Computing the Differential Probability of a Word-Based Block Cipher

Abstract

Differential cryptanalysis is one of the fundamental cryptanalysis techniques to evaluate the security of the block cipher. In many cases, resistance to differential cryptanalysis is proven through the upper bound of the differential characteristic probability, not the differential probability. Since the attacker uses a differential rather than a differential characteristic, resistance based on a differential characteristic tends to overestimate the security level of the block cipher. Such an overestimation is notably observed in lightweight block ciphers SKINNY, Midori, and CRAFT. In this paper, we examine the gap between the differential characteristics and the differential probability of lightweight block ciphers. We present practical methods for computing differential probability using a multistage graph. Using these methods, we count the exact number of maximum differential characteristics with fixed plaintext/ciphertext difference and activity pattern. By the exact number of maximum differential characteristics, we can calculate the probability that is closer to the real differential probability. In addition, by modifying the method, we compute a more accurate differential probability by considering the characteristics of the lower probability. We find differential distinguishers of 9-round Midori64 with probability $2^{-61.58}$, 9-round SKINNY64 with $2^{-58.67}$ and 14-round CRAFT with $2^{-60.32}$. Furthermore, we find a related-tweakey differential distinguisher of 11-round SKINNY64-64 with $2^{-55.93}$ and a related-tweak differential distinguisher of 17-round CRAFT with probability $2^{-63.37}$. Finally, we explain why these gaps are notable in Midori64, SKINNY64 and CRAFT by relating the S-box differential distribution table.

1. Introduction

From Biham and Shamir in 1990 [1], differential cryptanalysis has become one of the fundamental cryptanalysis techniques of block ciphers. The main idea of differential cryptanalysis is to distinguish between a block cipher and a random permutation by checking whether the ciphertext difference is related to the plaintext difference.

The prior goal of differential cryptanalysis is to find a pair of plaintext and ciphertext differences with high probability. Many studies have been proposed to find differential pairs [2,3,4], and automatic search using off-the-shelf solvers to the modeled problem [5,6,7,8] has recently received attention.

Most of the block ciphers are provided with differential cryptanalysis of the ciphers. However, its resistance to differential cryptanalysis is sometimes proved by computing an upper bound of a single differential characteristic probability rather than a differential. Since differential cryptanalysis uses differential while ignoring intermediate values, the resistance may be overestimated if there is a significant gap between the differential probability and the differential characteristic probability. This phenomenon is noticeable in the lightweight block ciphers Midori64 [9], SKINNY64 [10], and CRAFT [11].

Finding a differential and computing a more accurate differential probability is a fundamental goal of differential cryptanalysis. A basic method to compute the differential probability is to find all the differential characteristics and to sum up the characteristic probabilities. However, finding all differential characteristics for a given differential is infeasible. In our research, instead of trying to find all the differential characteristics, we find some differential characteristics with a fixed activity pattern using a multistage graph. For a given differential, we construct a multistage graph in which the path from the source to the sink is equivalent to a differential characteristic. Using the graph, we can count the number of paths from source to sink, that is, the number of differential characteristics, and we can compute a more accurate differential probability.

1.1. Previoust Work

To find a differential characteristic with high probability, several algorithms have been proposed. The branch-and-bound algorithm of Matsui [4] that finds the differential characteristic of DES-like ciphers recursively searches for the best characteristic of $\mathrm{i}$ rounds based on the best characteristics of $i-1$ rounds. Based on the branch-and-bound algorithm, an improved algorithm [2], which reduces the search space using a pre-search technique, and a related-key differential characteristic search algorithm [3] are proposed.

Recently, several automatic methods to find a differential characteristic using off-the-shelf solvers such as Mixed Integer Linear Programming (MILP), Boolean satisfiability problem (SAT) and Satisfiability Modulo Theories (SMT) have been proposed. From the method by Mouha et al. [8] that counts the number of active S-boxes using the MILP solver, many methods using off-the-shelf solvers are proposed, such as [5,7,12], and are used to show the resistance of block cipher Midori, SKINNY and CRAFT to differential cryptanalysis [9,10,11]. These methos model differential propagation in block ciphers as a specific problem in order to find a solution using MILP, SAT or SMT solvers. A detailed comparison of differential cryptanalysis with MILP, SAT and SMT is also presented [13].

There are also studies on the differential beyond the differential characteristic of a block cipher. Methods using off-the-shelf solvers can be easily extended to find a collection of differential characteristics with a fixed plaintext/ciphertext difference. From the results of the above methods, the differential probabilities of Salsa-20 [14], SIMON [15], SPECK, LEA [6], and PRINCE, QARMA [16] are computed. In addition, there is a study using the SMT solver to find differential probabilities of SKINNY and Midori [17].

Other proposed methods are to find a truncated differential characteristic and then compute the differential probability by multiplying a transition probability matrix. These methods are used to find differential probabilities for TWINE [18], PRINCE [19], LAC [20] and CRAFT [21]. In addition, the method using a subgraph of a multistage graph representing all differential characteristics [22] and the meet-in-the-middle method [23,24] using a cluster made by forward and backward search are also proposed.

1.2. Contributions

In this paper, we present practical algorithms to compute differential probabilities using a multistage graph based on the meet-in-the-middle method using a cluster in [23]. We consider the differential characteristics with a fixed activity pattern of Substitution Permutation Network (SPN) structure block ciphers. We construct a multistage graph from the vertex of plaintext difference to the vertex of ciphertext difference. By the graph, we can count the exact number of maximum probability differential characteristics of a given activity pattern. Moreover, we show generalized algorithms to consider characteristics of lower probability than maximum probability. The algorithms presented in this paper run practically on a personal computer, even for full rounds of a block cipher.

Using our method, we present a differential distinguisher for 9-round Midori64 with probability $2^{-61.58}$, 9-round SKINNY64 with probability $2^{-59.33}$ and 14-round CRAFT with probability $2^{-60.32}$. Compared to previous works, we present differential distinguishers for Midori64 and SKINNY64 that are one round longer. Furthermore, we present the related-tweakey differential distinguisher with probability $2^{-55.93}$ and the related-tweak differential distinguisher with probability $2^{-63.37}$. We find that the gap between the differential probability and the differential characteristic probability is $2^{20.42}$ for Midori64, $2^{22.67}$ for SKINNY64 and $2^{43.68}$ for CRAFT. These large gaps indicate that it is not appropriate for block cipher designers to consider only a single differential characteristic to show resistance to differential cryptanalysis.

Our algorithms are applicable to block ciphers with S-boxes and word-based diffusion layers. But the gaps between differential and characteristic probability are noticeably large in only Midori64, SKINNY64, and CRAFT. We also explain the large gaps that occur in these block ciphers by relating it to the weak diffusion layer and the S-boxes of block ciphers.

1.3. Outline

In Section 2, we introduce some background on differential cryptanalysis. In Section 3, we show that there are a lot of characteristics with fixed difference using the SAT solver. In Section 4, we show algorithms for computing the differential probability by counting the characteristics using graphs. The results of our algorithms and the discussion are given in Section 5.

2. Preliminaries

A block cipher $E$ is a function of ${\mathbb{F}}_2^k\times {\mathbb{F}}_2^n$ to ${\mathbb{F}}_2^n$ by $E\left(K,P\right)=C$ where $E_K≔E(K,\cdot )$ is a permutation of ${\mathbb{F}}_2^n$. $K$ is called the $k$-bit key, and $P$, $C$ are called the $n$-bit plaintext, ciphertext. Most block ciphers are classified as iterated block ciphers that are decomposed into $r$ simple round functions.

$$E_K\left(P\right)=f_r\circ f_{r-1}\circ \dots \circ f_1\left(P\right)$$

(1)

In many ciphers, the $n$-bit input of the round function is separated into $m$ words of $s$-bit each, where $n=m\cdot s$. In this paper, we focus on the cipher in which the non-linear part of the round function is composed of 4-bit S-boxes, i.e., $s=4$. We denote $X_i$ as the output of the round function $f_i$, which is also the input of $f_{i+1}$. The $j$-th word of $X$ is denoted by $X\left[j\right]$. And we denote ${\mathcal{S}}_i$ as the $i$-th round of the S layer, $Y_i$ as the output of ${\mathcal{S}}_i$ and ${\mathcal{L}}_i$ as the $i$-th round of the linear layer.

2.1. Description of Midori64

Midori [9] is a family of lightweight block ciphers proposed in 2015, designed for efficient hardware implementations. There are two variants: Midori64 and Midori128. Midori64 employs a 64-bit block, and Midori128 employs a 128-bit block. Both employ a 128-bit key. Since we focus on Midori64 rather than Midori128, we discard the description of Midori128.

In Modori64, the 64-bit plaintext $P=\left(p\left[0\right],\dots ,p\left[15\right]\right)$ is presented as

$$P=\left[\begin{array}{cccc}p\left[0\right]& p\left[4\right]& p\left[8\right]& p\left[12\right]\\ p\left[1\right]& p\left[5\right]& p\left[9\right]& p\left[13\right]\\ p\left[2\right]& p\left[6\right]& p\left[10\right]& p\left[14\right]\\ p\left[3\right]& p\left[7\right]& p\left[11\right]& p\left[15\right]\end{array}\right]$$

(2)

The encryption process of Midori64 is described in Algorithm 1.

Algorithm 1. Encryption process of Midori64

Input: 64-bit $\mathrm{plaintext} P$, 128-bit $\mathrm{key} K$ Output: 64-bit $\mathrm{ciphertext} C$ $\mathbf{Procedure} \mathrm{Midori}64\_\mathrm{enc}\left(P,K\right)$ $1. K_0\parallel K_1\leftarrow K$ $2. X_0\leftarrow P\oplus K_0\oplus K_1$ $3. \mathrm{For} i=0$$\mathrm{to} 14$      3-1. $\mathrm{For} j=0$$\mathrm{to} 15$$Y_i\left[j\right]\leftarrow \mathrm{Sbox}\left[X_i\left[j\right]\right]$      3-2. $S=\left(s\left[0\right],\dots ,s\left[15\right]\right)\leftarrow (Y_i\left[0\right],Y_i\left[10\right],Y_i\left[5\right],Y_i\left[15\right],Y_i\left[14\right],Y_i\left[4\right],Y_i\left[11\right],Y_i\left[1\right]$                                               $,Y_i\left[9\right],Y_i\left[3\right],Y_i\left[12\right],Y_i\left[6\right],Y_i\left[7\right],Y_i\left[13\right],Y_i\left[2\right],Y_i\left[8\right])$      3-3. $\mathrm{For} j=0,4,8,12$           ${\left(s\left[j\right],s\left[j+1\right],s\left[j+2\right],s\left[j+3\right]\right)}^t\leftarrow \left(\begin{array}{cccc}0& 1& 1& 1\\ 1& 0& 1& 1\\ 1& 1& 0& 1\\ 1& 1& 1& 0\end{array}\right)\cdot {\left(s\left[j\right],s\left[j+1\right],s\left[j+2\right],s\left[j+3\right]\right)}^t$      3-4. $X_{i+1}\leftarrow S\oplus K_{i\mathrm{mod}2}\oplus {\alpha }_i$ $4. \mathrm{For} j=0$ to $15$$Y_{15}\left[j\right]\leftarrow \mathrm{Sbox}\left[X_{15}\left[j\right]\right]$ $5. C\leftarrow Y_{15}\oplus K_0\oplus K_1$ $6. \mathrm{return} C$

The S-box of Midori64 is given in

Table 1. Midori64 S-box in hexadecimal form.

$\mathit{x}$	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
$\mathrm{Sbox}\left[x\right]$	c	a	d	3	e	b	f	7	8	9	1	5	0	2	4	6

. The constant ${\alpha }_i$ used in key addition has no impact on differential cryptanalysis; no further explanation is given here.

2.2. Description of SKINNY64

SKINNY [10] is a tweakable lightweight block cipher proposed in 2016. Like the Midori block cipher, there are two variants: SKINNY64 and SKINNY128. SKINNY64 employs a 64-bit block, and SKINNY128 employs a 128-bit block. Since SKINNY follows the tweakey framework [25], SKINNY takes a unified tweakey input, which integrates the key and the tweak without distinguishing between them. The way of constructing the tweakey is flexible. For a block size $n$(64 or 128), there are three options for tweakey size: $n, 2n, 3n$. Since we focus on SKINNY64, we discard the description of SKINNY128.

In SKINNY, the 64-bit plaintext $P=\left(p\left[0\right],\dots ,p\left[15\right]\right)$ is presented as

$$P=\left[\begin{array}{cccc}p\left[0\right]& p\left[1\right]& p\left[2\right]& p\left[3\right]\\ p\left[4\right]& p\left[5\right]& p\left[6\right]& p\left[7\right]\\ p\left[8\right]& p\left[9\right]& p\left[10\right]& p\left[11\right]\\ p\left[12\right]& p\left[13\right]& p\left[14\right]& p\left[15\right]\end{array}\right]$$

(3)

The encryption process of SKINNY64 is described in Algorithm 2.

Algorithm 2. Encryption process of SKINNY64

Input: 64-bit $\mathrm{plaintext} P$, $\mathrm{tweakey} TK$, $\mathrm{Size} \mathrm{of} \mathrm{tweakey} n$ Output: 64-bit $\mathrm{ciphertext} C$ $\mathbf{Procedure} \mathrm{SKINNY}64\_\mathrm{enc}\left(P,TK,n\right)$ $1. \mathrm{If} n=64$$R=32$ $\mathrm{If} n=128$$R=36$ $\mathrm{If} n=192$$R=40$ $2. RT{K}_{1, \dots ,R}\leftarrow tweakeySchedule(TK,R)$ $3. X_0\leftarrow P$ $4. \mathrm{For} i=0$$\mathrm{to} R-1$       4-1. $\mathrm{For} j=0$$\mathrm{to} 15$ $Y_i\left[j\right]\leftarrow \mathrm{Sbox}\left[X_i\left[j\right]\right]$       4-2. $S\leftarrow Y_i\oplus c_i$       4-3. $S\left[0,\dots ,7\right]\leftarrow S\left[0,\dots ,7\right]\oplus RT{K}_i\left[0,\dots ,7\right]$       4-4. $S\left[4,5,6,7\right]\leftarrow S\left[7,4,5,6\right]$       4-5. $S\left[8,9,10,11\right]\leftarrow S\left[10,11,8,9\right]$       4-6. $S\left[12,13,14,15\right]\leftarrow S\left[13,14,15,12\right]$       4-7. $\mathrm{For} j=0$$\mathrm{to} 3$              ${\left(s\left[j\right],s\left[j+4\right],s\left[j+8\right],s\left[j+12\right]\right)}^t\leftarrow \left(\begin{array}{cccc}1& 0& 1& 1\\ 1& 0& 0& 0\\ 0& 1& 1& 0\\ 1& 0& 1& 0\end{array}\right)\cdot {\left(s\left[j\right],s\left[j+4\right],s\left[j+8\right],s\left[j+12\right]\right)}^t$       4-8. $X_{i+1}\leftarrow S$ $5. C\leftarrow X_R$ $6. \mathrm{return} C$

The S-box of SKINNY64 is given in

Table 2. SKINNY64 S-box in hexadecimal form.

$\mathit{x}$	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
$\mathrm{Sbox}\left[x\right]$	c	6	9	0	1	a	2	b	3	8	5	d	4	e	7	f

. In this paper, we omit the detailed explanation of the tweakey schedule and the constants $c_i$.

2.3. Description of CRAFT

CRAFT [11] is a tweakable lightweight block cipher proposed in 2019. CRAFT is designed to provide security against Differential Fault Analysis as a method of side-channel attack. CRAFT takes a 64-bit block plaintext, a 128-bit key and a 64-bit tweak. The plaintext $P=\left(p\left[0\right],\dots ,p\left[15\right]\right)$ of CRAFT is presented in the same way as in SKINNY.

$$P=\left[\begin{array}{cccc}p\left[0\right]& p\left[1\right]& p\left[2\right]& p\left[3\right]\\ p\left[4\right]& p\left[5\right]& p\left[6\right]& p\left[7\right]\\ p\left[8\right]& p\left[9\right]& p\left[10\right]& p\left[11\right]\\ p\left[12\right]& p\left[13\right]& p\left[14\right]& p\left[15\right]\end{array}\right]$$

(4)

The encryption process of CRAFT is described in Algorithm 3. The linear layer of CRAFT is very simple: it involves only XORing the third row to the first and the third and fourth rows to the second.

The S-box of CRAFT is the same as the Midori64 S-box given in Table 1. In this paper, we omit the detailed explanation of the constants $a_i$ and $b_i$, because they have no impact on differential cryptanalysis.

Algorithm 3. Encryption process of CRAFT

Input: 64-bit $\mathrm{plaintext} P$, 128-bit $\mathrm{key} K$, 64-bit $\mathrm{tweak} T$ Output: 64-bit $\mathrm{ciphertext} C$ $\mathbf{Procedure} \mathrm{CRAFT}\_\mathrm{enc}\left(P,K,T\right)$ $1. K_0\parallel K_1\leftarrow K$ $2. QT\leftarrow (T\left[12\right],T\left[10\right],T\left[15\right],T\left[5\right],T\left[14\right],T\left[8\right],T\left[9\right],T\left[2\right]$ $,T\left[11\right],T\left[3\right],T\left[7\right],T\left[4\right],T\left[6\right],T\left[0\right],T\left[1\right],T\left[13\right])$ $3. T{K}_0,T{K}_1,T{K}_2,T{K}_3\leftarrow K_0\oplus T, K_1\oplus T,K_0\oplus QT,K_1\oplus QT$ $4. X_0\leftarrow P$ $5. \mathrm{For} i=0$$\mathrm{to} 30$       5-1. $S\leftarrow X_i$       5-2. $\mathrm{For} j=0$$\mathrm{to} 3$       ${\left(s\left[j\right],s\left[j+4\right],s\left[j+8\right],s\left[j+12\right]\right)}^t\leftarrow \left(\begin{array}{cccc}1& 0& 1& 1\\ 0& 1& 0& 1\\ 0& 0& 1& 0\\ 0& 0& 0& 1\end{array}\right)\cdot {\left(s\left[j\right],s\left[j+4\right],s\left[j+8\right],s\left[j+12\right]\right)}^t$       5-3. $s\left[4\right]\leftarrow s\left[4\right]\oplus a_i$               $s\left[5\right]\leftarrow s\left[5\right]\oplus b_i$       5-4. $S\leftarrow S\oplus T{K}_{i\mathrm{mod}4}$       5-5. $S\leftarrow (S\left[15\right],S\left[12\right],S\left[13\right],S\left[14\right],S\left[10\right],S\left[9\right],S\left[8\right],S\left[11\right]$ $,S\left[6\right],S\left[5\right],S\left[4\right],S\left[7\right],S\left[1\right],S\left[2\right],S\left[3\right],S\left[0\right])$       5-6. $\mathrm{For} j=0$ $\mathrm{to} 15$ $Y_i\left[j\right]\leftarrow \mathrm{Sbox}\left[S\left[j\right]\right]$       5-7. $X_{i+1}\leftarrow Y_i$ $6. \mathrm{For} j=0$$\mathrm{to} 3$          ${\left(X_{31}\left[j\right],X_{31}\left[j+4\right],X_{31}\left[j+8\right],X_{31}\left[j+12\right]\right)}^t\leftarrow \left(\begin{array}{cccc}1& 0& 1& 1\\ 0& 1& 0& 1\\ 0& 0& 1& 0\\ 0& 0& 0& 1\end{array}\right)\cdot {\left(X_{31}\left[j\right],X_{31}\left[j+4\right],X_{31}\left[j+8\right],X_{31}\left[j+12\right]\right)}^t$ $7. X_{31}\left[4\right]\leftarrow X_{31}\left[4\right]\oplus a_{31}$     $X_{31}\left[5\right]\leftarrow X_{31}\left[5\right]\oplus b_{31}$ $8. C\leftarrow X_{31}\oplus T{K}_3$ $9. \mathrm{return} C$

2.4. Differential Cryptoanalysis

Differential cryptanalysis is one of the fundamental cryptanalysis for block ciphers, and there are many variations such as higher order differential [26], impossible differential [27], Boomerang [28], etc. Below, we introduce some notation and briefly describe differential cryptanalysis.

The differential of a function $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^n$ is a pair of input and output differences $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_r\right)\in {\mathbb{F}}_2^n\times {\mathbb{F}}_2^n$, and the differential probability is the probability that the difference of $f\left(X\right)$ and $f\left(X\oplus \mathsf{\Delta }{X}_0\right)$ is equal to $\mathsf{\Delta }{X}_r$., i.e.,

$$\mathrm{Pr}\left(\mathsf{\Delta }{X}_0\stackrel{f}{\to }\mathsf{\Delta }{X}_r\right)={\displaystyle \frac{\left|\left\{X\in {\mathbb{F}}_2^n|f\left(X\right)\oplus f\left(X\oplus \mathsf{\Delta }{X}_0\right)=\mathsf{\Delta }{X}_r\right\}\right|}{2^n}}$$

(5)

We say $\mathsf{\Delta }{X}_0$ propagates to $\mathsf{\Delta }{X}_r$ through $f$ with probability $\mathrm{Pr}\left(\mathsf{\Delta }{X}_0{\to }^f\mathsf{\Delta }{X}_r\right)$.

The attacker is trying to distinguish whether the oracle $O$ is the fixed-key block cipher $E_K$ or random permutation $R$ using differential $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_r\right)$. He randomly chooses a plaintext $P$ and checks that the following equation holds

$$O\left(P\right)\oplus O\left(P\oplus \mathsf{\Delta }{X}_0\right)=\mathsf{\Delta }{X}_r$$

(6)

If $\mathrm{Pr}\left(\mathsf{\Delta }{X}_0{\to }^{E_K}\mathsf{\Delta }{X}_r\right)\gg 2^{-n}$, the attacker can distinguish whether the oracle is the block cipher $E_K$ or random permutation $R$ because $\mathrm{Pr}\left(\mathsf{\Delta }{X}_0{\to }^R\mathsf{\Delta }{X}_r\right)$ is always $2^{-n}$. In general, it is computationally infeasible to compute the differential probability of a block cipher. Therefore, in many cases, the differential characteristic probability is considered to approximate the differential probability.

The differential characteristic of $r$-round block cipher is a sequence of differences $\left(\Delta X_0,\dots ,\Delta X_r\right)\in {\left({\mathbb{F}}_2^n\right)}^{r+1}$, and the differential characteristic probability is the probability that the difference in every $i$-round function of $E_K\left(X\right)$ and $E_K\left(X\oplus \mathsf{\Delta }{X}_0\right)$ is equal to $\mathsf{\Delta }{X}_i$. i.e.,

$$\mathrm{Pr}\left(\Delta X_0\stackrel{f_1}{\to }\dots \stackrel{f_r}{\to }\Delta X_r\right)={\displaystyle \frac{\left|\left\{X\in {\mathbb{F}}_2^n|f_i\circ \dots \circ f_1\left(X\right)\oplus f_i\circ \dots \circ f_1\left(X\oplus \Delta X_0\right)=\Delta X_i,\forall i\right\}\right|}{2^n}}$$

(7)

Under the assumption that the round keys of a block cipher are independent [29], the probability of differential characteristic is easy to compute by multiplying the propagation probabilities of the S-boxes. We say that the S-box is active if the input difference of the S-box is non-zero and define the activity pattern $\delta =\left({\delta }_1,\dots ,{\delta }_r\right)\in {\left({\mathbb{F}}_2^m\right)}^r$ as a vector in which each position indicates an active S-box. And we define the maximum differential characteristic that is a differential characteristic that every difference propagates through the 4-bit S-box with probability $2^{-2}$.

3. Computing Differential Probability Using SAT Solver

Before computing the differential probability, we need to find some differential characteristics. To find differential characteristics using the SAT solver, we model the differential propagation of the block cipher to the SAT problem and obtain the solution using the off-the-shelf SAT solver. The method for modeling the differential propagation of the block cipher is given in the studies of [5,7]. We use the totalizer encoding [30] to model the cardinality constraint on the SAT problem rather than the Sinz encoding [31] because it is empirically solved faster. Throughout our research, all of the results were obtained using a personal computer equipped with an AMD Ryzen 5 1600 CPU, 16 GB of RAM, and Ubuntu 18.04. And to solve SAT problems, we used the off-the-shelf SAT solver cryptominisat5 [32].

To compute the differential probability, we first obtain the best differential characteristic $\left(\mathsf{\Delta }{X}_0,\dots ,\mathsf{\Delta }{X}_r\right)$ with probability $2^{-l}$. Next, we add constraints to the SAT problem that fix the plaintext, ciphertext differences. Since finding all differential characteristics is infeasible, we also add constraints that restrict the probability between $2^{-l}$ and $2^{-k}$ for some $k\ge l$.

For block cipher PRESENT [33], we obtain the best 15-round differential characteristic with probability $2^{-66}$ whose plaintext and ciphertext difference $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_{15}\right)$ are

$$\left(000\mathrm{F}00000000000\mathrm{F}, 0404040400000000\right)$$

(8)

Then, we find all the differential characteristics that satisfy the above difference with probability from $2^{-79}$ to $2^{-66}$. The result with a running time of 5.06 h on a personal computer is given in

Table 3. The number of PRESENT 15-round characteristics ($\#char)$ with probability ($Pro$) from $2^{-79}$ to $2^{-66}$ of differential (000F00000000000F, 0404040400000000).

$Pro$	$2^{-66}$	$2^{-67}$	$2^{-68}$	$2^{-69}$	$2^{-70}$	$2^{-71}$	$2^{-72}$
$\#Char$	24	0	234	3	1051	57	3043
$Pro$	$2^{-73}$	$2^{-74}$	$2^{-75}$	$2^{-76}$	$2^{-77}$	$2^{-78}$	$2^{-79}$
$\#Char$	470	6564	2217	11622	6982	18859	16677

. The lower bound of the 15-round PRESENT differential probability is $2^{-58.02}$ by summing all the differential characteristic probabilities.

For the block cipher SKINNY64, we obtain the best 10-round differential characteristic with probability $2^{-92}$ whose plaintext and ciphertext difference $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_{10}\right)$ are

$$\left(0400000400040040,0110011001010010\right)$$

(9)

To compute the differential probability, we find all the characteristics of $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_{10}\right)$ with probability $2^{-92}$. The result is that there are 670,000 characteristics. Moreover, even after fixing the activity pattern, we obtained the same result. And for a 12-round differential characteristic whose plaintext and ciphertext difference $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_{10}\right)$ are

$$\left(0000000000000400,0600000006000600\right)$$

(10)

with probability $2^{-110}$, there are more than 1,000,000 characteristics. The result of SKINNY64 is significantly different from the result of PRESENT. Moreover, it is also significantly different from [17], which said that there are only 62,382 characteristics for the 12-round differential. This result became the motivation to count the number of differential characteristics using the graphs described in the next section.

4. Computing Differential Probability Using Graph

Since finding all characteristics using the SAT solver is time consuming, we used another approach using a graph based on the meet-in-the-middle approach in [23]. In this section, we focus on the block cipher in which the linear layer of round function consists of a word-based diffusion layer. Since a linear layer without a preceding S-layer is ineffective in differential cryptanalysis, we consider that the round function performs the S-layer first, that is, $f_i={\mathcal{L}}_i\circ {\mathcal{S}}_i$.

First, we find a maximum differential characteristic $\left(\mathsf{\Delta }{X}_0,\dots ,\mathsf{\Delta }{X}_r\right)$ by automatic search and obtain the activity pattern $\delta =\left({\delta }_1,\dots ,{\delta }_r\right)$. We focus on the characteristics of differential $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_r\right)$ following the same activity pattern δ.

We introduce some graph notations. A directed graph $G=\left(V,E\right)$ is a pair of sets, where $V$ is a set of vertices and $E=\left\{\left(u,v\right)\right|u\ne v\in V\}\subset V\times V$ is a set of directed edges. A path $P=\left(V^{\prime },E^{\prime }\right)$ in $G$ is a non-empty subgraph of $G$ with the form $V\prime =\{v_1,v_2,\dots ,v_k\}$, $E^{\prime }=\left\{\left(v_1,v_2\right),\left(v_2,v_3\right),\dots ,\left(v_{k-1},v_k\right)\right\}$ where the $v_i$ are all distinct. We denote a path from a vertex $u$ to a vertex $v$ by $\left(u⟹v\right)$. We focus on a special type of directed graph, called a multistage graph. The multistage graph $G=(V,E)$ is a directed graph where the vertex set $V$ is partitioned in $V_0,\dots ,V_k$ which, if $\left(u,v\right)$ is in $E$, then $u\in V_i$ and $v\in V_{i+1}$ for some $0\le i<k$ and $\left|V_0\right|=\left|V_k\right|=1$. The vertex in $V_0$ is called the source $s$ and the vertex in $V_k$ is called the sink $t$.

4.1. Counting the Maximum Differential Characteristics

We present our methods to count the number of maximum differential characteristics following an activity pattern $\delta$ with a given differential $\left(\mathsf{\Delta }{X}_0,\mathsf{\Delta }{X}_r\right)$. If the number of specific differential characteristics can be counted, we can compute a lower bound on the differential probability. The main idea is to construct a multistage graph such that the vertex set $V_i$ contains the vertex $v$ representing the difference of $i$-round function and count the number of paths $\left(\mathsf{\Delta }{X}_0\Rightarrow \mathsf{\Delta }{X}_r\right)$.

For a given plaintext and ciphertext difference $\mathsf{\Delta }{X}_0$, $\mathsf{\Delta }{X}_r$ and activity pattern $\delta$, we initialize a multistage graph $G$ with $V_0=\left\{\mathsf{\Delta }{X}_0\right\}$, $V_r=\left\{\mathsf{\Delta }{Y}_r\right\}$ where $\mathsf{\Delta }{Y}_r={\mathcal{L}}_r^{-1}\left(\mathsf{\Delta }{X}_r\right)$. We set $V_i=\mathrm{\varnothing }$ for $0<i<r$ and edge set $E=\mathrm{\varnothing }$. The construction graph shown in Figure 1 consists of three parts: forward generation, backward generation, and match.

4.1.1. Forward Generation

In the forward generation part, the vertices of $V_i$ are the output difference of the round function $f_i$. We generate the vertices of $V_i$ that are propagated from the vertex in $V_{i-1}$ through $f_i$ with probability $2^{-2}$ for every active S-box and satisfy the activity pattern ${\delta }_{i+1}$. We also generate the edge $\left(u,v\right)$ from $V_{i-1}$ to $V_i$ if $u$ propagates to $v$ with maximum probability. We check whether it is impossible for the vertex $v$ to propagate to a vertex in the next round with probability $2^{-2}$ per active S-box. If then, since there is no path from the source to the sink through $v$, we disregard $v$. The forward generation algorithm is described in Algorithm 4. The set $\mathcal{F}{\mathcal{M}}_{S,\mathsf{\Delta }X}$ is a set of output differences that are propagated from $\mathsf{\Delta }X$ through S-box $S$ with probability $2^{-2}$, i.e.,

$$\mathcal{F}{\mathcal{M}}_{S,\mathsf{\Delta }X}=\left\{\mathsf{\Delta }Y\in {\mathbb{F}}_2^4|\mathrm{Pr}\left(\mathsf{\Delta }X\stackrel{S}{\to }\mathsf{\Delta }Y\right)=2^{-2}\right\}$$

(11)

Algorithm 4. Forward generation from $V_0$ to $V_{⌊r/2⌋}$

Input: round $r$, graph $G$, activity pattern $\delta =\left({\delta }_1,\dots ,{\delta }_r\right)$ Output: graph $G$ Procedure $\mathrm{ForwardGeneration}\left(r,G,\delta \right)$ 1. for $i\leftarrow 1$ to $⌊r/2⌋$     1-1. for $u\in V_{i-1}$        1-1-1. $\mathrm{ForwardPropagation}\left(u,V_i,{\delta }_{i+1},E\right)$ 2. return $G$ Procedure $\mathrm{ForwardPropagation}\left(u,V_i,{\delta }_{i+1},E\right)$ 1. $w\leftarrow$ zero vertex 2. $\left\{j_1,\dots ,j_k\right\}\leftarrow$ The indices of nonzero word in $u$ 3. for $\left(w\left[j_1\right],\dots ,w\left[j_k\right]\right)\in \mathcal{F}{\mathcal{M}}_{S_{j_1},u\left[j_1\right]}\times \dots \times \mathcal{F}{\mathcal{M}}_{S_{j_k},u\left[j_k\right]}$     3-1. $v\leftarrow {\mathcal{L}}_i\left(w\right)$     3-2. if $v$ does not satisfy ${\delta }_{i+1}$ or $\exists$ nonzero $v\left[j\right]$ s.t. $\mathcal{F}{\mathcal{M}}_{S_j,v\left[j\right]}=\mathrm{\varnothing }$        3-2-1. Go back to for loop     3-3. if $v\notin V_i$        3-3-1. $V_i\leftarrow V_i\cup \left\{v\right\}$     3-4. $E\leftarrow E\cup \left\{\left(u,v\right)\right\}$ 4. return $\left(V_i,E\right)$

4.1.2. Backward Generation

In backward generation, the vertices of $V_i$ are the output differences of the $i$-th S-layer ${\mathcal{S}}_i$ in the round function. We generate the vertices of $V_i$ that can propagate to the vertex in $V_{i+1}$ though ${\mathcal{S}}_{i+1}\circ {\mathcal{L}}_i$ with probability $2^{-2}$ for every active S-box and satisfy ${\delta }_i$. We also generate the edge $(u,v)$ from $V_i$ to $V_{i+1}$ in the same way as forward generation. Similar to forward generation, we check whether it is impossible to propagate from $V_{i-1}$ to $v$ with probability $2^{-2}$ per active S-box. The backward generation algorithm is described in Algorithm 5. The set $\mathcal{B}{\mathcal{M}}_{S,\mathsf{\Delta }Y}$ is a set of input differences such that propagates to $\mathsf{\Delta }Y$ through S-box $S$ with probability $2^{-2}$, i.e.,

$$\mathcal{B}{\mathcal{M}}_{S,\mathsf{\Delta }Y}=\left\{\mathsf{\Delta }X\in {\mathbb{F}}_2^4|\mathrm{Pr}\left(\mathsf{\Delta }X\stackrel{S}{\to }\mathsf{\Delta }Y\right)=2^{-2}\right\}$$

(12)

Algorithm 5. Backward generation from $V_r$ to $V_{⌊r/2⌋+1}$

Input: round $r$, graph $G$, activity pattern $\delta =\left({\delta }_1,\dots ,{\delta }_r\right)$ Output: graph $G$ Procedure $\mathrm{BackwardGeneration}\left(r,G,\delta \right)$ 1. for $i\leftarrow r-1$ to $⌊r/2⌋+1$      1-1. for $u\in V_{i+1}$         1-1-1. →$\mathrm{BackwardPropagation}\left(u,V_i,{\delta }_i,E\right)$ 2. return $G$ Procedure $\mathrm{BackwardPropagation}\left(u,V_i,{\delta }_i,E\right)$ 1. $w\leftarrow$ zero vertex 2. $\left\{j_1,\dots ,j_k\right\}\leftarrow$ The indices of nonzero word in $u$ 3. for $\left(w\left[j_1\right],\dots ,w\left[j_k\right]\right)\in \mathcal{B}{\mathcal{M}}_{S_{j_1},u\left[j_1\right]}\times \dots \times \mathcal{B}{\mathcal{M}}_{S_{j_k},u\left[j_k\right]}$     3-1. $v\leftarrow {\mathcal{L}}_i^{-1}\left(w\right)$     3-2. if $v$ does not satisfy ${\delta }_i$ or $\exists$ nonzero $v\left[j\right]$ s.t. $\mathcal{B}{\mathcal{M}}_{S_j,v\left[j\right]}=\mathrm{\varnothing }$         3-2-1. Go back to for loop     3-3. if $v\notin V_i$         3-3-1. $V_i\leftarrow V_i\cup \left\{v\right\}$     3-4. $E\leftarrow E\cup \left\{\left(u,v\right)\right\}$ 4. return $\left(V_i,E\right)$

4.1.3. Match

By performing forward generation and backward generation, the multistage graph $G$ is almost constructed except for the edges between $V_{⌊r/2⌋}$ and $V_{⌊r/2+1⌋}$. In the match part, we connect $u\in V_{⌊r/2⌋}$ and $v\in V_{⌊r/2+1⌋}$ if $u$ propagates to $v$ through the S-layer ${\mathcal{S}}_{⌊r/2+1⌋}$ with probability $2^{-2}$ for every active S-box. The match algorithm is described in Algorithm 6.

Algorithm 6. Match two vertex sets $V_{⌊r/2⌋}$ and $V_{⌊r/2⌋+1}$

Input: round $r$, graph $G$ Output: graph $G$ Procedure $\mathrm{Match}\left(r,G\right)$ 1. for $u\in V_{⌊r/2⌋}$     1-1. $v\leftarrow 0$     1-2. $\left\{j_1,\dots ,j_k\right\}\leftarrow$ The indices of nonzero word in $u$     1-3. for $\left(v\left[j_1\right],\dots ,v\left[j_k\right]\right)\in \mathcal{F}{\mathcal{M}}_{S_{j_1},u\left[j_1\right]}\times \dots \times \mathcal{F}{\mathcal{M}}_{S_{j_k},u\left[j_k\right]}$         1-3-1. if $v\in V_{⌊r/2⌋+1}$            1-3-1-1. $E\leftarrow E\cup \left\{\left(u,v\right)\right\}$ 2. return $G$

In the constructed multistage graph $G$, the path from the source to the sink is equivalent to the differential characteristic. Thus, we can count the differential characteristics by counting the paths in $G$.

Since we are interested in only the number of paths, we do not need to store the whole graph G. In forward generation, the number of paths from the source $s$ to the vertex in $V_i$ is the sum of paths to connected vertices in $V_{i-1}$, i.e.,

$$\mathrm{for} v\in V_i, \left|\left\{\left(\mathsf{\Delta }{X}_0\Rightarrow v\right)\right\}\right|=\sum _{\left(u,v\right)\in E}\left|\left\{\left(\mathsf{\Delta }{X}_0⟹u\right)\right\}\right|$$

(13)

Therefore, we do not need to store $V_{i-1}$ by marking the number of paths to the vertices of $V_i$. It is similar to backward generation. Thus, we store only $V_{⌊r/2⌋}$ and $V_{⌊r/2+1⌋}$. In match part, we count the number of paths from $\mathsf{\Delta }{X}_0$ to $\mathsf{\Delta }{Y}_r$ by

$$\left|\left\{\mathsf{\Delta }{X}_0⟹\mathsf{\Delta }{Y}_r\right\}\right|=\sum _{\left(u,v\right)\in E^{\prime }}\left|\mathsf{\Delta }{X}_0\Rightarrow u\right|\cdot \left|v\Rightarrow \mathsf{\Delta }{Y}_r\right|$$

(14)

where $E^{\prime }$ is the subset of $E$ that contains edges between $V_{⌊r/2⌋}$ and $V_{⌊r/2⌋+1}$.

For the AES-like ciphers such as Midori, SKINNY and CRAFT, we can simplify the process through precomputation. Since the AES-like cipher uses MixColumns or MixRows operations, there is independence between words for difference propagation through the two S-layers. Figure 2 shows the independent words in the block cipher SKINNY. Although the differences in same-colored words may change through the S-layer and MixColumns(MixRows) operations, they remain independent from those in words of different colors.

By using this property, we make a ${\left(2^4\right)}^4\times {\left(2^4\right)}^4$ table $T$ whose entry $\left(\alpha ,\beta \right)$ contains the number of paths from four-word difference $\alpha$ to four-word difference $\beta$ though two S-layers and one linear layer. Then, we can match the vertices between $V_{⌊r/2⌋-1}$ and $V_{⌊r/2⌋+1}$, not $V_{⌊r/2⌋}$ and $V_{⌊r/2⌋+1}$. In the match part, instead of connecting two vertices, we compute the number of paths between $u\in V_{⌊r/2⌋-1}$, $v\in V_{⌊r/2⌋+1}$ by multiplying the number of paths between the difference of four words marked in table $T$. This precomputation method speeds up dramatically when there are too many active S-boxes in the middle round $⌊r/2⌋$.

If the key(tweak) schedule of block cipher is linear, i.e., the key(tweak) difference in each round is fixed, our algorithms are applicable to related-key(tweak) differential cryptanalysis by considering key(tweak) difference XOR during graph construction. But in this case, the precomputation method cannot be used.

4.2. Generalized Counting Differential Characteristics

In this subsection, we present a generalized method with a weighted graph. We introduce some additional graph notation for a weighted graph. A weighted graph is a graph whose edge is assigned a weight. We denote the weight of edge $e$ by $w\left(e\right)$. And we define the weight of path $\left(u\Rightarrow v\right)$ as $w\left(u\Rightarrow v\right)≔{\prod }_{e\in E\left(u⟹v\right)}w\left(e\right)$.

In the construction of a multistage graph, we assign the probability of propagation from $u$ to $v$ scaled by $2^{-2\cdot hw\left({\delta }_i\right)}$ to the edge weight $w\left(u,v\right)$, i.e.,

$$\mathrm{for} u\in V_{i-1} \mathrm{and} v\in V_i, w\left(u,v\right)={\displaystyle \frac{\mathrm{Pr}\left(u\stackrel{f_i}{\to }v\right)}{2^{-2\cdot hw\left({\delta }_i\right)}}}$$

(15)

The $hw\left({\delta }_i\right)$ is the hamming weight of ${\delta }_i$ indicating the number of active S-boxes in the $i$-round. And then, we construct a weighted multistage graph similar to the construction in Section 4.1. The path with weight 1 is interpreted as one maximum differential characteristic, and a path with weight $2^{-1}$ is interpreted as half of that. We set the lower bound of the edge weight $WLB$ to prevent the graph from getting too large. We generate the vertices $v\in V_i$ only if there exists the vertex $u\in V_{i-1}$ with $w\left(u,v\right)\ge WLB$. Setting $WLB=2^{-1}$ means allowing one word to propagate with probability $2^{-3}$. The forward generation algorithm for constructing a weighted graph is given in Algorithm 7. The set ${\mathcal{F}}_{S,\mathsf{\Delta }X}$ is a set of output differences such that are propagated from $\mathsf{\Delta }X$ through S-box $S$, i.e.,

$${\mathcal{F}}_{S,\mathsf{\Delta }X}=\left\{\mathsf{\Delta }Y\in {\mathbb{F}}_2^4|\mathrm{Pr}\left(\mathsf{\Delta }X\stackrel{S}{\to }\mathsf{\Delta }Y\right)\ne 0\right\}$$

(16)

Algorithm 7. Forward generation from $V_0$ to $V_{⌊r/2⌋}$ (weighted graph)

Input: round $r$, graph $G$, activity pattern $\delta =\left({\delta }_1,\dots ,{\delta }_r\right)$, weight lower bound $WLB$ Output: graph $G$ Procedure $\mathrm{ForwardGeneration}\_\mathrm{weight}\left(r,G,\delta ,WLB\right)$ 1. for $i\leftarrow 1$ to $⌊r/2⌋$     1-1. for $u\in V_{i-1}$        1-1-1. →$\mathrm{ForwardPropagation}\_\mathrm{weight}\left(u,V_i,{\delta }_{i+1},E,WLB\right)$ 2. return $G$ Procedure $\mathrm{ForwardPropagation}\_\mathrm{weight}\left(u,V_i,{\delta }_{i+1},E,WLB\right)$ 1. $w\leftarrow$ zero vertex 2. $\left\{j_1,\dots ,j_k\right\}\leftarrow$ The indices of nonzero word in $u$ 3. for $\left(w\left[j_1\right],\dots ,w\left[j_k\right]\right)\in {\mathcal{F}}_{S_{j_1},u\left[j_1\right]}\times \dots \times {\mathcal{F}}_{S_{j_k},u\left[j_k\right]}$     3-1. $pro\leftarrow {\prod }_{i\in \left\{j_1,\dots ,j_k\right\}}\mathrm{P}\mathrm{r}\left(u\left[i\right]\stackrel{S_i}{\to }w\left[i\right]\right)\cdot 2^2$     3-2. $v\leftarrow {\mathcal{L}}_i\left(w\right)$     3-3. if $v$ does not satisfy ${\delta }_{i+1}$ or $pro<WLB$        3-3-1. Go back to for loop     3-4. if $v\notin V_i$        3-4-1. $V_i\leftarrow V_i\cup \left\{v\right\}$     3-5. $E\leftarrow E\cup \left\{\left(u,v\right)\right\}$     3-4. $e\left(u,v\right)\leftarrow pro$ 4. return $\left(V_i,E\right)$

The constructed graph in Section 4.1 is a special case of a weighted graph with $WLB=1$. By weighted graph with $WLB<1$, we can consider not only the maximum differential characteristic but also the differential characteristic with lower probability.

Like the graph construction in Section 4.1, we also do not need to store the whole graph $G$ and can simplify by precomputation. When we implement precomputation in weighted graph construction, the lower bound of edge weight from $V_{⌊r/2⌋-1}$ to $V_{⌊r/2⌋+1}$ cannot apply because we precompute the path weights from four words to four words, not the whole vertex. So, we implement the precomputation, applying the lower bound $2^{-2}$ to 4-word propagation through two S-layers. This allows us to consider more edges with weights less than $WLB$ from $V_{⌊r/2⌋-1}$ to $V_{⌊r/2⌋+1}$.

5. Results on Midori64, SKINNY64 and CRAFT

In this section, we present the results on lightweight block ciphers Midori64, SKINNY64 and CRAFT. And at the end of this section, we discuss why the gap between the differential and characteristic probability is large for Midori64, SKINNY64 and CRAFT in comparison to other block ciphers. In most cases, the execution time was only about 10 s. However, generating the weighted graph for SKINNY64 required considerably more time. For 12-round SKINNY64, the process took 3.28 h when $WLB$ was set to 0.5 and 61.71 h when $WLB$ was set to 0.25.

For each block cipher, we first find about 1000 maximum differential characteristics using a SAT solver and compute the differential probabilities by using a graph and precomputed ${\left(2^4\right)}^4\times {\left(2^4\right)}^4$ table. We present the differential with the highest probability as a result.

Table 4. Differential probabilities of Midori64, SKINNY64 and CRAFT.

Cipher	Rounds	Probability	Ref.
Midori64	8	$2^{-60.87}$	[16]
	9	$2^{-66.52}$
		$2^{-61.58}$	Ours
SKINNY64	8	$2^{-56.55}$	[16]
	9	$2^{-65.36}$
		$2^{-59.33}$	Ours
CRAFT	14	$2^{-63.80}$	[20]
		$2^{-60.32}$	Ours
SKINNY64-64 (Related tweakey)	11	$2^{-55.93}$	Ours
CRAFT (Related tweak)	17	$2^{-63.37}$	Ours

shows the differential probabilities of block cipher Midori64, SKINNY64 and CRAFT in comparison with previous work.

Figure 3 shows the round-wise differential probabilities of block ciphers Midori64, SKINNY64 and CRAFT. The black line indicates the probability of a single differential characteristic. The green line indicates the differential probability by counting the maximum differential characteristics described in Section 4.1. And the blue and red line indicate the probability by generalized counting described in Section 4.2 with $WLB=0.5$ and $0.25$, respectively. The red dotted line indicates the block size.

We apply our algorithms to the related-tweak differential without precomputation. The gap between the related-tweakey differential and single characteristic probability is not as large as a single-key differential. In the TK1 related-tweakey setting of 15-round SKINNY64, there are only 216 characteristics with fixed plaintext, ciphertext and tweakey difference. But it is large in CRAFT. We present the related-tweak differential probabilities of SKINNY64 and CRAFT in Figure 4.

The detailed results are given in

Table 5. Differential probabilities of Midori64.

Round	Differential	${\mathbf{Pr}}_{\mathit{D}\mathit{C}}$	${\mathbf{Pr}}_{\mathit{D},\mathit{M}}$	${\mathbf{Pr}}_{\mathit{D},0.5}$	${\mathbf{Pr}}_{\mathit{D},0.25}$
4	0x0AA0A0A0AA00AAA0 $\to$ 0xA0AAAA0A0AAA0000	$2^{-32}$	$2^{-23.82}$	$2^{-23.82}$	$2^{-23.82}$
5	0x000000A00A00A000 $\to$ 0x AA0A0AAAAAAAAAA0	$2^{-46}$	$2^{-34.14}$	$2^{-34.14}$	$2^{-34.14}$
6	0x00000000A00A00A0 $\to$ 0x 0000A0A00000AAA0	$2^{-60}$	$2^{-44.15}$	$2^{-44.13}$	$2^{-44.07}$
7	0x000000A000000000 $\to$ 0x0AAA000000000000	$2^{-70}$	$2^{-52.71}$	$2^{-52.65}$	$2^{-52.61}$
8	0xA0000A0000A00000 $\to$ 0x00000AAA00000000	$2^{-76}$	$2^{-57.18}$	$2^{-57.14}$	$2^{-57.12}$
9	0x0000A000000A00A0 $\to$ 0xAA0AA0AAAAA00000	$2^{-82}$	$2^{-61.67}$	$2^{-61.62}$	$2^{-61.58}$
10	0xAAA0AA00A0A00AA0 $\to$ 0xA0AAAA0A0000AAA0	$2^{-100}$	$2^{-75.12}$	$2^{-75.12}$	$2^{-75.01}$
11	0x000000A00000AA00 $\to$ 0x0AAA00AA00000000	$2^{-114}$	$2^{-83.75}$	$2^{-83.75}$	$2^{-83.60}$

,

Table 6. Differential probabilities of SKINNY64.

Round	Differential	${\mathbf{Pr}}_{\mathit{D}\mathit{C}}$	${\mathbf{Pr}}_{\mathit{D},\mathit{M}}$	${\mathbf{Pr}}_{\mathit{D},0.5}$	${\mathbf{Pr}}_{\mathit{D},0.25}$
4	0x0020000000000002 $\to$ 0x0002000000220002	$2^{-16}$	$2^{-11.91}$	$2^{-11}$	$2^{-11}$
5	0x0000040040000044 $\to$ 0x0020000002200020	$2^{-24}$	$2^{-18.20}$	$2^{-17.90}$	$2^{-17.50}$
6	0x0000000100C01100 $\to$ 0x5555500005505550	$2^{-32}$	$2^{-24.73}$	$2^{-24.09}$	$2^{-23.12}$
7	0x0000004004004004 $\to$ 0x0AAAAAAAA0AAAA00	$2^{-52}$	$2^{-41.37}$	$2^{-39.29}$	$2^{-39.07}$
8	0x0220220020002020 $\to$ 0x0220220022022020	$2^{-72}$	$2^{-56.08}$	$2^{-52.61}$	$2^{-51.35}$
9	0x0220220022022020 $\to$ 0x0022000220000002	$2^{-82}$	$2^{-63.99}$	$2^{-59.33}$	$2^{-58.67}$
10	0x0008080008008000 $\to$ 0xA00AA00A0A0AA000	$2^{-92}$	$2^{-72.04}$	$2^{-67.08}$	$2^{-65.67}$
11	0x0000000400404400 $\to$ 0x2A00000020A02000	$2^{-102}$	$2^{-83.09}$	$2^{-76.53}$	$2^{-74.06}$
12	0x0000000000000400 $\to$ 0x0600000006000600	$2^{-110}$	$2^{-86.64}$	$2^{-78.69}$	$2^{-75.90}$

,

Table 7. Differential probabilities of CRAFT.

Round	Differential	${\mathbf{Pr}}_{\mathit{D}\mathit{C}}$	${\mathbf{Pr}}_{\mathit{D},\mathit{M}}$	${\mathbf{Pr}}_{\mathit{D},0.5}$	${\mathbf{Pr}}_{\mathit{D},0.25}$
6	0x00AA000A0AA0000A $\to$ 0x0A0000000AA0000A	$2^{-28}$	$2^{-17.28}$	$2^{-17.22}$	$2^{-17.01}$
7	0xAA000A00A00A0A00 $\to$ 0x00A000AA0A00A00A	$2^{-40}$	$2^{-25.49}$	$2^{-25.17}$	$2^{-25.00}$
8	0xAAAAA0A0000A0AA0 $\to$ 0xA000AA00000A0AA0	$2^{-52}$	$2^{-33.31}$	$2^{-32.61}$	$2^{-32.54}$
9	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-64}$	$2^{-40.68}$	$2^{-40.28}$	$2^{-40.20}$
10	0xA000A0A00000A0A0 $\to$ 0x00A000000000A0A0	$2^{-72}$	$2^{-43.42}$	$2^{-42.84}$	$2^{-42.42}$
11	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-80}$	$2^{-50.34}$	$2^{-49.86}$	$2^{-49.66}$
12	0xAA0AAA000000AA00 $\to$ 0x000A00000000AA00	$2^{-88}$	$2^{-55.17}$	$2^{-54.66}$	$2^{-54.38}$
13	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-96}$	$2^{-60.00}$	$2^{-59.45}$	$2^{-59.08}$
14	0xA000A0A00000A0A0 $\to$ 0x0A000000000A0A0	$2^{-104}$	$2^{-61.81}$	$2^{-60.80}$	$2^{-60.32}$
15	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-112}$	$2^{-69.65}$	$2^{-69.04}$	$2^{-68.46}$
16	0xAA0AAA000000AA00 $\to$ 0x000A00000000AA00	$2^{-120}$	$2^{-74.48}$	$2^{-73.83}$	$2^{-73.14}$
17	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-128}$	$2^{-79.31}$	$2^{-78.62}$	$2^{-77.82}$
18	0xA000A0A00000A0A0 $\to$ 0x00A000000000A0A0	$2^{-136}$	$2^{-80.15}$	$2^{-78.97}$	$2^{-78.13}$
19	0xAA0AAA000000AA00 $\to$ 0x0A000000000000AA	$2^{-144}$	$2^{-88.96}$	$2^{-88.21}$	$2^{-87.15}$

,

Table 8. Related-TK1 differential probabilities of SKINNY64.

Round	Differential	${\mathbf{Pr}}_{\mathit{D}\mathit{C}}$	${\mathbf{Pr}}_{\mathit{D},\mathit{M}}$	${\mathbf{Pr}}_{\mathit{D},0.5}$	${\mathbf{Pr}}_{\mathit{D},0.25}$
4	0x0000000000000100 $\to$ 0x0050005000000050 $\mathsf{\Delta }TK1=$ 0x0000000005000000	$2^{-4}$	$2^{-2.42}$	$2^{-2.42}$	$2^{-2.42}$
5	0x0000000000001000 $\to$ 0x00A0000000A000A0 $\mathsf{\Delta }TK1=$ 0x0000000000000500	$2^{-6}$	$2^{-4.42}$	$2^{-4.42}$	$2^{-4.42}$
6	0x0000000000000001 $\to$ 0x0666000606050606 $\mathsf{\Delta }TK1=$ 0x0000000050000000	$2^{-12}$	$2^{-9.42}$	$2^{-9.42}$	$2^{-9.42}$
7	0x2000002002002000 $\to$ 0x0665000506050605 $\mathsf{\Delta }TK1=$ 0x5000000000000000	$2^{-20}$	$2^{-16.68}$	$2^{-16.10}$	$2^{-16.10}$
8	0x4000400000000000 $\to$ 0x0660006006500660 $\mathsf{\Delta }TK1=$ 0x2000200050000000	$2^{-26}$	$2^{-24}$	$2^{-23.68}$	$2^{-23.68}$
9	0x0000000800900800 $\to$ 0x0550005005500550 $\mathsf{\Delta }TK1=$ 0x500000000A200000	$2^{-32}$	$2^{-29}$	$2^{-28.68}$	$2^{-28.68}$
10	0x0000000200900900 $\to$ 0x92A808A0802228A8 $\mathsf{\Delta }TK1=$ 0x5000000002A00000	$2^{-46}$	$2^{-42.42}$	$2^{-41.61}$	$2^{-41.61}$
11	0x04C4144004010010 $\to$ 0x0A28082000BA8828 $\mathsf{\Delta }TK1=$ 0x0B80000001000000	$2^{-64}$	$2^{-58.10}$	$2^{-56.19}$	$2^{-55.93}$
12	0x2000200000000000 $\to$ 0x00AA0000208A00AA $\mathsf{\Delta }TK1=$ 0x5000300020000000	$2^{-76}$	$2^{-67.88}$	$2^{-65.30}$	$2^{-65}$
13	0x0000000400400100 $\to$ 0x00A20000200200A2 $\mathsf{\Delta }TK1=$ 0x2000000005300000	$2^{-82}$	$2^{-72.29}$	$2^{-69.71}$	$2^{-69.42}$
14	0x0004000000004000 $\to$ 0x5450015050005150 $\mathsf{\Delta }TK1=$ 0x0000000001000000	$2^{-90}$	$2^{-77.97}$	$2^{-71.80}$	$2^{-70.12}$
15	0x0000100000000400 $\to$ 0x2280000022822280 $\mathsf{\Delta }TK1=$ 0x0100550000000000	$2^{-98}$	$2^{-88.67}$	$2^{-86.54}$	$2^{-85.39}$

and

Table 9. Related-tweak differential probabilities of CRAFT. For each round, the tweak difference is 0x0000000000A00000 or 0x00000000000A0000.

Round	Differential	${\mathbf{Pr}}_{\mathit{D}\mathit{C}}$	${\mathbf{Pr}}_{\mathit{D},\mathit{M}}$	${\mathbf{Pr}}_{\mathit{D},0.5}$	${\mathbf{Pr}}_{\mathit{D},0.25}$
6	0x0F0055000A000500 $\to$ 0x0000A00000000000	$2^{-24}$	$2^{-17.55}$	$2^{-17.55}$	$2^{-17.55}$
7	0x0F00A5000A000500 $\to$ 0x0000000000A0D000	$2^{-28}$	$2^{-19.55}$	$2^{-19.55}$	$2^{-19.55}$
8	0x0000000AA0000000 $\to$ 0x00000000A00A0000	$2^{-38}$	$2^{-25.12}$	$2^{-25.12}$	$2^{-25.09}$
9	0x5000000AA0000000 $\to$ 0x000000A00000005A	$2^{-44}$	$2^{-30.12}$	$2^{-30.12}$	$2^{-30.09}$
10	0x5AA055000AA05000 $\to$ 0x0000A00000000000	$2^{-50}$	$2^{-32.08}$	$2^{-32.08}$	$2^{-31.93}$
11	0x5AA055000AA05000 $\to$ 0x0000000000A0A000	$2^{-54}$	$2^{-34.08}$	$2^{-34.08}$	$2^{-33.93}$
12	0x00070005A0070000 $\to$ 0x0000000000000005	$2^{-64}$	$2^{-45.12}$	$2^{-44.19}$	$2^{-43.19}$
13	0x7007000DA0070000 $\to$ 0xA000000F000A00A0	$2^{-72}$	$2^{-51.12}$	$2^{-50.19}$	$2^{-49.19}$
14	0x0000A00000000000 $\to$ 0x0000500000000000	$2^{-76}$	$2^{-54.14}$	$2^{-53.70}$	$2^{-53.19}$
15	0x0000A00000000000 $\to$ 0x0000000000A05000	$2^{-80}$	$2^{-56.14}$	$2^{-55.70}$	$2^{-55.19}$
16	0x0000A00000000000 $\to$ 0x0A00500000A0AA0A	$2^{-92}$	$2^{-66.14}$	$2^{-65.70}$	$2^{-65.19}$
17	0x00000005A0000000 $\to$ 0x00000005A0000000	$2^{-98}$	$2^{-65.51}$	$2^{-64.14}$	$2^{-63.37}$
18	0xA00ADAA000AA00A0 $\to$ 0x0000F00000000000	$2^{-102}$	$2^{-72.81}$	$2^{-72.38}$	$2^{-71.86}$
19	0xA00A5AA000AA00A0 $\to$ 0x0000000000A05000	$2^{-106}$	$2^{-74.81}$	$2^{-74.38}$	$2^{-73.86}$

. In the tables, ${\mathrm{Pr}}_{DC}$ is the single differential characteristic probability and ${\mathrm{Pr}}_{D,M}$ is the differential probability by counting the maximum differential characteristics. ${\mathrm{Pr}}_{D,0.5}$ and ${\mathrm{Pr}}_{D,0.25}$ are the probabilities by generalized counting with $WLB=0.5$ and $0.25$, respectively.

For $4i+2(i\ge 2)$ rounds of CRAFT, we found an activity pattern that provides higher differential probability than presented in [21]. It is given in Appendix A.

Our algorithm is applicable to all block ciphers using 4-bit S-boxes and word-based diffusion layers such as LED [34], TWINE [35] and LBlock [36]. However, there are a few gaps between the differential and characteristic probabilities compared to the results that we present. Here, we explain the reason that the gaps are large on Midori64, SKINNY64 and CRAFT. The first reason is the weak diffusion layer composed only of XOR with a low branch number. However, it is not enough to explain why the gap is large only in Midori64, SKINNY64 and CRAFT. Although it is a Feistel network structure, TWINE and LBlock have diffusion layers composed only of XOR with low branch numbers. But there is only one maximum differential characteristic for 11-round TWINE and no more than three maximum differential characteristics for 14-round LBlock with fixed input, output difference and an activity pattern. So, we found another reason related to the S-box. By the weak diffusion layer that is composed only of XOR, the difference is rarely changed through the diffusion layer. So, the output difference of the S-layer almost becomes the input of the next S-layer. Thus, the number of paths from plaintext to ciphertext difference through the block cipher is related to the number of word difference paths through S-boxes.

From a difference distribution table of S-box, we generate a directed graph $G_S$ such that their vertices are a nonzero difference, and edges $\left(\alpha ,\beta \right)$ exist if

$$\mathrm{Pr}\left(\alpha \stackrel{S}{\to }\beta \right)=2^{-2}.$$

(17)

We also obtain an adjacent matrix $A$ of $G_S$ that is a square matrix where each element indicates whether a pair of vertices is connected by an edge. Figure 5 shows the graph $G_S$ and adjacent matrix $A$ of the SKINNY64 S-box difference distribution table.

We can also calculate the $i$-power of matrix $A$. The entry $\left(\alpha , \beta \right)$ of $A^i$ means the number of $i$ length path from vertex $\alpha$ to $\beta$ in $G_S$. That is the number of word difference paths from difference $\alpha$ to $\beta$ through the S-box $i$ times. We compute the average value of $A^i$ for some S-boxes shown in

Table 10. Average value of the $i$-th power of the adjacent matrix corresponding to the difference distribution table graph of the block cipher S-boxes.

	$\mathit{i}$	1	2	3	4	5	6	7
S-box
Midori64		0.11	0.25	0.53	1.37	3.22	8.44	20.85
SKINNY64		0.11	0.23	0.46	0.94	1.80	3.66	7.02
$G_2$		0.11	0.20	0.37	0.68	1.25	2.32	4.28
PRESENT		0.11	0.20	0.36	0.67	1.21	2.20	3.97

. The S-box $G_2$ is the optimal 4-bit S-box presented in [37].

By Table 10, the average number of paths from a non-zero difference to a non-zero difference is the highest in the Midori64 S-box, followed by the SKINNY64 S-box. To verify that the number of $i$ length path in $G_S$ is significantly related to the gap between the differential and characteristic probabilities, we compute the number of maximum differential characteristic of SKINNY64, replacing the S-box with another one.

Table 11. The number of maximum differential characteristics ($\#char$) with replacement of another S-box in 10-round SKINNY64.

S-box	Midori64	SKINNY64	${\mathit{G}}_2$	PRESENT
$\#char$	$2^{31.78}$	$2^{19.97}$	$2^{13.76}$	$2^{7.39}$

shows the results of 10 rounds.

Table 11 shows that the use of Midori64 S-box with a weak diffusion layer is more vulnerable to differential cryptanalysis than the use of other S-boxes. The differential probability using Modir64 S-box is at least $2^{-60.22}$. On the other hand, the probability is $2^{-84.61}$ when using PRESENT S-box. This explains why the gap between differential and characteristic probabilities is largest in CRAFT, which uses a Midori64 S-box and a very weak diffusion layer.

6. Conclusions

In this work, we present an approach to computing the lower bound of the differential probability of block ciphers with a word-based diffusion layer and S-layer. Our approach is to obtain the best differential characteristic by using an off-the-shelf SAT solver and then count the number of maximum differential characteristics with a given plaintext, ciphertext difference, and activity pattern. We constructed a multistage graph to count in which the path from source to sink is equivalent to the difference characteristic. Moreover, we present a generalized approach by using a weighted graph to consider more characteristics, not only the maximum characteristic. By using our method, we provide more accurate differential probabilities of Midori64, SKINNY64 and CRAFT.

Further, we propose that the gap between the probability of differential and characteristic in a block cipher with weak diffusion is significantly related to the S-box. We explain the relation by an adjacent matrix of the difference distribution table of the S-box. The average value of the adjacent matrix’s $i$-th power is significantly related to the gap between differential and characteristic probabilities, when the S-box is used with a weak diffusion layer in which the passed difference is rarely changed. We claim that using Midori64 S-box, which has the highest average value of the adjacent matrix’s $i$-th power, with a weak diffusion layer, is vulnerable to differential cryptanalysis, as seen in the results of CRAFT.