This paper provides the first third-party analysis of the DBST cipher, challenging its security claims. The analysis reveals significant vulnerabilities within the cipher's structure, allowing the identification of distinguishers that can differentiate all 32 rounds of the cipher from a random permutation with a probability of one. This contradicts the designers' claim that the probability of a successful differential attack on any 32-round characteristic is bounded by $2^{-170}$. Additionally, the existence of differential distinguishers for the full round implies the existence of full-round impossible differential distinguishers, contradicting the designers' claim that the best impossible differential characteristic would require at most 6 rounds.

Integral, impossible-differential (ID), and zero-correlation (ZC) attacks are three of the most important attacks on block ciphers. However, manually finding these attacks can be a daunting task, which is why automated methods are becoming increasingly important. Most automatic tools regarding integral, ZC, and ID attacks have focused only on finding distinguishers rather than complete attacks. At EUROCRYPT~2023, Hadipour et al. proposed a generic and efficient constraint programming (CP) model based on satisfiability for finding ID, ZC, and integral distinguishers. This new model can be extended to a unified CP model for finding full key recovery attacks. However, it has limitations, including determining the contradiction location beforehand and a cell-wise model unsuitable for weakly aligned ciphers like Ascon and PRESENT. They also deferred developing a CP model for the partial-sum technique in key recovery as future work. In this paper, we enhance Hadipour et al.'s method in several ways. First, we remove the limitation of determining the contradiction location in advance. Second, we show how to extend the distinguisher model to a bit-wise model, considering the internal structure of S-boxes and keeping the model based on satisfiability. Third, we introduce a CP model for the partial-sum technique for the first time. To show the usefulness and versatility of our approach, we apply it to various designs, from strongly aligned ones like ForkSKINNY and QARMAv2 to weakly aligned ones such as Ascon and PRESENT, yielding significantly improved results. To mention a few of our results, we improve the integral distinguisher of QARMAv2-128 (resp. QARMAv2-64) by 7 (resp. 5) rounds, and the integral distinguisher of ForkSKINNY by 1 round, only thanks to our cell-wise distinguisher modelings. By using our new bit-wise modeling, our tool can find a group of $2^{155}$ 5-round ID and ZC distinguishers for Ascon in only one run, taking a few minutes on a regular laptop. The new CP model for the partial-sum technique enhances integral attacks on all SKINNY variants, notably improving the best attack on SKINNY-n-n in the single-key setting by 1 round. We also enhance ID attacks on ForkSKINNY and provide the first analysis of this cipher in a limited reduced-round setting. Our methods are generic and applicable to other block ciphers.

Impossible differential (ID), zero-correlation (ZC), and integral attacks are a family of important attacks on block ciphers. For example, the impossible differential attack was the first cryptanalytic attack on 7 rounds of AES. Evaluating the security of block ciphers against these attacks is very important but also challenging: Finding these attacks usually implies a combinatorial optimization problem involving many parameters and constraints that is very hard to solve using manual approaches. Automated solvers, such as Constraint Programming (CP) solvers, can help the cryptanalyst to find suitable attacks. However, previous CP-based methods focus on finding only the ID, ZC, and integral distinguishers, often only in a limited search space. Notably, none can be extended to a unified optimization problem for finding full attacks, including efficient key-recovery steps. In this paper, we present a new CP-based method to search for ID, ZC, and integral distinguishers and extend it to a unified constraint optimization problem for finding full ID, ZC, and integral attacks. To show the effectiveness and usefulness of our method, we applied it to several block ciphers, including SKINNY, CRAFT, SKINNYe-v2, and SKINNYee. For the ISO standard block cipher SKINNY, we significantly improve all existing ID, ZC, and integral attacks. In particular, we improve the integral attacks on SKINNY-n-3n and SKINNY-n-2n by 3 and 2 rounds, respectively, obtaining the best cryptanalytic results on these variants in the single-key setting. We improve the ZC attack on SKINNY-n-n (SKINNY-n-2n) by 2 (resp. 1) rounds. We also improve the ID attacks on all variants of SKINNY. Particularly, we improve the time complexity of the best previous single-tweakey (related-tweakey) ID attack on SKINNY-128-256 (resp. SKINNY-128-384) by a factor of $2^{22.57}$ (resp. $2^{15.39}$). On CRAFT, we propose a 21-round (20-round) ID (resp. ZC) attack, which improves the best previous single-tweakey attack by 2 (resp. 1) rounds. Using our new model, we also provide several practical integral distinguishers for reduced-round SKINNY, CRAFT, and Deoxys-BC. Our method is generic and applicable to other strongly aligned block ciphers.

Cloud-based RFID is gaining popularity in tandem with the growth of cloud computing and the Internet of Things (IoT). The cloud-based RFID system is developed with the intent of providing real-time data that can be sent into the cloud for easy access and interpretation. The security and privacy of constrained devices in these systems is a challenging issues for many applications. To deal with this problem, we first introduce $\Xi$per, as a new hardware/software friendly component that can be implemented using bit-wise operations and extensively analyze its security. Next, we propose $\Xi$perbp, a lightweight authentication protocol based on $\Xi$per component. To evaluate the performance efficiency of our proposed scheme, we implement the $\Xi$perbp scheme on an FPGA module Xilinx Kintex-7 using the hardware description language VHDL. Our security and cost analysis of the proposed protocol shows that the proposed protocol provides desired security against various attacks, at a reasonable cost. Also, formal security evaluation using BAN logic and the Scyther tool indicates its security correctness. Besides, we analyze the security of a related protocol which has been recently proposed by Fan et al. It is a cloud-based lightweight mutual authentication protocol for RFID devices in an IoT system. The authors have claimed that their scheme is secure against active and passive attacks, however, our detailed security analysis in this paper demonstrates the major drawbacks of this protocol. More precisely, the proposed attack discloses the tag’s secrets efficiently. Given the tag’s secrets, any other attack will be trivial.

SFN is a lightweight block cipher designed to be compact in hardware and efficient in software for constrained environment such as the Internet of Things (IoT) edge devices. Compared to the conventional block ciphers it uses both the SP network structure and Feistel network structure to encrypt. The SFN supports key lengths of 96 bits and its block length is 64 bits and includes 32 rounds. In this paper, we propose a deterministic related key distinguisher for 31 rounds of the SFN. we are able to use the proposed related key distinguisher to attack the SFN in the known-plaintext scenario with the time complexity of $2^{60.58}$ encryptions. The data and memory complexity of those attacks are negligible. In addition, we will extend it to a practical chosen-plaintext-ciphertext key recovery attack on full SFN (32 rounds) with the complexity of $2^{20}$. We also experimentally verified this attack. Also, in the single key mode, we present a meet in the middle attack against the full rounds block cipher for which the time complexity is $2^{80}$ the SFN calculations and the memory complexity is $2^{35.6}$ bytes. The data complexity of this attack is only two known plaintext and their corresponding ciphertext.

Persistent Fault Analysis (PFA) is an innovative and powerful analysis technique in which fault persists throughout the execution. The prior prominent results on PFA were on SPN block ciphers, and the security of Feistel ciphers against this attack has received less attention. In this paper, we introduce a framework to utilize Statistical Ineffective Fault Analysis (SIFA) in the persistent fault setting by proposing Statistical Ineffective Persistent Faults Analysis (SIPFA) that can be efficiently applied to Feistel ciphers in a variety of scenarios. To demonstrate the effectiveness of our technique, we apply SIFPA on three widely used Feistel schemes, DES, 3DES, and Camellia. Our analysis reveals that the secret key of these block ciphers can be extracted with a complexity of at most $2^50$ utilizing a single unknown fault. Furthermore, we demonstrate that the secret can be recovered in a fraction of a second by increasing the adversary’s control over the injected faults. To evaluate SIPFA in a variety of scenarios, we conducted both simulations and real experiments utilizing electromagnetic fault injection on DES and 3DES.

With the increase of connected devices being introduced into the market each day, the Internet of Things (IoT) vision is progressively becoming a reality. This phenomenon however increases key security risks flagged by the scientific and research community and industry professionals. Devices featuring limited security capabilities are of particular concern in IoT adoption, including passive Radio Frequency Identification (RFID) tags. In response to such security limitations, several ultra-lightweight authentication protocols have been proposed, although, most of them exhibit various vulnerabilities. In this study, we evaluate the security level of recent ultra-lightweight mutual authentication protocols and show their susceptibility to replay and desynchronization attacks. Through this research, we also show that these protocols can be grouped into a generalized version of ultra-lightweight mutual authentication protocols (GUMAPs) and classify them into two categories: (i) GUMAP1, where both parties (tag and reader) maintain a history of old parameters; and (ii) GUMAP2, where only one party maintains a history of old parameters. We then establish that both groups are vulnerable to replay and desynchronization attacks. To eliminate these vulnerabilities, we propose a more secure generalized improved mutual authentication protocol (GIMAP). To address the security issues, we present a new message authentication code (MAC) function for GIMAP and prove that the new protocol can satisfy the security requirement involved in lightweight protocols. The security analysis of GIMAP is also supported by the formal security analysis, using two widely accepted approaches, namely BAN logic and the Scyther tool.

ARX symmetric ciphers use three operations: Additional, Rotational, and XOR in their structures. The SPECK, MARX, MARX2, and CHASKEY are examples of ARX block ciphers. In this paper, we consider the zero-correlation linear cryptanalysis of MARX, MARX2 and impossible differential cryptanalysis of MARX, MARX2, and CHASKEY. To our knowledge, this cryptanalysis has not been performed on any of the mentioned ciphers so far. Among the available methods for finding the best impossible differential and zero correlation characteristic in the corresponding cryptanalysis, we use Mixed Integer Linear Programming (MILP). The MILP is an automated search method to find the best differential (linear) characteristics of a cipher with a specified number of rounds. Thanks to the MILP method, for the CHASKEY cipher, we find 4-round impossible differential characteristics. For MARX, we present a 13-round attack by using a 10-round impossible differential characteristic. Also, for MARX2, we find 7-round impossible differential characteristics that cause the 11 rounds attack. Moreover, we apply zero-correlation linear cryptanalysis on 10 and 7-round of MARX and MARX2, respectively.

Search for the right pairs of inputs in difference-based distinguishers is an important task for the experimental verification of the distinguishers in symmetric-key ciphers. In this paper, we develop an MILP-based approach to verify the possibility of difference-based distinguishers and extract the right pairs. We apply the proposed method to some presented difference-based trails (Related-Key Differentials (RKD), Rotational-XOR (RX)) of block ciphers SIMECK, and SPECK. As a result, we show that some of the reported RX-trails of SIMECK and SPECK are incompatible, i.e. there are no right pairs that follow the expected propagation of the differences for the trail. Also, for compatible trails, the proposed approach can efficiently speed up the search process of finding the exact value of a weak-key from the target weak- key space. For example, in one of the reported 14-round RX trails of SPECK, the probability of a key pair to be a weak-key is $2^{94.91}$ when the whole key space is $2^{96}$; our method can find a key pair for it in a comparatively short time. It is worth noting that it was impossible to find this key pair using a traditional search. As another result, we apply the proposed method to SPECK block cipher, to construct longer related-key differential trails of SPECK which we could reach 15, 16, 17, and 19 rounds for SPECK32/64, SPECK48/96, SPECK64/128, and SPECK128/256, respectively. It should be compared with the best previous results which are 12, 15, 15, and 20 rounds, respectively, that both attacks work for a certain weak key class. It should be also considered as an improvement over the reported result of rotational XOR cryptanalysis on SPECK.

LRBC is a new lightweight block cipher that has been proposed for resource-constrained IoT devices. The cipher is claimed to be secure against differential cryptanalysis and linear cryptanalysis. However, beside short state length which is only 16-bits, the structures of the cipher only use the linear operations, the its s-boxes, and this is a reason why the cipher is completely in- secure against the mentioned attacks. we present a few examples to show that. Also, we show that the round function of LRBC has some structural problem and even if we fix them the cipher does not provide complete diffusion. Hence, even with replacement of the cipher s-boxes with proper s-boxes, the problem will not be fixed and it is possible to provide deterministic distinguisher for any number of round of the cipher. In addition, we show that for any fixed key, it is possible to create a full code book for the cipher with the complexity of $2^n/2$, which should be compared with $2^n$ for any secure n-bit block cipher.

In this paper, we present some attacks on GAGE, InGAGE, and CiliPadi which are candidates of the first round of the NIST-LWC competition. GAGE and InGAGE are lightweight sponge based hash function and Authenticated Encryption with Associated Data (AEAD), respectively and support different sets of parameters. The length of hash, key, and tag are always 256, 128, and 128 bits, respectively. We show that the security bounds for some variants of its hash and AEAD are less than the designers' claims. For example, the designers' security claim of preimage attack for a hash function when the rate is 128 bits and the capacity is $256$ bits, is $2^{256}$, however, we show that the security of preimage for this parameter set is $2^{128}$. Also, the designer claimed security of confidentiality for an AEAD, when the rate is 8 bits and the capacity is 224 bits, is $2^{116}$, however, we show the security of confidentiality for it is $2^{112}$. We also investigate the structure of the permutation used in InGAGE and present an attack to recover the key for reduced rounds of a variant of InGAGE. In an instance of AEAD of InGAGE, when the rate is 8 bits and the capacity is 224 bits, we recover the key when the number of the composition of the main permutation with itself, i.e., $r_{1}$, is less than 8. We also show that CiliPadi is vulnerable to the length extension attack by presenting concrete examples of forged messages.

CRAFT is a lightweight block cipher, designed to provide efficient protection against differential fault attacks. It is a tweakable cipher that includes 32 rounds to produce a ciphertext from a 64-bit plaintext using a 128-bit key and 64-bit public tweak. In this paper, compared to the designers’ analysis, we provide a more detailed analysis of CRAFT against differential and zero-correlation cryptanalysis, aiming to provide better distinguishers for the reduced rounds of the cipher. Our distinguishers for reduced-round CRAFT cover a higher number of rounds compared to the designers’ analysis. In our analysis, we observed that, for any number of rounds, the differential effect of CRAFT has an extremely higher probability compared to any differential trail. As an example, while the best trail for 11 rounds of the cipher has a probability of at least $2^{80}$, we present a differential with probability $2^{49.79}$, containing 229.66 optimal trails, all with the same optimum probability of $2^{80}$. Next, we use a partitioning technique, based on optimal expandable truncated trails to provide a better estimation of the differential effect on CRAFT. Thanks to this technique, we are able to find differential distinguishers for 9, 10, 11, 12, 13, and 14 rounds of the cipher in single tweak model with the probabilities of at least $2^{40.20}$, $2^{45.12}$, $2^{49.79}, 2^{54.49}, 2^{59.13}, $ and $2^{63.80}$, respectively. These probabilities should be compared with the best distinguishers provided by the designers in the same model for 9 and 10 rounds of the cipher with the probabilities of at least $2^{54.67}$ and $2^{62.61}$, respectively. In addition, we consider the security of CRAFT against the new concept of related tweak zero-correlation (ZC) linear cryptanalysis and present a new distinguisher which covers 14 rounds of the cipher, while the best previous ZC distinguisher covered 13 rounds. Thanks to the related tweak ZC distinguisher for 14 rounds of the cipher, we also present 14 rounds integral distinguishers in related tweak mode of the cipher. Although the provided analysis does not compromise the cipher, we think it provides a better insight into the designing of CRAFT.

SIMECK is a family of lightweight block ciphers that relies on Feistel structure. Being proposed at CHES in 2015, the round function of SIMECK is slightly modified from SIMON. A cipher in this family with K-bit key and n-bit block is called SIMECK$n/K$, for $n/K \in \{32/64,48/96,64/128 \}$. SIMECK has already received a number of third-party analyses. However, the security level on SIMECK against the related-key impossible differential has never been evaluated. In this paper, we consider related-key impossible differential distinguishers for the variants of SIMECK. We first propose some distinguishers on SIMECK using the miss-in-the-middle approach. More specifically, 15/16/19-round related-key impossible differential distinguishers on SIMECK32/48/64 are presented first while the best previously known results were 11/15/17-round on SIMECK32/48/64 in the single-key setting. Afterwards, thanks to MILP approach, we automatically prove that these characteristics are the best related-key impossible differentials of SIMECK when we limit the input and output differences to 1 active bit.

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY .We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY- 64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones.

SIMECK is a family of three lightweight block ciphers designed by Yang et al., following the framework used byBeaulieu et al. from the United States National Security Agency to design SIMON and SPECK. In this study, the authors employan improved miss-in-the-middle approach to find zero correlation linear distinguishers and impossible differentials on SIMECK48and SIMECK64. Based on this novel technique, they will be able to present zero-correlation linear approximations for 15-roundSIMECK48 and 17-round SIMECK64 and these zero-correlation linear approximations improve the previous best result by tworounds for SIMECK48 and SIMECK64. Moreover, they attack 27-round SIMECK48 and 31-round SIMECK64 based on thesezero-correlation linear distinguishers. In addition, due to the duality of zero-correlation and impossible differential, they searchfor the impossible differential characteristics for SIMECK48 and SIMECK64 so that they will be able to present 15-roundSIMECK48 and 17-round SIMECK64 while the best previously known results were 13-round impossible differentials forSIMECK48 and 15-round impossible differentials for SIMECK64. Moreover, they propose impossible differential attacks on 22-round SIMECK48 and 24-round SIMECK64 based on these impossible differential characteristics. The results significantlyimprove the previous zero correlation attack and impossible differential characteristic results for these variants of SIMECK to thebest of the authors’ knowledge.

Recently, a new ultra lightweight block cipher called QTL has been proposed. The authors claim to achieve a fast diffusion in QTL by using a new variant of a generalized Feistel network structure that changes all block messages in one iterative round in contrast to traditional Feistel-type structures changing only half of block messages. In this paper, we evaluate the security claims of the esigners and show that their claims are not valid as QTL is vulnerable to the standard statistical attacks on block ciphers.