MILP-Based Differential Cryptanalysis on Round-Reduced Midori64

Mixed integer linear programming (MILP) model was presented by Sun <italic>et al.</italic> at Asiacrypt 2014 to search for differential characteristics of block ciphers. Based on this model, it is easy to assess block ciphers against differential attack. In this paper, the MILP model is improved to search for differential trails of Midori64 which is a family of lightweight block ciphers provided by Banik <italic>et al.</italic> at Asiacrypt 2015. We find the best 5-round differential characteristics of Midori64 with MILP-based model, and the probabilities are <inline-formula> <tex-math notation="LaTeX">$2^{-52}$ </tex-math></inline-formula> and <inline-formula> <tex-math notation="LaTeX">$2^{-58}$ </tex-math></inline-formula> respectively. Based on these distinguishers, we give key recovery attacks on the 11-round reduced Midori64 with data complexities of <inline-formula> <tex-math notation="LaTeX">$2^{55.6}$ </tex-math></inline-formula> and <inline-formula> <tex-math notation="LaTeX">$2^{61.2}$ </tex-math></inline-formula>, and time complexities of <inline-formula> <tex-math notation="LaTeX">$2^{109.35}$ </tex-math></inline-formula> and <inline-formula> <tex-math notation="LaTeX">$2^{100.26}$ </tex-math></inline-formula>.


I. INTRODUCTION
In recent years, a great deal of lightweight block ciphers are widely used in Internet of things and wireless communication because of their uncomplicated structures and efficient execution in low-power and constrained environment. Many lightweight block ciphers have emerged, such as Midori [1], GIFT [3], LED [5], PRESENT [4], PRINCE [6] and SPECK [7].
Differential cryptanalysis is one of the principal attack methods on modern symmetric-key ciphers, which evaluates a chosen-plaintext(ciphertext) attack and studies the effect of a pair of plaintext(ciphertext) differences on the output differences of the subsequent rounds. MILP is a central method, used to solve optimal problems in business and economics because it can diminish the workloads significantly by its efficient optimal results. It has been found that many classical cryptanalysis methods, including differential cryptanalysis, impossible differential, related-key differential characteristics and linear attacks can be converted into mathematical optimal problems. Once the cryptanalytical problem is converted to an MILP problem, it can be solved with MILP The associate editor coordinating the review of this manuscript and approving it for publication was Kezhi Wang. solvers such as CPLEX, SAT and SMT. Mouha et al. first introduced the MILP model to count the number of active S-boxes of word-oriented block ciphers in 2011 [8]. In 2013, Sun et al. gave the minimal number of active S-boxes for fullround PRESENT-80 and a 12-round related-key differential characteristics [11]. Further, they presented a novel method based the MILP model to search for the differential trails with the maximal probability, instead of the minimal number of active S-boxes [12]. Meanwhile, they improved this model to automatic search for differential pathes and linear trails [9], whose chief idea is to obtain a number of linear inequalities through the H-Representation of the convex hull of all differential patterns of S-box at ASIACRYPT 2014. Xiang et al. applied a MILP method to search for integral distinguisher [16]. At EUROCRYPT 2017, Sasaki et al. gave a new tool to automatic search for impossible differential trails [10]. Zhu et al. showed a 12-round differential characteristics and proposed a 19-round key-recovery attack for GIFT-64 [17]. Abdelkhalek et al. presented a novel MILP model bit-oriented for 8-bit or larger S-boxes [18]. Their main idea is to divide the difference distribution table (DDT) into several tables on the basis of the probability and control the behavior of these tables through adding conditional constraints. In [19], Canteaut et al. presented an in-depth study into the differential characteristics and introduced the method to attack the block cipher RoadRunneR. The MILP model has been used in cube attacks [25] and [28]. Later, a new MILP model for searching better or even optimal choices of conditional cubes was proposed in [26]. Cui et al. search impossible differentials and zero-correlation linear approximations by a MILP model [27].
Midori [1] is a family of lightweight block ciphers which was presented at Asiacrypt 2015. However, numerous cryptographers have attacked it utilizing different cryptanalysis methods. In 2015, Lin et al. provided a 10/11/12-round attack on Midori64 based on a MITM distinguisher, with data complexity of 2 61.5 /2 53.5 /2 55.5 chosen plaintexts and computational complexity of 2 99.5 /2 122 /2 125.5 [13]. Dong et al. introduced an 11-round related-key differential distinguisher and attacked a 14-round on Midori64 with data complexity of 2 59 and computational complexity of 2 116 [14]. In 2016, Chen et al. presented a 6-round impossible differential distinguisher to attack 10-round of Midori64 [15], with data complexity of 2 62.4 and computational complexity of 2 80.81 . Gerault et al. showed an all round related-key differential attack on Midori64 block cipher with data complexity of 2 23.75 and computational complexity of 2 35.8 [22]. Guo et al. provided an invariant subspace attack on all round Midori64 [23] with 2 32 weak key setting in 2016.

A. OUR CONTRIBUTIONS
In this paper, we generalize an efficient MILP-based model inspired by Sun et al.'s model [9] and mainly concentrate on looking for the longest differential characteristics with the maximal probability. Utilizing this model, the attacker only gives the MILP instance with proper objective function and accurate description of S-box player and linear player by some inequalities. Then the left work can be done by an Optimizer such as CPLEX and Gurobi.
The model is constructed with an exact probability for each possible point in the DDT of S-box for Midori64 to search for the differential characteristics with the maximal differential probability by the optimal inequalities.
We present a 5-round differential characteristics with just two differential cells at the beginning and the maximal probability is no less than 2 −52 . Based on the difference path, we provide an 11-round difference attack on Midori64 with data complexity of 2 55.6 and computational complexity of 2 109.35 . Another 5-round differential characteristics is also shown with just one differential cell at the beginning and the maximal probability is no less than 2 −58 . Based on the difference path, an 11-round difference attack is provided with data complexity of 2 61.2 and computational complexity of 2 100. 26 .
The model focuses on the differential characteristics mainly caused by plaintext differences. Since Midori has the little arrangement of the round key, it is effortless to obtain the related-key differential model through increasing 128 key variables into the model above. A summary of the comparisons of our results with the preceding conclusion on Midori64 is presented in Table 1, where MITM, ID, RKD, IS and NLI represent meet-in-the middle, impossible difference, related-key difference, invariant subspace and non-linear invariant, respectively. We give the feasible and effective single key attack. However the previous invariant subspace attack and nonlinear invariant attack on Midori64 only verify whether the key is one of the weak keys. When the right key is not the weak key, these methods have little advantage. Moreover, the related-key attack is also weak because it supposes that some key bits can be adapted, which might not be easy to operate in the practical attack.

B. ORGANIZATION
This paper is organized as follows. The related work and our contribution are in Section I. The particular description of MILP model and Midori are listed in Section II. Applications to the block cipher Midori64 and the differential characteristics are showed in Section III. An 11-round differential attack on Midori64 is showed in Section IV. Finally, we draw our conclusions and summarize this paper. X r {i, j}: the i-th and j-th cells of the difference in X r . RK r : the r-th round key. ?: any difference in one cell. * , : any non-zero difference in one cell. ⊕: bit-wise exclusive or, that is, XOR.

B. DESCRIPTION OF MIDORI
Midori is a lightweight substitution-permutation network (SPN) block cipher. The major frame is shown VOLUME 8, 2020  in Figure 1. The intermediate state M is as follows: There are two versions namely Midori64 and Midori128 whose state sizes are 64 and 128 bits, the round number of 16 and 20, and the sizes of m i (0 ≤ i ≤ 15) being 4 and 8 bits, correspondingly. Each version has a key of 128 bit.

2) KEY SCHEDULE
The size of the master key (K )is 128 bits for two versions. For Midori64, K is composed of two 64-bit keys K 0 and K 1 ; that is, K = K 0 K 1 . Then, WK = K 0 ⊕ K 1 and RK r = K r mod 2 ⊕ α r , 0 ≤ r ≤ 14. For Midori128, WK = K and RK r = K ⊕β r , 0 ≤ r ≤ 18. α r and β r are the round constants which are discussed at length in [1].
In this paper we mainly study Midori64.

C. MILP MODEL
Mouha et al. [8] first presented the MILP model to calculate the minimal number of active S-boxes for word-oriented block ciphers. Sun et al. [9] constructed the MILP model for bit-oriented block ciphers based on the work of Mouha et al. at Asiacrypt 2014. Definition 1: For each input and output, we consider bit variable u i to denote whether the bit has a difference. Then, the differential vector u = (u 0 , u 1 , · · · , u n−1 ) is as follows: there is a nonzero difference in this bit, 0, otherwise. (1)

1) CONSTRAINTS DESCRIBING THE XOR OPERATION
Assume that the input difference for XOR is (u 1 , u 2 ) and the output difference is v, where u 1 , u 2 and v be a byte. The XOR operation is shown below: where d is a dummy variable. For bit-Oriented Block Ciphers, let the input difference be (u 1 , u 2 ) and the corresponding output difference be v. The XOR operation can be described with the following linear constraints:

2) CONSTRAINTS DESCRIBING THE S-BOX OPERATION
Let (x 0 , x 1 , · · · , x u−1 ) and (y 0 , y 1 , · · · , y v−1 ) denote the input and output differences of a u × v S-box. S denotes whether the S-box is active or not. S = 0 holds if and only if all x i are

3) THE MINIMAL NUMBER OF ACTIVE S-BOXES
The objective function f of the earlier model is min S i , i.e., the minimal number of active S-boxes. For Midori64, the DDT of S-box is seen in TABLE 3, and the numbers of zero points and non-zero points are 159 and 97. The next step is to distinguish these 97 points from the others. With the help of SageMath software, we can obtain 239 inequalities to distinguish these points, whose forms are as below.
Thanks to the SageMath software and the greedy algorithm, there are 26 inequalities left (Equation (6)), as shown at the bottom of the next page.

E. EXPERIMENTAL RESULTS FOR Midori64
The differential trails and probabilities are shown in TABLE 5, FIGURE 2 and FIGURE 3. The MILP

Algorithm 1 The Accurate Difference Probabilities Search Algorithm Based on MILP for Midori64
Require: the round number r, intermediate state variables x i , y i , z i , w i , S-box's distribution probability p j and the non-zero difference of the beginning in only one S-box. Ensure: the maximal probability of the differential trail 1: Establish an empty MILP model MM . 2: Set x, y, z as the input of the SC, SFC and MC layer, and y, z, w as the output of the SC, SFC and MC layer. 3: p denotes the probability of the DDT. 4: Update MM according to the differential propagation rule of the round function. 5: Set the objective function: min (2 · p 0 + 3 · p 1 ). 6: According to the conditional inequality obtained in step 4, solve model MM using the MILP optimizer. 7: A feasible solution is found in MM , and save it to a file. instances are run by the Cplex12.6 optimizer on a Lenovo Server(X3850 X6) with 64 GB RAM. A 5-round Midori64 model includes 1424 bit variables and 4640 conditional inequalities.
The model focuses on the differential characteristics mainly brought by plaintext differences. Since Midori has the little arrangement of the round key, it is effortless to obtain the related-key differential model through increasing 128 key variables into the model above.   Property 3: Consider four cells of SC with two any input differences and two non-zero differences, then we want to get two zero difference after MC operation. We can obtain
Then add 3 rounds in its beginning and at the end respectively to attack 11-round reduced Midori64, shown in Figure 3. The attack procedures are as below.
Thus, the total time complexity is 2 100.26 11-round encryptions.

D. COMPLEXITY ANALYSIS OF ANOTHER DIFFERENTIAL PATH WITH PROBABILITY OF 2 −52
Similarly, add 3 rounds in its beginning and at the end of the differential path with probability of 2 −52 to attack 11-round reduced Midori64. It is easy to get the probability of 2 −56.18 for the top 3 rounds. So we choose n = 55.6. For a random key, there are 2 2×55.6−1−56.18−64 ≈ 2 −10 pairs left. However, for the right key, there are 2 2×55.6−1−56.18−52 ≈ 4 pairs left as the probability of the 5-round differential Path is 2 −52 . So, the data complexity is 2 55.6 chosen plaintexts, and the time complexity is 2 109.35 11-round encryptions, Correspondingly.

V. CONCLUSION
In this paper, the MILP method model is improved to search for differential characteristics by considering the probability of differential propagation. Our results are more precise than that of counting the minimal number of active S-boxes.
(1) The model is constructed with an exact probability for each possible point in the DDT of S-box for Midori64 to search for the differential characteristics with the maximal differential probability by the optimal inequalities.
(2) We present a 5-round differential characteristics with just two differential cells at the beginning and the the maximum probability is no less than 2 −52 . Based on the difference path, we provide an 11-round difference attack on Midori64 with data complexity of 2 55.6 and computational complexity of 2 109.35 . Another 5-round differential characteristics is also shown with just one differential cell at the beginning and the maximum probability is no less than 2 −58 . Based on the difference path, an 11-round difference attack is provided with data complexity of 2 61.2 and computational complexity of 2 100.26 .
(3) The model considers only the differential characteristics caused by plaintext differences. However, the schedule of the round key is little arrangement, and it is easy to obtain the related-key differential model by adding 128 key variables into the above model.