Paper 2020/1317

Improved Rectangle Attacks on SKINNY and CRAFT

Hosein Hadipour and Nasour Bagheri and Ling Song

Abstract

The boomerang and rectangle attacks are adaptions of differential cryptanalysis that regard the target cipher $E$ as a composition of two sub-ciphers, i.e., $E = E_{1}\circ E_{0}$, to construct a distinguisher for $E$ with probability $p^{2}q^{2}$ by concatenating two short differential trails for $E_{0}$ and $E_{1}$ with probability $p$ and $q$ respectively. According to the previous research the dependency between these two differential characteristics have a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman \etal proposed the sandwich attack to formalise such dependency that regards $E$ as three parts, i.e., $E = E_{1}\circ E_{m}\circ E_{0}$, where $E_{m}$ contains the dependency between two differential trails, satisfying some differential propagation with probability $r$. Accordingly, the entire probability is $p^{2}q^{2}r$. Recently, Song \etal have proposed a general framework to identify the actual boundaries of $E_{m}$ and systematically evaluate the probability of $E_{m}$ with any number of rounds, and applied their method to accurately evaluate the probabilities of the best \texttt{SKINNY}'s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for \texttt{SKINNY} can be significantly improved in terms of probability and number of rounds. More precisely, we propose related-tweakey boomerang distinguishers for up to 19, 21, 23, and 25 rounds of \texttt{SKINNY}-64-128, \texttt{SKINNY}-128-256, \texttt{SKINNY}-64-192, and \texttt{SKINNY}-128-384 respectively, which improve the previous boomerang distinguishers of these variants of \texttt{SKINNY} by 1, 2, 1, and 1 round respectively. Based on the improved boomerang distinguishers for \texttt{SKINNY}, we provide related-tweakey rectangle attacks on 23 rounds of \texttt{SKINNY}-64-128, 24 rounds of \texttt{SKINNY}-128-256, 29 rounds of \texttt{SKINNY}-64-192, and 30 rounds of \texttt{SKINNY}-128-384. It worth noting that our improved related-tweakey rectangle attacks on \texttt{SKINNY}-64-192, \texttt{SKINNY}-128-256 and \texttt{SKINNY}-128-384 can be directly applied for the same number of rounds of \texttt{ForkSkinny-64-192}, \texttt{ForkSkinny-128-256} and \texttt{ForkSkinny-128-384} respectively. \texttt{craft} is another \texttt{SKINNY}-like tweakable block cipher for which we provide the security analysis against rectangle attack for the first time. As a result, we provide a 14-round boomerang distinguisher for \texttt{craft} in the single-tweak model based on which we propose a single-tweak rectangle attack on 18 rounds of this cipher. Moreover, following the previous research regarding the evaluation of switching in multiple rounds of boomerang distinguishers, we also introduce new tools called \textit{Double Boomerang Connectivity Table} (\texttt{DBCT}), $\texttt{bdt}^{\Dashv}$, and $\texttt{dbt}^{\vDash}$ to evaluate the boomerang switch through the multiple rounds more accurately.

Note: The current version is an early draft and the key recovery part will be included soon.