x{r}_{5}^{1}\right)\oplus {k}_{4}^{2}(8,9)$ | ||

$x{l}_{5}^{2}\approx \left((x{l}_{2}^{1}\u22d97){\u229e}_{2}x{r}_{6}^{1}\right)\oplus {k}_{5}^{2}(10,11)$ | ||

$x{r}_{1}^{2}\approx (x{r}_{7}^{1}\u22d82)\oplus x{l}_{1}^{2}$ | ||

$x{r}_{2}^{2}\approx (x{r}_{1}^{1}\u22d82)\oplus x{l}_{2}^{2}$ | ||

$x{r}_{3}^{2}\approx (x{r}_{3}^{1}\u22d82)\oplus x{l}_{3}^{2}$ | ||

$x{r}_{4}^{2}\approx (x{r}_{4}^{1}\u22d82)\oplus x{l}_{4}^{2}$ | ||

$x{r}_{5}^{2}\approx (x{r}_{5}^{1}\u22d82)\oplus x{l}_{5}^{2}$ | ||

3 | $x{l}_{1}^{3}\approx \left((x{l}_{4}^{2}\u22d97){\u229e}_{2}x{r}_{2}^{2}\right)\oplus {k}_{1}^{3}(1,2)$ | |

$x{l}_{2}^{3}\approx \left((x{l}_{1}^{2}\u22d97){\u229e}_{2}x{r}_{4}^{2}\right)\oplus {k}_{2}^{3}(8,9)$ | ||

$x{l}_{3}^{3}\approx \left((x{l}_{2}^{2}\u22d97){\u229e}_{2}x{r}_{5}^{2}\right)\oplus {k}_{3}^{3}(10,11)$ | ||

$x{r}_{1}^{3}\approx (x{r}_{1}^{2}\u22d82)\oplus x{l}_{1}^{3}$ | ||

$x{r}_{2}^{3}\approx (x{r}_{3}^{2}\u22d82)\oplus x{l}_{2}^{3}$ | ||

$x{r}_{3}^{3}\approx (x{r}_{4}^{2}\u22d82)\oplus x{l}_{3}^{3}$ | ||

4 | $x{l}_{1}^{4}\approx \left((x{l}_{2}^{3}\u22d97){\u229e}_{2}x{r}_{1}^{3}\right)\oplus {k}_{1}^{4}(1,2)$ | |

$x{l}_{2}^{4}\approx \left((x{l}_{1}^{3}\u22d97){\u229e}_{2}x{r}_{3}^{3}\right)\oplus {k}_{2}^{4}(10,11)$ | ||

$x{r}_{1}^{4}\approx (x{r}_{2}^{3}\u22d82)\oplus x{l}_{2}^{4}$ | ||

5 | $x{l}_{1}^{5}(10,11)\approx \left((x{l}_{1}^{4}\u22d97){\u229e}_{2}x{r}_{1}^{4}\right)\oplus {k}_{1}^{5}(10,11)$ | |

$x{l}_{1}^{5}\left(10\right)\oplus x{l}_{1}^{5}\left(11\right)$ ≡ $linearT$ | ||

6 to 9 | $linearT\approx {\lambda}_{{x}^{4}}.CL\oplus {\lambda}_{{y}^{4}}.CR$ |

Approximation | Window Size | Key | Bias | Data Complexity | Time Complexity |
---|---|---|---|---|---|

Table 12 | 2 bits | 36 | ${2}^{-13.348}$ | ${2}^{26.68}$ | ${2}^{62.68}$ |

Block Size | Key Size | Rounds | Guessed Key Bits | Bias | Data Complexity | Time Complexity | Approximation |
---|---|---|---|---|---|---|---|

32 | 64 | 9 | 36 | ${2}^{-13.348}$ | ${2}^{26.68}$ | ${2}^{62.68}$ | Table 12 |

48 | 72 | 10 | 27 | ${2}^{-22.436}$ | ${2}^{44.872}$ | ${2}^{71.872}$ | Appendix B |

96 | 11 | 45 | ${2}^{-24}$ | ${2}^{48}$ | ${2}^{93}$ | ||

64 | 96 | 13 | 28 | ${2}^{-29.88}$ | ${2}^{59.76}$ | ${2}^{87.76}$ | Appendix C |

128 | 14 | 49 | ${2}^{-31.58}$ | ${2}^{63.16}$ | ${2}^{112.16}$ | ||

96 | 96 | 10 | 46 | ${2}^{-21.86}$ | ${2}^{43.72}$ | ${2}^{89.72}$ | Appendix D |

144 | 12 | 76 | ${2}^{-29.238}$ | ${2}^{58.476}$ | ${2}^{134.476}$ | ||

128 | 128 | 11 | 50 | ${2}^{-28.179}$ | ${2}^{56.358}$ | ${2}^{106.358}$ | Appendix E |

192 | 13 | 122 | ${2}^{-31.299}$ | ${2}^{62.598}$ | ${2}^{184.598}$ | ||

256 | 14 | 173 | ${2}^{-33.415}$ | ${2}^{66.83}$ | ${2}^{239.83}$ |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).