Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front. Comput. Sci.    2023, Vol. 17 Issue (4) : 174808    https://doi.org/10.1007/s11704-022-2206-2
RESEARCH ARTICLE
Zero-correlation linear attack on reduced-round SKINNY
Yi ZHANG, Ting CUI, Congjun WANG
Department of Applied Mathematics, PLA SSF Information Engineering University, Zhengzhou 450000, China
Abstract

At ToSC 2019, Ankele et al. proposed a novel idea for constructing zero-correlation linear distinguishers in a related-tweakey model. This paper further clarifies this principle and gives a search model for zero-correlation distinguishers. As a result, for the first time, the authors construct 14-round and 16-round zero-correlation linear distinguishers for SKINNY-n-2n and SKINNY-n-3n, respectively, which are both two rounds longer than Ankele et al.’s. Based on these distinguishers, the paper presents related-tweakey zero-correlation linear attacks on 21-round SKINNY-n-2n and 25-round SKINNY-n-3n, respectively.

Keywords: tweakable block cipher, zero-correlation, related-tweakey, SKINNY
Corresponding Author(s): Ting CUI
About author:

* These authors contributed equally to this work.

Just Accepted Date: 06 July 2022   Issue Date: 12 December 2022
Cite this article:
Yi ZHANG, Ting CUI, Congjun WANG. Zero-correlation linear attack on reduced-round SKINNY[J]. Front. Comput. Sci., 2023, 17(4): 174808.
URL:
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-022-2206-2
https://academic.hep.com.cn/fcs/EN/Y2023/V17/I4/174808
Attacks on SKINNY-64-128

| Attack type | Rounds | Time | Data | Memory | Ref. |
|---|---|---|---|---|---|
| ZC_SK | 18 | 2^126 | 2^62.68 | 2^64 | [12] |
| ZC_RTK | 20 | 2^97.5 | 2^68.4 | 2^82 | [4] |
| ID_SK | 20 | 2^121.08 | 2^47.69 | 2^47.69 | [13] |
| ZC_RTK | 21 | 2^95 | 2^68 | 2^84 | This work |
| ID_RK | 23 | 2^125.9 | 2^62.5 | 2^124.0 | [14] |
| ID_RK | 23 | 2^79 | 2^71.4 | 2^64 | [15] |
| Rectangle_RK | 24 | 2^96.83 | 2^61.67 | 2^84 | [16] |
| Rectangle_RK | 25 | 2^118.43 | 2^61.67 | 2^64.26 | [17] |

Attacks on SKINNY-64-192

| Attack type | Rounds | Time | Data | Memory | Ref. |
|---|---|---|---|---|---|
| ID_SK | 22 | 2^183.97 | 2^47.84 | 2^74.84 | [13] |
| ZC_RTK | 23 | 2^155.6 | 2^73.2 | 2^138 | [4] |
| ZC_RTK | 25 | 2^184 | 2^76 | 2^144 | This work |
| Rectangle_RK | 27 | 2^165.5 | 2^63.5 | 2^80 | [14] |
| Rectangle_RK | 30 | 2^163.11 | 2^62.87 | 2^68.5 | [16] |
| Rectangle_RK | 31 | 2^182.07 | 2^62.87 | 2^62.79 | [17] |

Attacks on SKINNY-128-256

| Attack type | Rounds | Time | Data | Memory | Ref. |
|---|---|---|---|---|---|
| ZC_RTK | 21 | 2^185 | 2^136 | 2^168 | This work |
| ID_RK | 23 | 2^251.47 | 2^124.47 | 2^248 | [14] |
| Rectangle_RK | 25 | 2^226.38 | 2^124.48 | 2^168 | [16] |
| Rectangle_RK | 26 | 2^254.4 | 2^126.53 | 2^128.44 | [17] |

Attacks on SKINNY-128-384

| Attack type | Rounds | Time | Data | Memory | Ref. |
|---|---|---|---|---|---|
| ZC_RTK | 25 | 2^326 | 2^152 | 2^288 | This work |
| Rectangle_RK | 30 | 2^341.11 | 2^122 | 2^128.02 | [16] |
| Rectangle_RK | 32 | 2^354.99 | 2^123.54 | 2^123.54 | [17] |

Tab.1  Attack results on SKINNY

| Cipher | Attack model | Rounds | Ref. |
|---|---|---|---|
| SKINNY-64-128 | SK | 10 | [12] |
| SKINNY-64-128 | RK | 13 | [4] |
| SKINNY-64-128 | RK | 14 | [18] |
| SKINNY-64-128 | RK | 14 | This work |
| SKINNY-64-192 | SK | 10 | [12] |
| SKINNY-64-192 | RK | 15 | [4] |
| SKINNY-64-192 | RK | 16 | [18] |
| SKINNY-64-192 | RK | 16 | This work |

Tab.2  Zero-correlation linear distinguishers on SKINNY

Fig.1  Round function of SKINNY
Fig.2  Tweakey schedule of SKINNY
Fig.3  An example of evaluating mask propagation in the tweakey schedule
Fig.4  14-round distinguisher for SKINNY-n-2n: the cells’ values are colored as shown in the legend, and the cells in the red frame form the Γ sequence
Fig.5  16-round distinguisher for SKINNY-n-3n: the cells’ values are colored as shown in the legend, and the cells in the red frame form the Γ sequence

| Version | Rounds | Time | Data | Memory |
|---|---|---|---|---|
| SKINNY-64-128 | 21 | 2^95 | 2^68 | 2^84 |
| SKINNY-128-256 | 21 | 2^185 | 2^136 | 2^168 |
| SKINNY-64-192 | 25 | 2^184 | 2^76 | 2^144 |
| SKINNY-128-384 | 25 | 2^326 | 2^152 | 2^288 |

Tab.3  Result of Zero-Correlation Attacks on SKINNY

Fig.6  21-round key recovery attack: The red cells and green cells are used to compute Z15[2], while the blue cells and green cells are used to compute Z15[14]

| Guessed key | Data (Log2) | Stored texts | Memory (Log2) | Time (Log2) |
|---|---|---|---|---|
| - | 16c | X21[0,4,12], X21[1,5,13], X21[2,6,10,14], X21[3,7,11,15], ΔTK21[6], ΔTK19[4] | 16c | 16c |
| STK21[2,6] | 13c | X21[0,4,12], X21[1,5,13], Y20[6,14], X21[3,7,11,15], ΔTK19[4] | 15c | 18c |
| STK21[1,5] | 12c | X21[0,4,12], Y20[1,13], Y20[6,14], X21[3,7,11,15], ΔTK19[4] | 16c | 17c |
| STK21[3,7] | 12c | X21[0,4,12], Y20[1,13], Y20[6,14], Y20[3,7,11,15], ΔTK19[4] | 18c | 18c |
| STK21[0,4] | 12c | Y20[0,8,12], Y20[1,13], Y20[6,14], Y20[3,7,11,15], ΔTK19[4] | 20c | 20c |
| - | 12c | X20[0,12], X20[1,5,9,13], X20[6,10,14], X20[3,15], ΔTK19[4] | - | - |
| STK20[1,5] | 10c | X20[0,12], Y19[5,13], X20[6,10,14], X20[3,15], ΔTK19[4] | 20c | 22c |
| STK20[3] | 9c | X20[0,12], Y19[5,13], X20[6,10,14], Y19[15], ΔTK19[4] | 20c | 21c |
| STK20[0] | 8c | Y19[12], Y19[5,13], X20[6,10,14], Y19[15], ΔTK19[4] | 20c | 21c |
| STK20[6] | 8c | Y19[12], Y19[5,13], Y19[2,6,10], Y19[15], ΔTK19[4] | 21c | 21c |
| - | 8c | X19[4,8,12], X19[5,13], X19[2,14], ΔTK19[4] | - | - |
| STK19[4] | 5c | Y18[4], X19[5,13], X19[2,14] | 19c | 22c |
| STK19[2] | 4c | Y18[4], X19[5,13], Y18[14] | 19c | 20c |
| STK19[5] | 3c | Y18[4], Y18[9], Y18[14] | 19c | 20c |
| - | 3c | X18[7,11,15] | - | - |
| STK18[7] | c | Y17[7] | 18c | 20c |
| - | c | X17[6] | - | - |
| STK17[6] | c | Y16[2] | 19c | 19c |
| - | c | X16[2] = Z15[2] | - | - |

Tab.4  Procedure for computing Z15[2]


| Guessed key | Data (Log2) | Stored texts | Memory (Log2) | Time (Log2) |
|---|---|---|---|---|
| - | 17c | X21[0,4,8,12], X21[1,5,9,13], X21[2,6,10,14], X21[3,7,15], ΔTK21[6], ΔTK19[4] | 17c | 17c |
| STK21[2,6] | 15c | X21[0,4,8,12], X21[1,5,9,13], Y20[2,6,14], X21[3,7,15], ΔTK19[4] | 17c | 19c |
| STK21[0,4] | 13c | Y20[4,12], X21[1,5,9,13], Y20[2,6,14], X21[3,7,15], ΔTK19[4] | 17c | 19c |
| STK21[3,7] | 12c | Y20[4,12], X21[1,5,9,13], Y20[2,6,14], Y20[11,15], ΔTK19[4] | 18c | 19c |
| STK21[1,5] | 12c | Y20[4,12], Y20[1,5,9,13], Y20[2,6,14], Y20[11,15], ΔTK19[4] | 20c | 20c |
| - | 12c | X20[4,12], X20[1,5,9,13], X20[2,14], X20[7,11,15], ΔTK19[4] | - | - |
| STK20[1,5] | 10c | X20[4,12], Y19[5,13], X20[2,14], X20[7,11,15], ΔTK19[4] | 20c | 22c |
| STK20[7] | 9c | X20[4,12], Y19[5,13], X20[2,14], Y19[3,7], ΔTK19[4] | 20c | 21c |
| STK20[2] | 8c | X20[4,12], Y19[5,13], Y19[14], Y19[3,7], ΔTK19[4] | 20c | 21c |
| STK20[4] | 7c | Y19[8], Y19[5,13], Y19[14], Y19[3,7], ΔTK19[4] | 20c | 21c |
| - | 7c | X19[4], X19[6,10,14], X19[3,15], ΔTK19[4] | - | - |
| STK19[6] | 5c | X19[4], Y18[6], X19[3,15], ΔTK19[4] | 19c | 21c |
| STK19[4] | 4c | Y18[0], Y18[6], X19[3,15] | 19c | 20c |
| STK19[3] | 3c | Y18[0], Y18[6], Y18[15] | 19c | 20c |
| - | 3c | X18[0,12], X18[5] | - | - |
| STK18[0] | 2c | Y17[12], X18[5] | 19c | 20c |
| STK18[5] | 2c | Y17[12], Y17[1] | 20c | 20c |
| - | 2c | X17[1,13] | - | - |
| STK17[1] | c | Y16[13] | 20c | 21c |
| - | c | X16[14] = Z15[14] | - | - |

Tab.5  Procedure for computing Z15[14]


| Guessed key | Data (Log2) | Stored texts | Memory (Log2) | Time (Log2) |
|---|---|---|---|---|
| - | 18c | X25[0,4,8,12], X25[1,5,9,13], X25[2,6,10,14], X25[3,7,11,15], ΔTK25[3], ΔTK23[5] | 18c | 18c |
| STK25[0,1,2,3,4,5,6,7] | 17c | X24[0,4,8,12], X24[1,5,9,13], X24[2,6,10,14], X24[3,7,11,15], ΔTK23[5] | 25c | 26c |
| STK24[0,1,2,3,4,5,6,7] | 15c | X23[0,4,12], X23[1,5,13], X23[2,6,10,14], X23[3,7,11,15], ΔTK23[5] | 31c | 33c |
| - | 15c | X23[0,4,12], X23[1,5,13], X23[2,6,10,14], X23[3,7,11,15], ΔTK23[5] | - | - |
| STK23[2,6] | 13c | X23[0,4,12], X23[1,5,13], Y22[6,14], X23[3,7,11,15], ΔTK23[5] | 31c | 33c |
| STK23[1,5] | 11c | X23[0,4,12], Y22[1,13], Y22[6,14], X23[3,7,11,15] | 31c | 33c |
| STK23[3,7] | 11c | X23[0,4,12], Y22[1,13], Y22[6,14], Y22[3,7,11,15] | 33c | 33c |
| STK23[0,4] | 11c | Y22[0,8,12], Y22[1,13], Y22[6,14], Y22[3,7,11,15] | 35c | 35c |
| - | 11c | X22[0,12], X22[1,5,9,13], X22[6,10,14], X22[3,15] | - | - |
| STK22[1,5] | 9c | X22[0,12], Y21[5,13], X22[6,10,14], X22[3,15] | 35c | 37c |
| STK22[3] | 8c | X22[0,12], Y21[5,13], X22[6,10,14], Y21[15] | 35c | 36c |
| STK22[0] | 7c | Y21[12], Y21[5,13], X22[6,10,14], Y21[15] | 35c | 36c |
| STK22[6] | 7c | Y21[12], Y21[5,13], Y21[2,6,10], Y21[15] | 36c | 36c |
| - | 7c | X21[4,8,12], X21[5,13], X21[2,14] | - | - |
| STK21[4] | 5c | Y20[4], X21[5,13], X21[2,14] | 35c | 37c |
| STK21[2] | 4c | Y20[4], X21[5,13], Y20[14] | 35c | 36c |
| STK21[5] | 3c | Y20[4], Y20[9], Y20[14] | 35c | 36c |
| - | 3c | X20[7,11,15] | - | - |
| STK20[7] | c | Y19[7] | 34c | 36c |
| - | c | X19[6] | - | - |
| STK19[6] | c | Y18[2] | 35c | 35c |
| - | c | X18[2] | - | - |
| STK18[2] | c | Z17[2] | 36c | 36c |

Table A1  Procedure for computing Z17[2]


| Guessed key | Data (Log2) | Stored texts | Memory (Log2) | Time (Log2) |
|---|---|---|---|---|
| - | 19c | X25[0,4,8,12], X25[1,5,9,13], X25[2,6,10,14], X25[3,7,11,15], ΔTK25[3], ΔTK23[5], ΔTK21[6] | 19c | 19c |
| STK25[0,1,2,3,4,5,6,7] | 18c | X24[0,4,8,12], X24[1,5,9,13], X24[2,6,10,14], X24[3,7,11,15], ΔTK23[5], ΔTK21[6] | 26c | 27c |
| STK24[0,1,2,3,4,5,6,7] | 17c | X23[0,4,8,12], X23[1,5,9,13], X23[2,6,10,14], X23[3,7,15], ΔTK23[5], ΔTK21[6] | 33c | 34c |
| - | 17c | X23[0,4,8,12], X23[1,5,9,13], X23[2,6,10,14], X23[3,7,15], ΔTK23[5], ΔTK21[6] | - | - |
| STK23[0,4] | 15c | Y22[4,12], X23[1,5,9,13], X23[2,6,10,14], X23[3,7,15], ΔTK23[5], ΔTK21[6] | 33c | 35c |
| STK23[1,5] | 14c | Y22[4,12], Y22[1,5,9,13], X23[2,6,10,14], X23[3,7,15], ΔTK21[6] | 34c | 35c |
| STK23[3,7] | 13c | Y22[4,12], Y22[1,5,9,13], X23[2,6,10,14], Y22[11,15], ΔTK21[6] | 35c | 36c |
| STK23[2,6] | 12c | Y22[4,12], Y22[1,5,9,13], Y22[2,6,14], Y22[11,15], ΔTK21[6] | 36c | 37c |
| - | 12c | X22[4,12], X22[1,5,9,13], X22[2,14], X22[7,11,15], ΔTK21[6] | - | - |
| STK22[1,5] | 10c | X22[4,12], Y21[5,13], X22[2,14], X22[7,11,15], ΔTK21[6] | 36c | 38c |
| STK22[7] | 9c | X22[4,12], Y21[5,13], X22[2,14], Y21[3,7], ΔTK21[6] | 36c | 37c |
| STK22[2] | 8c | X22[4,12], Y21[5,13], Y21[14], Y21[3,7], ΔTK21[6] | 36c | 37c |
| STK22[4] | 7c | Y21[8], Y21[5,13], Y21[14], Y21[3,7], ΔTK21[6] | 36c | 37c |
| - | 7c | X21[4], X21[6,10,14], X21[3,15], ΔTK21[6] | - | - |
| STK21[6] | 4c | X21[4], Y20[6], X21[3,15] | 34c | 37c |
| STK21[3] | 3c | X21[4], Y20[6], Y20[15] | 34c | 35c |
| STK21[4] | 3c | Y20[0], Y20[6], Y20[15] | 35c | 35c |
| - | 3c | X20[0,12], X20[5] | - | - |
| STK20[0] | 2c | Y19[12], X20[5] | 35c | 36c |
| STK20[5] | 2c | Y19[12], Y19[1] | 36c | 36c |
| - | 2c | X19[1,13] | - | - |
| STK19[1] | c | Y18[13] | 36c | 37c |
| - | c | X18[14] = Z17[14] | - | - |

Table A2  Procedure for computing Z17[14]

Fig.A1  25-round key recovery attack: The red cells and green cells are used to compute Z17[2], while the blue cells and green cells are used to compute Z17[14]
1 Bogdanov A, Rijmen V. Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Designs, Codes and Cryptography, 2014, 70(3): 369–383
2 Bogdanov A, Wang M. Zero correlation linear cryptanalysis with reduced data complexity. In: Proceedings of the 19th International Workshop on Fast Software Encryption. 2012, 29–48
3 Bogdanov A, Leander G, Nyberg K, Wang M. Integral and multidimensional linear distinguishers with correlation zero. In: Proceedings of the 18th International Conference on the Theory and Application of Cryptology and Information Security. 2012, 244–261
4 Ankele R, Dobraunig C, Guo J, Lambooij E, Leander G, Todo Y. Zero-correlation attacks on tweakable block ciphers with linear Tweakey expansion. IACR Transactions on Symmetric Cryptology, 2019, 2019(1): 192–235
https://doi.org/10.13154/tosc.v2019.i1.192-235
5 Gu Z, Li H, Khan S, Deng L, Du X, Guizani M, Tian Z. IEPSBP: a cost-efficient image encryption algorithm based on parallel chaotic system for green IoT. IEEE Transactions on Green Communications and Networking, 2022, 6(1): 89–106
https://doi.org/10.1109/TGCN.2021.3095707
6 Li H, Gu Z, Deng L, Han Y, Yang C, Tian Z. A fine-grained video encryption service based on the cloud-fog-local architecture for public and private videos. Sensors, 2019, 19(24): 5366
https://doi.org/10.3390/s19245366
7 Beierle C, Jean J, Kölbl S, Leander G, Moradi A, Peyrin T, Sasaki Y, Sasdrich P, Sim S M. The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Proceedings of the 36th Annual International Cryptology Conference. 2016, 123–153
8 Liskov M, Rivest R L, Wagner D. Tweakable block ciphers. Journal of Cryptology, 2011, 24(3): 588–613
9 Jean J, Nikolić I, Peyrin T. Tweaks and keys for block ciphers: the TWEAKEY framework. In: Proceedings of the 20th International Conference on the Theory and Application of Cryptology and Information Security. 2014, 274–288
10 Iwata T, Khairallah M, Minematsu K, Peyrin T. Remus v1.0. Submission to NIST Lightweight Cryptography Project. See Csrc.nist.gov/projects/lightweight-cryptography/round-1-candidates website, 2019
11 Iwata T, Khairallah M, Minematsu K, Peyrin T. Romulus v1.0. Submission to NIST Lightweight Cryptography Project. See Csrc.nist.gov/projects/lightweight-cryptography/round-1-candidates website, 2019
12 Sadeghi S, Mohammadi T, Bagheri N. Cryptanalysis of reduced round skinny block cipher. IACR Transactions on Symmetric Cryptology, 2018, 2018(3): 124–162
13 Tolba M, Abdelkhalek A, Youssef A M. Impossible differential cryptanalysis of reduced-round SKINNY. In: Proceedings of the 9th International Conference on Cryptology in Africa. 2017, 117–134
14 Liu G, Ghosh M, Song L. Security analysis of skinny under related-Tweakey settings. IACR Transactions on Symmetric Cryptology, 2017, 2017(3): 37–72
15 Ankele R, Banik S, Chakraborti A, List E, Mendel F, Sim S M, Wang G. Related-key impossible-differential attack on reduced-round SKINNY. In: Proceedings of the 15th International Conference on Applied Cryptography and Network Security. 2017, 208–228
16 Qin L, Dong X, Wang X, Jia K, Liu Y. Automated search oriented to key recovery on ciphers with linear key schedule: applications to boomerangs in SKINNY and ForkSkinny. IACR Transactions on Symmetric Cryptology, 2021, 2021(2): 249–291
17 Dong X, Qin L, Sun S, Wang X. Key guessing strategies for linear key-schedule algorithms in rectangle attacks. In: Proceedings of the 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2022, 3–33
18 Niu C, Li M, Sun S, Wang M. Zero-correlation linear cryptanalysis with equal treatment for plaintexts and Tweakeys. In: Proceedings of Cryptographers’ Track at the RSA Conference. 2021, 126–147
19 Daemen J, Govaerts R, Vandewalle J. Correlation matrices. In: Proceedings of the 2nd International Workshop on Fast Software Encryption. 1994, 275–285
20 Biham E. On Matsui’s linear cryptanalysis. In: Proceedings of Workshop on the Theory and Application of Cryptographic Techniques. 1994, 341–355
21 Kranz T, Leander G, Wiemer F. Linear cryptanalysis: key schedules and tweakable block ciphers. IACR Transactions on Symmetric Cryptology, 2017, 2017(1): 474–505
22 Rijmen V. Cryptanalysis and design of iterated block ciphers. Doctoral Dissertation, KU Leuven, 1997
23 Galice S, Minier M. Improving integral attacks against rijndael-256 up to 9 rounds. In: Proceedings of the 1st International Conference on Cryptology in Africa. 2008, 1–15
24 Sun B, Liu Z, Rijmen V, Li R, Cheng L, Wang Q, AlKhzaimi H, Li C. Links among impossible differential, integral and zero correlation linear cryptanalysis. In: Proceedings of the 35th Annual Cryptology Conference. 2015, 95–115
25 Hadipour H, Sadeghi S, Eichlseder M. Finding the impossible: automated search for full impossible-differential, zero-correlation, and integral attacks. In: Proceedings of the 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques. 2023, 128–157