Paper 2022/1123

DEEPAND: In-Depth Modeling of Correlated AND Gates for NLFSR-based Lightweight Block Ciphers

Amit Jana, Indian Statistical Institute, Kolkata
Mostafizar Rahman, University of Hyogo, Japan
Dhiman Saha, Lab, Department of Electrical Engineering and Computer Science, Indian Institute of Technology Bhilai

Automated cryptanalysis has taken center stage in the arena of cryptanalysis since the pioneering work by Mouha et al. which showcased the power of Mixed Integer Linear Programming (MILP) in solving cryptanalysis problems that otherwise, required significant effort. Since its inception, research in this area has moved in primarily two directions. One is to model more and more classical cryptanalysis tools as optimization problems to leverage the ease provided by state-of-the-art solvers. The other direction is to improve existing models to make them more efficient and/or accurate. The current work is an attempt to contribute to the latter. In this work, a general model referred to as DEEPAND has been devised to capture the correlation between AND gates in NLFSR-based lightweight block ciphers. DEEPAND builds upon and generalizes the idea of joint propagation of differences through AND gates captured using refined MILP modeling of TinyJAMBU by Saha et al. in FSE 2020. The proposed model has been applied to TinyJAMBU and KATAN and can detect correlations that were missed by earlier models. This leads to more accurate differential bounds for both ciphers. In particular, a 384-round (full-round as per earlier specification) Type-IV trail is found for TinyJAMBU with 14 active AND gates using the new model, while the refined model reported this figure to be 19. This also reaffirms the decision of the designers to increase the number of rounds from 384 to 640. Moreover, the model succeeds in searching a full round Type-IV trail of TinyJAMBU keyed permutation $\mathcal{P}_{1024}$ with probability $2^{-108} (\gg 2^{-128})$. This reveals the non-random properties of $\mathcal{P}_{1024}$ thereby showing it to be non-ideal. Hence it cannot be expected to provide the same security levels as robust block ciphers. Further, the provable security of the TinyJAMBU AEAD scheme should be carefully revisited. Similarly, for KATAN 32, DEEPAND modeling improves the 42-round trail with $2^{-11}$ probability to $2^{-7}$. Also, for KATAN 48 and KATAN 64, this model respectively improves the designer's claimed 43-round and 37-round trail probabilities. Moreover, in the related key setting, the DEEPAND model can make a better 140-round boomerang distinguisher (for both the data and time complexity) compared to the previous boomerang attack by Isobe et al. in ACISP 2013. In summary, DEEPAND seems to capture the underlying correlation better when multiple AND gates are at play and can be adapted to other classes of ciphers as well.

Available format(s)
Attacks and cryptanalysis
Publication info
MILPKATANTinyJAMBUSymmetric-Key Cryptanalysis
Contact author(s)
janaamit001 @ gmail com
mrahman454 @ gmail com
dhiman @ iitbhilai ac in
2023-03-02: last of 2 revisions
2022-08-29: received
See all versions
Short URL
No rights reserved


      author = {Amit Jana and Mostafizar Rahman and Dhiman Saha},
      title = {DEEPAND: In-Depth Modeling of Correlated AND Gates for NLFSR-based Lightweight Block Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1123},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.