Cryptology ePrint Archive: Report 2021/1641

Differential Cryptanalysis of WARP

Je Sen Teh and Alex Biryukov

Abstract: The proliferation of resource-constrained Internet-of-Things (IoT) devices that transmit sensitive data on a daily basis has led to the need for lightweight ciphers with minimal computational requirements. WARP is an energy-efficient lightweight block cipher that is currently the smallest 128-bit block cipher in terms of hardware. It was proposed by Banik et al. in SAC 2020 as a lightweight replacement for AES-128 without changing the mode of operation. This paper proposes key-recovery attacks on WARP based on differential cryptanalysis in single and related-key settings. We searched for differential trails for up to 20 rounds of WARP, with the first 19 having optimal differential probabilities. We also found that the cipher has a strong differential effect, whereby 16 to 20-round differentials have substantially higher probabilities than their corresponding individual trails. A 23-round key-recovery attack was then realized using an 18-round differential distinguisher. Next, we formulated an automatic boomerang search using SMT that relies on the Feistel Boomerang Connectivity Table to identify valid switches. We designed the search as an add-on to the CryptoSMT tool, making it applicable to other Feistel-like ciphers such as TWINE and LBlock-s. For WARP, we found a 21-round boomerang distinguisher which was used in a 24-round rectangle attack. In the related-key setting, we describe a family of 2-round iterative differential trails, which we used in a practical related-key attack on the full 41-round WARP.

Category / Keywords: secret-key cryptography / Constrained devices, IoT, symmetric-key, block ciphers, differential cryptanalysis, boomerang distinguisher, rectangle attack, related-key, WARP, GFN

Date: received 15 Dec 2021, last revised 6 Jan 2022

Contact author: jesen_teh at usm my, alex biryukov at uni lu

Available format(s): PDF | BibTeX Citation

Note: Slight correction - Previous attack described in a prior ePrint is indeed valid.

Version: 20220106:154531 (All versions of this report)

Short URL: ia.cr/2021/1641


[ Cryptology ePrint archive ]