Congruent Differential Cluster for Binary SPN Ciphers

This study is focused on the differential clustering effect of the SPN block cipher, which employs a binary matrix as its diffusion layer. We present a novel strategy for differential estimation, named the congruent differential cluster. This method does not guarantee the optimization of each single differential characteristic but gathers a large number of characteristics satisfying a specific condition, i.e., the output differences of active S-boxes are equal. Given a binary SPN cipher, the exact probability of the congruent differential cluster can be obtained with negligible computational resources. Moreover, we consider a popular instance, binary AES-like ciphers, since the processing of their column-mixing layer can be divided into several independent parts. Therefore, if we set the output differences of the active S-boxes in the same partition to be equal, we can obtain more differential characteristics in the cluster, known as a semicongruent differential cluster. To demonstrate the application of the proposed method, we apply it to several block ciphers, i.e., Midori-64, CRAFT-64, SKINNY-64 and their variants proposed in Todo and Sasaki (2022). Compared with the active S-box counting method, the congruent differential clusters have considerably higher probabilities for most instances. In addition, we find a 7-round semicongruent differential cluster for Midori-64 with probability $2^{-52.25}$, an 8-round semicongruent differential cluster for SKINNY-64 with probability $2^{-50.72}$ and a 10-round semicongruent differential cluster for CRAFT-64 with probability $2^{-42.32}$. To the best of our knowledge, the semicongruent differential clusters we identify for 7-round Midori-64, 8-round SKINNY-64 and 10-round CRAFT-64 have the highest probabilities thus far among the existing differential clusters with the same rounds. Therefore, we believe that the proposed method is a valuable tool for evaluating the differential security of associated block ciphers.


Ting Cui, Yiming Mao, Yang Yang, Yi Zhang, Jiyan Zhang, and Chenhui Jin

I. INTRODUCTION
IN THE last several decades, block ciphers have played a central role in the development of cryptology. Open research on block ciphers started with the proposal of the DES in 1977 [2], which provided the most important target for

Manuscript received 14 June 2023; revised 20 October 2023 and 1 January 2024; accepted 2 January 2024. Date of publication 5 January 2024; date of current version 11 January 2024. This work was supported in part by the National Natural Science Foundations of China under Grant 62372463 and Grant 62302518 and in part by the Natural Science Foundation of Henan Province under Grant 222300420100. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Hossein Pishro-Nik. (Corresponding authors: Jiyan Zhang; Yang Yang.) The authors are with the Department of Applied Mathematics, PLA SSF Information Engineering University, Zhengzhou 450000, China (e-mail: cuit-ing_1209@126.com; mym220615@163.com; yangyang_wawa@sina.com; yizhang0796@foxmail.com; xdzhangjiyan@126.com; jinchenhui@126.com).

Differential cryptanalysis forced designers to reconsider their design methodologies. The basic idea to ensure robustness against cryptanalysis is to introduce an upper bound on the probability of any differential of the cipher. For an upper bound p, the data complexity of the attack is approximately 1/p [6]. In the mid-1990s, Luke O'Connor [7] studied the differential and linear properties of random permutations for the first time and gave the probabilistic upper bound for a differential characteristic. However, it remains challenging to accurately estimate the probability of the differential of the target cipher.

Another milestone in the development of block ciphers is the proposal of the AES. To ensure robustness against differential/linear cryptanalysis, Daemen and Rijmen introduced the wide trail design strategy during the design of Rijndael [8]. This strategy helps designers more easily evaluate the security boundary against differential (and linear) cryptanalysis. Compared with previous designs, the wide trail strategy eliminates the necessity of heavy arguments or programming work in ensuring differential security. Generally, if the cipher has no less than n active S-boxes after an r-round cascade, then there never exists an r-round differential characteristic with a probability greater than $p_{\max}^n$, where $p_{\max}$ denotes the highest differential probability of the S-box.

In recent years, many researchers have attempted to design block ciphers under the wide trail strategy framework. Furthermore, with the continuous progress in automated cryptanalysis technologies, increasing efforts are being made to evaluate the resistance of block ciphers against differential cryptanalysis by counting the active S-boxes.

For 4-round AES, there are at least 25 active S-boxes and the highest differential probability of AES's S-box is $2^{-6}$. Theoretically, there is no differential characteristic with a probability exceeding $2^{-6 \times 25} = 2^{-150}$. However, in 2005, Keliher proved that for 4-round AES, there exists a differential that holds with probability $1.881 \times 2^{-114}$ [9]. This finding indicates that the probability of the identified characteristic may be considerably smaller than that of the differential in AES. Furthermore, Ankele and Kölbl [10] developed an automated approach for enumerating the characteristics with the highest probability of contributing to a differential based on SMT solvers, and in 2020, Dunkelman et al. [11] noted that counting the minimum number of active S-boxes may not always be sufficiently accurate. The authors introduced a 4-round Feistel with the SPSPSPSP layer as its round function, and their block cipher had at least 36 active AES S-boxes. However, there exist differentials with a considerably higher probability. Although Dunkelman's block cipher is artificial, and the evidence of the high probability differential is based on a mathematical deduction instead of the real differential, it indicates that a provable secure block cipher (other than the AES) against differential cryptanalysis may still be insecure in practice.
In ASIACRYPT 2021 [12], Leurent et al. considered the clustering effect of differential/linear properties in Simon and Simeck, resulting in stronger distinguishers than previously proposed differential/linear characteristics.
Our Contribution: This study focuses on binary SPN ciphers, i.e., ciphers that use only S-box level XOR as their diffusion layers. This kind of diffusion layer often has better hardware and software implementation as well as lower energy consumption, making them widely used in lightweight cryptography. Typical representatives are SKINNY [13], Midori [14], CRAFT [15], etc. The objective is to establish a novel differential cluster (named congruent differential cluster and its variant semicongruent differential cluster, which we will define later) for such ciphers. The main contributions of this research can be summarized as follows:

• We present the theoretical framework of the congruent differential cluster for binary SPN ciphers. Instead of optimizing the probability of a single differential characteristic, we collect a large number of differential characteristics following several special differential patterns to attain an appreciable probability effect. Moreover, we prove that the exact probability of the congruent differential cluster can be obtained by computing the multiplication of r matrices of scale $2^n \times 2^n$, where n and r indicate the size of the S-box and the number of cascading rounds of the target cipher, respectively. Thus, the computational cost of the proposed approach is negligible for widely used S-boxes.

• For a special type of binary SPN ciphers, i.e., binary AES-like ciphers, we add more differential characteristics to the cluster and obtain the semicongruent differential cluster with higher probabilities. The column-mixing layer of binary AES-like ciphers divides the intermediate state into a number of independent parts. Thus, if we set the output differences of the active S-boxes in the same partition to be equal, we can obtain more differential characteristics. We establish a realistic and feasible algorithm to calculate the probabilities of semicongruent differential clusters. Experimentally, semicongruent differential clusters significantly improve the probabilities of congruent differential clusters.

• To demonstrate the application of the proposed framework, we test the probabilities of semicongruent differential clusters for several typical block cipher instances, namely, SKINNY-64, Midori-64, and CRAFT-64, and the results are summarized in Table I. In most cases, we have achieved the best results so far. However, there are still some results that cannot surpass other methods. We attribute this to the fact that our clusters have more active S-boxes than theirs at the corresponding rounds. According to our approach, we also find a differential cluster of 15-round SKINNY-128. The probability of the cluster is about $2^{-122.9}$, which has a gain of $2^{9.1}$ compared to the security boundary by counting the number of active S-boxes.

Organization: Section II introduces the basic notations and definitions. Section III and Section IV describe the basic idea and calculation of the probabilities of congruent differential clusters, respectively. Section V describes the development of semicongruent differential clusters and the corresponding probability calculation. Section VI describes the application of the proposed framework to several typical instances. Section VII presents the concluding remarks.

II. FUNDAMENTALS
The following symbols are used in this paper.

n: size of the S-box;
m: number of S-boxes in one layer of the SPN cipher;
), where $M = (m_{i,j})$;
wt(α): Hamming weight of α;
#•: cardinal number of the set •;
GF($2^n$): finite field with $2^n$ elements.

Differential cryptanalysis is a classical cryptanalysis technique introduced by Biham and Shamir [3], [4], which exploits the propagation of differences in the target cipher. This cryptanalysis starts from a carefully chosen differential pair (a, b) such that the probability of $E(x) \oplus E(x \oplus a) = b$ is considerably higher than $2^{-mn}$, where E denotes the target cipher.

The difference distribution table (DDT) of a single S-box is a $2^n \times 2^n$ table, where the $a \times b$-th entry is the number of pairs that satisfy the difference $(a \xrightarrow{S} b)$. Notably, in several studies, the $a \times b$-th entry of the DDT is defined as $2^n \times \Pr(a \xrightarrow{S} b)$. For simplicity, in this paper, we omit the constant $2^n$, and the $a \times b$-th entry of the DDT is defined as

It is challenging to calculate the exact probability of the differential for large-scale mappings. Fortunately, the probability of a differential characteristic can be derived from difference propagation over several rounds of the cipher. Thus, the differential characteristic with a high probability is usually used to represent a differential. In other words, the probabilities of differential characteristics can quantify the resistance against differential cryptanalysis to some extent.

Lai et al. [18] introduced the Markov cipher $E^r$; in such a cipher, the probability of an r-round characteristic of $E^r$ is the product of the probabilities of each round function, i.e., In general, the probability of a differential is the sum over all compatible characteristics, which can be calculated as Theoretically, there exist at most $2^{mn \times (r-1)}$ possible differential characteristics compatible with such a differential. In this study, we explore the clustering effect for binary SPN ciphers by exploring a class of differential characteristics in which the active S-boxes remain in the same positions. Formally, we construct a subset ⊆ $\{0,1\}^{mn}$ and then estimate the probability of If the cardinal number of is adequately large, the probability advantages associated with the best differential characteristic will likely be surpassed. First, we introduce several basic definitions.
Definition 1 [19]: Let SLayer be a nonlinear transformation on $\{0,1\}^{mn}$ defined by m paralleled n-bit S-boxes, i.e., the permutation layer $P : \{0,1\}^{mn} \to \{0,1\}^{mn}$ is a linear bijection, and the one-round SPN structure E is defined as where k denotes the subkey.

Accordingly, in an r-round SPN cipher $E^r$, if P can be represented by an $m \times m$ binary matrix P, i.e., where P is a binary matrix over GF($2^n$), then E is termed the round function of a binary SPN cipher. Typical examples of this configuration are SKINNY [13], Midori [14] and CRAFT [15].

Definition 2 [19]: , 1} corresponds to the following mapping: Then, is said to be the pattern of

Instead of searching a single characteristic with the highest probability, we search for a large number of differential characteristics having the same low-weight pattern. The final probability of our differential cluster is the sum of the probabilities of potential characteristics. This tradeoff is expected to facilitate the realization of our objective.

III. ARCHITECTURE OF THE CONGRUENT DIFFERENTIAL CLUSTER
Instead of minimizing the number of active S-boxes, our core idea is to increase the number of differential characteristics with the same number of active S-boxes. We focus on the differential behavior of the binary SPN cipher, and the process is initiated at the diffusion layer. First, we present several basic definitions.

Definition 3: Let P be an $m \times m$ binary matrix over GF($2^n$). Then, the $m \times m$ matrix B(P) over GF(2) is defined by which is termed the basic matrix of P.

The partition mapping is defined as Inversely, we define the combined mapping Note that the diffusion layer P of the binary SPN diffuses the input by n-bitwise XOR. The process of the mn-bit diffusion can be divided into m copies of independent n-bit diffusions B(P). Specifically, Since B(P) = P in form, we use the symbol P to represent both B(P) and P.

For any equal extension vector α of a given pattern $\chi_0$ (formally denoted as $\alpha = a \times \chi_0$), we have $P \times \alpha = a \times (P \times \chi_0)$. Consequently, if the equal extension vector α is the input difference of the linear layer P, $P \times \alpha$ is also an equal extension vector of $P \times \chi_0$, and each of the nonzero components remains unchanged. If this property can be inherited by the SLayer, we can combine these two properties to identify a number of differential characteristics (Fig. 1).
Lemma 1: Let P be the matrix representation of the P-layer in a binary SPN cipher's round function E and S be the S-box. Then, for any $\chi_0 \in \{0,1\}^m$, we can find at least × $\{0,1\}^{mn}$ with any a, b such that $\mathrm{DDT}_S(a, b) > 0$, we construct two differences α and α′ by setting In this case, the difference $\alpha \xrightarrow{SLayer} \alpha'$ is one of the possible differentials of the SLayer. Thus, we conclude that we find Since P is a binary matrix, any nonzero β • equals to b, and θ

Given an input pattern $\chi_0$, we can obtain a sequence of r-round patterns $\chi_i = P \times \chi_{i-1}$, or equivalently, we can obtain the pattern by computing a linear systematic code The core idea is to collect the differential characteristics following such a pattern, i.e., we search for some $\chi_0 \propto \delta_0$ such that for the active S-boxes, empirically, the value of More formally, we introduce the definition below.

Definition 5: Let $\chi_i$ ($0 \le i \le r-1$) be the input pattern of the (i + 1)-th round of a binary SPN cipher, where Accordingly, if the input differences of the active S-boxes remain the same, we may assume that all the output differences of the active S-boxes are equal, and In this case, we may collect at most t r differential characteristics compatible with such given r-round pattern. In any characteristic of such a differential cluster, the differences of all the S-boxes remain the same.

IV. PROBABILITY OF A CONGRUENT DIFFERENTIAL CLUSTER
Next, we examine the probability of our congruent differential cluster. Historically, the probability of a differential characteristic has been used in evaluating the resistance of a cipher against differential cryptanalysis. In [6], Nyberg and Knudsen studied the provable security against differential cryptanalysis for DES-like ciphers, e.g. Serpent [20]. Later, the wide-trail strategy was proposed [8]. According to the wide-trail strategy, the branch number of the linear layer and maximum differential probability of the S-box layer can be used to bound the probability.

The same logic applies to our differential cluster. The following text describes the factors that influence the probability of our differential cluster $\Pr(\delta_0 \overset{E^r}{\rightsquigarrow} \delta_r)$.

Theorem 1: Let P be the matrix representation of the P-layer in an r-round binary SPN cipher $E^r$, and DDT be the difference distribution table of the S-box. Then, the value of $\Pr(\delta_0 \overset{E^r}{\rightsquigarrow} \delta_r)$ equals the $\rho_0 \times \rho_r$-th entry of the matrix $\prod_{i=1}^{r} \mathrm{DDT}^{\langle wt(P^{i-1} \times \chi_0) \rangle}$, where $\chi_0 = \chi(\delta_0)$, $\rho_0$ and $\rho_r$ are the nonzero entries of , respectively.

Proof: By definition, we assume that $\chi(\delta_0) = \chi_0$, and for $1 \le i \le r$, we set $\chi_i = P \times \chi_{i-1}$. By definition, the probability of the differential cluster is .

Next, we prove that DDT <wt (P i−1 ×χ 0 )> ) ρ 0 ,ρ r by performing mathematical induction on round r. For r = 2, we may verify that Assuming that the equation holds for less than the (r − 1)-round, we check the case of the r-round cascade.

According to this theorem, we can promptly calculate the exact probability of the differential cluster for a given binary SPN cipher. The main cost of the computation is the multiplication of r matrices of size $2^n \times 2^n$, where n is the size of the S-box (typically 4 or 8). Thus, the computational complexity of a practical binary SPN cipher is negligible. In addition, the largest entry of the matrix $\prod_{i=1}^{r} \mathrm{DDT}^{\langle wt(P^{i-1} \times \chi_0) \rangle}$ indicates the probability of the best congruent differential cluster.
An interesting question follows: Given an r-round binary SPN cipher $E^r$, can we find a new r-round binary SPN cipher $E'^r$ that keeps the best probability of r-round congruent differential clusters unchanged?

Let $P_1$ and $P_2$ be two distinct $n \times n$ binary diffusion layers. If for any input pattern $\chi_1$ of $P_1$, there exists input pattern $\chi_2$ of $P_2$ such that and the multiple set {wt($\chi_1$), wt(P Then, if we adopt $P_1$ and $P_2$ in two binary SPN ciphers and keep the S-box unchanged, the probabilities of the best r-round congruent differential clusters of these two ciphers are identical.

Empirically, it seems that if we replace the current S-box with a new one, the probability of the best r-round congruent differential clusters of the binary SPN cipher is uncontrollable. However, this probability remains unchanged if we replace the S-box with certain affine equivalent S-boxes.

Definition 6 [21]: Let S′ and S be two n-bit S-boxes. If there exist two affine mappings $A_0$ and $A_1$, such that then S and S′ are termed affine-equivalent (AE).

Within the AE assumption, most of the basic properties of S-boxes, such as the maximum differential probability, linear correlation properties, and algebraic degree, remain invariant. We may verify the properties between $\mathrm{DDT}_S$ and $\mathrm{DDT}_{S'}$ as follows.

Lemma 2: Let $M_0$, $M_1$ be two invertible $n \times n$ matrices. If S and S′ are two AE S-boxes and where $c_0$ and $c_1$ are two constants.

Theorem 2: Let $E^r$ and $E'^r$ be two r-round binary SPN ciphers that employ the unified P-layer. S and S′ are the S-boxes of E and E′, respectively. If $S'(x) := [M \cdot S \cdot M^{-1}(x \oplus c_0)] \oplus c_1$, then the probabilities of the best congruent differential clusters in these two ciphers are equal, where constants $c_0, c_1 \in \{0,1\}^n$ and M denotes an invertible $n \times n$ matrix.

Proof: This argument follows the notation used in Theorem 1. We assume that the best congruent differential Applying Lemma 2, we obtain it follows where $\chi(\delta_0) \propto \alpha_0$ and $\chi(\delta_r) \propto \alpha_r$; and the nonzero components of $\alpha_0$ and $\alpha_r$ are $\mu_0$ and $\mu_r$, respectively. Thus, we conclude that the best r-round congruent differential cluster of E is not greater than that of E′ and vice versa.

Q.E.D.
In the design of the SPN cipher, one of the key concerns regarding the S-box is to maintain the efficiency of the decryption. One possible approach is to employ an involutory core function S (for example, the inverse function of the finite field $S(x) := x^{-1}$) and an affine mapping A. In this case we can construct a new involute S-box by The result of Theorem 2 indicates that such a modification will not change the probability of the congruent differential cluster.
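Theorem 1 and Theorem 2 can be checked numerically on a small instance. The Python code below is an added example, not code from the paper: it uses Midori-64's Sb0 S-box (taken from the public Midori specification) with a constructed 4-cell toy P-layer, and it reads $\mathrm{DDT}^{\langle t \rangle}$ as the entrywise t-th power of the DDT, which is an assumption because that definition is not reproduced above.

```python
from fractions import Fraction
from itertools import product

# Midori-64 S-box Sb0, from the public Midori specification (not listed on this page).
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]

# Constructed toy P-layer (assumption): a 4x4 binary matrix over four 4-bit cells.
P = [[0, 1, 1, 1],
     [1, 0, 1, 1],
     [1, 1, 0, 1],
     [1, 1, 1, 0]]


def ddt(sbox):
    """Normalised DDT: entry [a][b] is Pr(a -> b) as an exact fraction."""
    size = len(sbox)
    counts = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            counts[a][sbox[x] ^ sbox[x ^ a]] += 1
    return [[Fraction(c, size) for c in row] for row in counts]


def round_weights(matrix, chi0, rounds):
    """wt(P^(i-1) x chi_0) for i = 1..r, i.e. active S-boxes per round."""
    weights, chi = [], list(chi0)
    for _ in range(rounds):
        weights.append(sum(chi))
        chi = [sum(m & c for m, c in zip(row, chi)) & 1 for row in matrix]
    return weights


def cluster_matrix(table, weights):
    """Product over the rounds of the entrywise t-th power of the DDT."""
    n = len(table)
    acc = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for t in weights:
        powered = [[v ** t for v in row] for row in table]
        acc = [[sum(acc[i][k] * powered[k][j] for k in range(n))
                for j in range(n)] for i in range(n)]
    return acc


def enumerate_cluster(table, weights, rho0, rho_r):
    """Brute force over every congruent characteristic rho0 -> ... -> rho_r.

    Returns (cluster probability, best single characteristic in the cluster).
    """
    total, best = Fraction(0), Fraction(0)
    for mids in product(range(1, len(table)), repeat=len(weights) - 1):
        path = (rho0, *mids, rho_r)
        p = Fraction(1)
        for a, b, t in zip(path, path[1:], weights):
            p *= table[a][b] ** t
        total += p
        best = max(best, p)
    return total, best


def best_cluster(sbox, weights):
    """Largest entry over nonzero differences: (probability, rho0, rho_r)."""
    mat = cluster_matrix(ddt(sbox), weights)
    n = len(mat)
    return max((mat[a][b], a, b) for a in range(1, n) for b in range(1, n))


def affine_equivalent(sbox, c0, c1):
    """S'(x) = M.S.M^-1(x ^ c0) ^ c1 with M a 1-bit rotation of the nibble."""
    def rot(v):
        return ((v << 1) | (v >> 3)) & 0xF

    def inv(v):
        return ((v >> 1) | (v << 3)) & 0xF

    return [rot(sbox[inv(x ^ c0)]) ^ c1 for x in range(16)]


if __name__ == "__main__":
    from math import log2
    weights = round_weights(P, [1, 0, 0, 0], 4)
    prob, rho0, rho_r = best_cluster(SBOX, weights)
    total, single = enumerate_cluster(ddt(SBOX), weights, rho0, rho_r)
    print("active S-boxes per round:", weights)
    print(f"best cluster {rho0:#x} -> {rho_r:#x}: 2^{log2(prob):.2f}")
    print(f"best single characteristic inside it: 2^{log2(single):.2f}")
    twin = affine_equivalent(SBOX, c0=0x3, c1=0x9)
    print("Theorem 2 holds for S':", best_cluster(twin, weights)[0] == prob)
```

The matrix entry and the brute-force sum agree exactly because both use rational arithmetic; the gap between the cluster and its best single characteristic is the clustering gain the section describes.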

V. EXTENSION OF THE CONGRUENT DIFFERENTIAL CLUSTER TO BINARY AES-LIKE CIPHER
Given any pattern $\chi_0 \in \{0,1\}^m \setminus \{0\}$ and $\chi_0 \propto \delta_0$ for a binary SPN cipher, we can efficiently calculate the congruent differential cluster $\delta_0 \overset{E^r}{\rightsquigarrow} \delta_r$. Note that the diffusion layer is considered to be a binary matrix without distinction. Therefore, we can harvest more differential characteristics for the cluster if more details of the cipher are considered.

A series of recently proposed block ciphers adopt the AES-like SPN structure, and their diffusion layers satisfy certain typical constructions, i.e., a word-width shuffle followed by several independent copies of a binary P-layer. In this case, we may add more differential characteristics to the congruent differential cluster.

Paralleled binary permutation: Let $C = \mathrm{diag}(M, M, \cdots, M)$ be a diagonal matrix, and M be a binary submatrix over GF($2^n$). Then, C is called a paralleled binary permutation.

Shuffle matrix: Let L be an $m \times m$ binary submatrix over GF($2^n$) and f be a bijection over {0, Then, L is called a shuffle matrix.

Let $A^r$ be an r-round binary SPN cipher. If its diffusion layer consists of a shuffle matrix and paralleled binary permutation, i.e.,

P(x) = C • L(x),
then $A^r$ is an r-round binary AES-like cipher.
Next, we will demonstrate the basic idea of our improvement.For simplicity, in the rest of this section we assume that m is a square number.
In the example above, the nonzero entries of each 4-tuple of γ are identical, and the submatrix M is a 4 × 4 binary matrix. As a consequence, the semicongruent property is inherited by the C-layer.

). Then, the output difference of C can be calculated as and M is a binary matrix, it follows from the discussion in Section III that ), and then, As a result, given an input difference α, if the shuffle matrix L makes the output difference of the SLayer (also the input difference of the C-layer) a semicongruent vector, i.e., $L \cdot SLayer(\alpha) \in G_{L(\chi(\alpha))}$, then we predict that:

1) The semicongruent property will hold for the output difference of a single round.
2) The output pattern of the round function can be obtained by applying the linear layer to the input pattern, which is the same as that of the congruent differential cluster.

Therefore, we only consider the differential characteristics that ensure the input difference of C to be a semicongruent vector in each round; we name such characteristics semicongruent differential characteristics. In particular, the congruent differential characteristics are special cases of semicongruent differential characteristics. So if we are able to add more semicongruent differential characteristics into our congruent differential clusters (Fig. 4: the same color indicates the same difference value or zero difference), the probability of differential cluster could be certainly increased.

Definition 8: Let $\chi_i$ ($0 \le i \le r-1$) be the input pattern of the (i + 1)-th round of a binary AES-like cipher, where We use SC to denote the set of all the differential characteristics of the semicongruent differential cluster, i.e.,

Then we have
so we can calculate the probability of the semicongruent differential cluster round by round. We introduce Algorithm 1 to calculate the probability of the semicongruent differential cluster for given input and output differences. Let $\delta^i$ ($0 \le i \le r-1$) be the input differences of the (i + 1)-th round and $\sigma^i$ ($0 \le i \le r-1$) be the input differences of paralleled binary permutation in the (i + 1)-th round. Let $\chi_i$ ($0 \le i \le r-1$) be the input pattern of the (i + 1)-th round. For a semicongruent differential cluster, we have $\chi_i = P(\chi_{i-1})$ and $\sigma^i \in G_{L(\chi_i)}$. To calculate the probabilities of the semicongruent differential clusters $\delta^0 \overset{A^{i+1}}{\Rrightarrow} \delta^{i+1}$, we traverse $\delta^i$ and sum up the probabilities Pr($\delta^0$ where

Algorithm 1: Calculating the Probability of r-Round Semicongruent Differential Clusters
Input: input difference $\delta^0 = (\delta^0_0, \ldots, \delta^0_{m-1})$, number of encryption rounds r, round function $E = C \cdot L \cdot SLayer$;
Output: $(\delta^r, \Pr_{\delta^r})$;
1 Let $\chi_i$ be the input pattern and $\delta^i = (\delta^i_0, \ldots, \delta^i_{m-1})$ be the input differences of round i + 1. Let $\sigma^i = (\sigma^i_0, \ldots, \sigma^i_{m-1})$ be the input differences of the paralleled binary permutation in the (i + 1)-th round, then $\delta^{i+1} = C(\sigma^i)$. Denote $\Pr_{\delta^i}$ the probabilities of the semicongruent differential clusters We calculate round by round like this until we obtain the probability of $\delta^r$.

From Definition 8, we can deduce that there are theoretically $2^{l_i \times n}$ output differences for the i-th round, where $l_i$ is the number of partitions with active S-boxes and n is the size of the S-box. The calculation of $\Pr(\delta^i \xrightarrow{SLayer} L^{-1}(\sigma^i))$ can be attributed to looking up the DDT $t_i$ times, where $t_i$ is the number of active S-boxes in the i-th round. Thus, the computational complexity of the i-th round is theoretically $t_i \times 2^{l_{i-1} \times n} \times 2^{l_i \times n}$ DDT look-ups. In the programming implementation, we do not simply traverse each $(\delta^i, \sigma^i)$ and then calculate $\Pr(\delta^i \xrightarrow{SLayer} L^{-1}(\sigma^i))$ by looking up the DDT $t_i$ times. We introduce Algorithm 2 to improve the efficiency. Firstly, only the $\delta^i$ with nonzero probabilities will be recorded. It means that the input differences of active S-boxes in the (i + 1)-th round may not take all the $2^n$ values. Then we iterate through the input differences of the active S-boxes one by one. For example, assume there are two active S-boxes S1 and S2 in the current partition, and their input differences are a and b, respectively. To meet the conditions of semicongruent vectors, the input differences a and b must have the same output differences after the S-box. If the current input differences a and b cannot lead to a same output difference c, then we do not consider other active S-boxes and can abandon a series of $\delta^i$. An array is needed to record the output differences and their probabilities of the current round. For the i-th round, the array has at most $2^{l_i \times n}$ entries, where $l_i$ is the number of partitions with active S-boxes and n is the size of the S-box. Thus, the storage complexity is $O(2^{\max(l_i) \times n})$, where $0 \le i \le r-1$. If there exists i that meets $l_i = \sqrt{m}$, then the storage complexity reaches its maximum value $O(2^{\sqrt{m} \times n})$.

In addition, we can set a probability threshold and retain $\delta^i$ when $\Pr_{\delta^i}$ exceeds this threshold. This can further improve the efficiency.

TABLE II INPUT PATTERNS AND CORRESPONDING NUMBERS OF ACTIVE S-BOXES

A. Decide the Input Patterns and Input Differences
First, we traverse all input patterns $\chi_0$ of Midori, SKINNY, and CRAFT and calculate $\chi_1, \ldots, \chi_{r-1}$ by $P(\chi_0), \ldots, P(\chi_{r-2})$. As mentioned in Section III, wt($\chi_i$) is the number of active S-boxes in round i + 1. We focus on the input patterns that minimize the total number of active S-boxes after encrypting a certain number of rounds. Table II shows the input patterns we choose and the corresponding numbers of active S-boxes.

Next, we choose the input differences for the active S-boxes of the first round. We empirically believe that clusters containing a single characteristic with high probability may have better performance. Therefore, we choose the input differences with the maximum differential transition probabilities for active S-boxes. For example, when 0x2 and 0xa are the input differences of Midori-64's S-box, the probabilities of the possible output differences are the maximum value 0.25. Thus, we choose 0x2 and 0xa to be the input differences for the active S-boxes of the first round. To the best of our knowledge, the probabilities of these three clusters are higher than those of the clusters with the same number of rounds.

In the design report, the total number of active S-boxes for 15-round SKINNY-128 is at least 66. The maximum differential transition probability for SKINNY-128's S-box is $2^{-2}$, so there is no differential characteristic with a probability greater than $2^{-132}$. In our cluster, the total number of active S-boxes is 74, which means the maximum probability of the differential characteristic is $2^{-148}$. However, when considering the cluster effect, we have a gain of about $2^{9.1}$ compared with the current theoretically optimal differential characteristic.

In addition, we apply this method to variants of Midori-64 and SKINNY-64 in [1]. Todo and Sasaki noted the presence of chains of differences $1 \to 2 \to 3 \to \cdots$ over the S-boxes of Midori-64 and SKINNY-64, in which each transition occurs with a high probability of $2^{-2}$. To enhance the resistance of Midori-64 and SKINNY-64 against differential cryptanalysis, Todo and Sasaki designed new S-boxes ensuring that the high-probability chain length is at most 2. Employing the improved S-box, the maximum differential characteristic probability of 6-round Midori-64 decreases from $2^{-60}$ to $2^{-68}$, and the maximum differential characteristic probability of 8-round SKINNY-64 decreases from $2^{-72}$ to $2^{-76}$. Similar to the method reported in [10], Ankele and Kölbl constructed a 6-round differential cluster of Midori-64 using the new S-box with a probability of $2^{-61}$. Using Algorithm 1, we construct semicongruent differential clusters of 6-round Midori-64 and 8-round SKINNY-64 using the new S-box, with probabilities of $2^{-58.58}$ and $2^{-60.74}$, respectively.

Finally, we investigate the probability gap between differential clusters and characteristics. The results are summarized in Table III. A large distance can be observed between the differential characteristics and clusters. If only the number of active S-boxes is used as the criterion for evaluating the resistance of the cipher against differential attacks, we may receive a marginal security bound. Therefore, it is necessary to consider the clustering efficiency for the target block ciphers.

C. Gap Between Our Clusters and Real Differentials
To make our results more convincing, we verified the differential clusters obtained using our method. Due to limitations in computing resources, it is difficult to verify differential clusters with a large number of rounds, so we used the same method to construct some differential clusters with probabilities around $2^{-25}$ for verification.
We constructed a 6-round cluster with a probability of $2^{-24.41}$ for CRAFT-64, a 4-round cluster with a probability of $2^{-23.58}$ for Midori-64 and a 5-round cluster with a probability of $2^{-22.9}$ for SKINNY-64. The details are as follows: we randomly generated 200 keys, and for each key $2^{31}$ random plaintext pairs with the given input difference were encrypted. For each key, a counter recorded the number of ciphertext pairs with the corresponding output difference after encryption. Then we calculated the experimental probability for each cluster according to the average value of the counter. The experimental probabilities are $2^{-23.71}$ for 6-round CRAFT-64's cluster, $2^{-26.13}$ for 4-round Midori-64's cluster and $2^{-21.51}$ for 5-round SKINNY-64's cluster. It can be found that the experimental results are in general agreement with the theory.

VII. DISCUSSION AND CONCLUSION
Although differential cryptanalysis was proposed more than 30 years ago, it still plays an important role in modern cryptanalysis. In recent decades, counting the number of active S-boxes has become the mainstream strategy for evaluating the resistance against such attacks. However, for certain constructions, the use of differential characteristics instead of differentials involves several challenges. Thus, it is of significance to investigate the differential probability for new block cipher design. In particular, an increasing number of cryptographic schemes have been designed based on round-reduced block ciphers, e.g., AEGIS [22], SNOW-V [23], and Rocca [24]. A better understanding of the security of round-reduced block ciphers can provide valuable guidance for future block cipher designers.

TABLE III PROBABILITY GAP BETWEEN DIFFERENTIAL CLUSTERS AND CHARACTERISTICS
This paper proposes a novel technique to estimate the resistance against differential cryptanalysis for binary SPN ciphers by introducing the congruent differential cluster. For a binary AES-like cipher, which is the most popular instance of binary SPN ciphers, we introduce the semicongruent differential cluster and add more characteristics into this cluster. For congruent differential clusters, the probability calculation involves the multiplication of several $2^n \times 2^n$ matrices, where $n$ indicates the size of the S-box. Moreover, we present an efficient algorithm (the source code is available at https://github.com/hahahai123/cluster.git) to calculate the probability of a semicongruent differential cluster. Compared to automatic methods, our approach requires fewer computational resources and often yields results in a shorter period of time. Compared to the theoretical derivation methods, our approach generalizes better with the help of limited computational resources. Our method has provided the optimal results for the target ciphers in some rounds. From both theoretical and experimental viewpoints, our methods are insensitive to the size of the S-boxes and the number of rounds and can thus serve as an efficient tool for estimating the differential security of the target block ciphers.
We believe that congruent and semicongruent clusters can quickly evaluate the resistance to differential cryptanalysis of binary SPN ciphers and binary AES-like ciphers. Thus, it is interesting to extend these two kinds of clusters to SPN ciphers with bit-level linear layers. The difficulty of this extension lies in how to describe the development of patterns for such ciphers. We consider it an open problem for our future research.

APPENDIX A INTRODUCTION TO MIDORI-64
Midori is a family of AES-like ciphers, published at ASIACRYPT 2015 [14]. This cipher has been advertised as where the size of each cell is 4 bits for Midori-64. A 64-bit plaintext P is loaded into the state.
The round function of Midori consists of an S-layer SubCell, P-layers ShuffleCell and MixColumn, and a key-addition layer KeyAdd. Each layer updates the 64-bit state as follows.
SubCell: A 4-bit S-box is applied to every 4-bit cell of State in parallel. The 4-bit S-box of Midori-64 is presented in Table IV.
MixColumn: M is applied to every 32-bit column of the state, i.e., for i = 0, 4, 8, 12 where the binary matrix M is defined as
KeyAdd($RK_i$, State): The round key $RK_i$ is XORed to State.
Clearly, Midori-64 is a binary SPN cipher that operates on a 4-bit word.

APPENDIX B INTRODUCTION TO SKINNY-64
SKINNY is a family of AES-like ciphers, published at CRYPTO 2016 [13]. As a tweakable block cipher, SKINNY has excellent hardware/software implementation performance.
The round function of SKINNY-64 consists of SubCells, AddConstants, AddRoundTweakey, ShiftRows, and MixColumns. We use the following 4 × 4 array named "state" as a data expression. where the size of each cell is 4 bits for SKINNY-64. A 64-bit plaintext P is loaded into the state. Each layer updates the 128-bit state as follows.
SubCell: A 4-bit S-box is applied to every 4-bit cell of the state in parallel. The 4-bit S-box of SKINNY-64 is presented in Table V.
ShiftRows: Each cell of the state is rotated to the right. Specifically, the first, second, third, and fourth cell rows are rotated by 0, 1, 2, and 3 positions to the right, respectively.
MixColumn: Each column of the cipher internal state array is multiplied by the following binary matrix M:

APPENDIX C INTRODUCTION TO CRAFT-64
CRAFT is a family of AES-like ciphers, published at ToSC 2019 [15]. The efficient protection of CRAFT-64 implementations against differential fault analysis (DFA) attacks was one of the main design criteria.
The round function of CRAFT-64 consists of MixColumns, AddConstants, AddRoundTweakey, PermuteNibbles, and SubCells. We use the following 4 × 4 array named "state" as a data expression. where the size of each cell is 4 bits for SKINNY-64. A 64-bit plaintext P is loaded into the state. Each layer updates the 128-bit state as follows.
SubCell: A 4-bit S-box is applied to every 4-bit cell of the state in parallel. The 4-bit S-box of CRAFT-64 is the same as that of Midori-64.

Fig. 1. Differential bypass for one round of a binary SPN.

Fig. 2. Differential behavior of $S$ and $S'$ in a congruent differential cluster.

Fig. 3. Development of the difference and the pattern.

Proposition 1: Let $A$ be the round function of a binary AES-like cipher, i.e., $A = P \circ SLayer = C \circ L \circ SLayer$, and let $\alpha \in \{0, 1\}^{mn}$ be the input difference of $A$. If $L \circ SLayer(\alpha) \in GL(\chi_0)$, then $\chi(A(\alpha)) = P(\chi(\alpha))$, where $SLayer(\alpha)$ denotes the output difference of $\alpha$ bypass the SLayer.
Proof: Since SLayer does not change the development of patterns, $\chi(SLayer(\alpha)) = \chi(\alpha)$. The shuffle matrix $L$ before the $C$ layer can be treated as a word-level permutation. Thus, $\chi(L \times SLayer(\alpha)) = L \times \chi(SLayer(\alpha))$. According to the definition of paralleled binary permutation, the mapping $C$ can be treated as $\sqrt{m}$ binary P-layers $M_{\sqrt{m} \times \sqrt{m}}$ (over $GF(2^n)$) in parallel. Therefore, the input difference of $C$ can be divided into $\sqrt{m}$ independent parts, i.e., $L \times SLayer$

Fig. 4. Differentials compatible with the congruent differential cluster of AES-like construction.

TABLE I SUMMARY OF DIFFERENTIAL DISTINGUISHERS FOR SKINNY, MIDORI AND CRAFT IN THE SINGLE-TWEAK MODEL

TABLE IV S-BOX OF MIDORI-64

one of the first lightweight ciphers optimized in terms of the energy consumed by the circuit per bit in encryption or decryption operations. The round function of Midori-64 consists of the S-layer and P-layer and uses the following 4 × 4 array named "state" as a data expression.

$$\begin{pmatrix} s_0 & s_4 & s_8 & s_{12} \\ s_1 & s_5 & s_9 & s_{13} \\ s_2 & s_6 & s_{10} & s_{14} \\ s_3 & s_7 & s_{11} & s_{15} \end{pmatrix}$$

TABLE V S-BOX OF SKINNY-64

4 × 4 state array:

$$\begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix}$$