Cryptology ePrint Archive: Report 2016/1108

Security Analysis of SKINNY under Related-Tweakey Settings (Long Paper)

Guozhen Liu and Mohona Ghosh and Ling Song

Abstract: At CRYPTO'16, a new family of tweakable lightweight block ciphers, SKINNY, was introduced. Denoting the variants of SKINNY as SKINNY-$n$-$t$, where $n$ represents the block size and $t$ represents the tweakey length, the design specifies $t \in \{n, 2n, 3n\}$. In this work, we evaluate the security of SKINNY against differential cryptanalysis in the related-tweakey model. First, we investigate truncated related-tweakey differential trails of SKINNY and search for the longest impossible and rectangle distinguishers where there is only one active cell in the input and the output. Based on the distinguishers obtained, $19$, $23$ and $27$ rounds of SKINNY-$n$-$n$, SKINNY-$n$-$2n$ and SKINNY-$n$-$3n$ can be attacked respectively. Moreover, actual differential trails for SKINNY under the related-tweakey model are also explored, and optimal differential trails of SKINNY-64 within a certain number of rounds are searched with an indirect searching method based on Mixed-Integer Linear Programming. The results show a trend that as the number of rounds increases, the probability of optimal differential trails is much lower than the probability derived from lower bounds of active Sboxes in SKINNY.

Category / Keywords: Lightweight Block Cipher, SKINNY, Impossible Differential Attack, Rectangle Attack, Related-Tweakey

Original Publication (with minor differences): IACR-FSE-2018

Date: received 24 Nov 2016, last revised 28 Aug 2017

Contact author: songling at ntu edu sg;mohona@iiitdmj ac in;liuguozhen@sjtu edu cn

Note: Better attacks are given in this version. Specifically, 19 rounds and 23 rounds can be attacked for SKINNY-n-n and SKINNY-n-2n, which cover one more round than the attacks in the original version.

Version: 20170829:020932
