Automatic Tool for Searching for Differential Characteristics in ARX Ciphers and Applications

Abstract

Motivated by the algorithm of differential probability calculation of Lipmaa and Moriai, we revisit the differential properties of modular addition. We propose an efficient approach to generate the input-output difference tuples with non-zero probabilities. A novel concept of combinational DDT and the corresponding construction algorithm are introduced to make it possible to obtain all valid output differences for fixed input differences. According to the upper bound of differential probability of modular addition, combining the optimization strategies with branch and bound search algorithm, we can reduce the search space of the first round and prune the invalid difference branches of the middle rounds. Applying this tool, the provable optimal differential trails covering more rounds for SPECK32/48/64 with tight probabilities can be found, and the differentials with larger probabilities are also obtained. In addition, the optimal differential trails cover more rounds than exisiting results for SPARX variants are obtained. A 12-round differential with a probability of \(2^{-54.83}\) for SPARX-64, and a 11-round differential trail with a probability of \(2^{-53}\) for SPARX-128 are found. For CHAM-64/128 and CHAM-128/*, the 39/63-round differential characteristics we find cover 3/18 rounds more than the known results respectively.

A. How to Apply to Other ARX Ciphers

For an iterated ARX cipher, assuming that there are \(N_A\) additions modulo \(2^n\) in each round, for example, \(N_A=1/2/4/1\) for SPECK/SPARX-64/SPARX-128/CHAM respectively. And the difference propagation properties of the linear layer between adjacent rounds can also be deduced, for example, as shown in Property 1/2/3/4. The following four steps demonstrate how to model the search strategy for the r-round optimal differential trail of an ARX cipher.

Step 1. Pre-compute and store cDDT. Call Program entry and gradually increase the expected probability weight \(\overline{Bw_r}\).

Step 2. Gradually increasing the probability weights \(w_i\) (\(1 \le i \le r_1\)) of each round for the front \(r_1\) rounds. Simultaneously, generating the input-output difference tuples (\(\alpha _{i,j}, \beta _{i,j}, \gamma _{i,j}\)) for each addition by \(Gen(w_{i,j})\). Where \(w_{i,j} =0\) to \(n-1\), and \(w_i = \sum _{j=1}^{N_A}w_{i,j}\). Make sure all input differences (\(\alpha _{r_1+1,j}, \beta _{r_1+1,j}\)) of each modular addition in the \((r_1+1)\)-round can be determined after the propagation. For example, \(r_1 =1/1/3\) for SPECK/SPARX/CHAM respectively.

Step 3. In the middle rounds (\(r_1 < r_m \le r\)), for each addition, splitting its input differences (\(\alpha _{r_m,j}, \beta _{r_m,j}\)) into n/m m-bit sub-blocks and verifying the pruning condition (7). Call \(Cap(\alpha _{r_m,j}, \beta _{r_m,j})\) for fine-grained pruning, and get the possible \(\gamma _{r_m,j}\) and probability weight \(w_{r_m,j}\), where \(w_{r_m} = \sum _{j=1}^{N_A}w_{r_m,j}\).

Step 4. Iteratively call Step 3 till the last round. Checking whether the expected probability weight \(\overline{Bw_r} = \sum _{s=1}^{r}w_s\) or not. If it is, record the trail and stop, otherwise the execution should continue.