Cryptology ePrint Archive: Report 2013/853

Automatic Search for Differential Trails in ARX Ciphers (Extended Version)

Alex Biryukov and Vesselin Velichkov

Abstract: We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations. The source code of the tool is publicly available as part of a larger toolkit for the analysis of ARX at the following address: https://github.com/vesselinux/yaarx .

Category / Keywords: secret-key cryptography / symmetric-key, differential trail, tools for cryptanalysis, automatic search, ARX, TEA, XTEA, SPECK, RAIDEN

Original Publication (with major differences): Cryptographers' Track at the RSA Conference (CT-RSA '14)

Date: received 17 Dec 2013, last revised 17 Dec 2013

Contact author: vesselin velichkov at uni lu

Available format(s): PDF | BibTeX Citation

Version: 20131217:162616 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]