Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

The current paper studies the probability of differential characteristics for an unkeyed (or fixed-key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: the probability under the independent S-box assumption, p_ind, and the exact probability, p_exact. It turns out that p_exact is larger than p_ind in a Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from the interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular, the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against the lightweight block cipher RoadRunneR. For the 128-bit key version, p_ind of 2^-48 is improved to p_exact of 2^-43. For the 80-bit key version, p_ind of 2^-68 is improved to p_exact of 2^-62. The analysis is further extended to an SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: p_ind of 2^-128 is improved to p_exact of 2^-96, which allows the attack to be extended by two rounds.


Introduction
Differential cryptanalysis [BS90, BS93] is one of the most fundamental cryptanalytic approaches targeting symmetric-key primitives. While its basic concept in an idealized environment under several assumptions can easily be understood, predicting the actual behavior of concrete algorithms is quite complex, and a lot of research has been done on this topic.
Most block ciphers are designed to iterate a small keyed permutation, called the round function, with many rounds being performed to build a conversion between the plaintext and ciphertext. The plaintext x_0 is updated by the round function RF_i in the i-th round by computing x_{i+1} ← RF_i(x_i) for i = 0, 1, 2, .... The most common approach for evaluating the effect of differential analysis consists in applying the Markov assumption to the cipher [LMM91] and evaluating the probability of differential propagation for each round. The probability of the differential characteristic over the entire cipher is then equal to the product of the probabilities of the differentials of all rounds.
Given a pair of differences (a_i, a_{i+1}), the corresponding probability p_i = Pr_{x ∈ P}[RF_i(x) ⊕ RF_i(x ⊕ a_i) = a_{i+1}] is searched for each i, where P is the plaintext space, and Π_i p_i is the probability of the characteristic (a_0, a_1, ..., a_r) for the entire r-round cipher.
The hidden argument in the above explanation is the treatment of a key k or subkeys k_i. The Markov assumption can be established when the state x_i is first XORed with a subkey k_i and all subkeys are chosen independently and uniformly at random. Therefore, most analyses are based on bounds on the expected probability of a differential characteristic, i.e., the probability averaged over all keys. However, the implementation environment for symmetric-key primitives does not allow storing all independent subkeys, thus k_i is usually expanded from k, and the Markov assumption collapses. Moreover, subkeys may not be XORed into all state bits in every round, as can be seen in lightweight designs such as Simon [BSS+13], SKINNY [BJK+16] and LED [GPPR11]. Also, some primitives, like hash functions or Even-Mansour schemes [DKS12, EM91, EM97], are based on an iterated permutation which does not involve any key at all. In such a case, the evaluation using the Markov assumption may still give some insight about the security against differential analysis, but never leads to the exact probability of the differential propagation for multiple rounds.
To conclude, evaluating the probability of differential propagations for multiple rounds precisely without the Markov assumption is a big challenge.

Related Work on Precise Evaluation of Differential Probability
Our work then focuses on the evaluation of the probability of a differential characteristic for a primitive with a fixed key, or for a keyless primitive. It is worth noticing that both contexts are similar in the sense that the absence of a key can equivalently be seen as the insertion of an all-zero key. Conversely, a structure with a fixed key is equivalent to an unkeyed one with different building blocks. For instance, using an S-box S with a fixed round-key k is equivalent to using the keyed map x → S_k(x) as an S-box without any key. Let E be a block cipher with a fixed key and let ∆P and ∆C be the plaintext and ciphertext differences, respectively. Suppose that the goal is to precisely evaluate the probability Pr[E(x) ⊕ E(x ⊕ ∆P) = ∆C], where the probability is taken over all plaintexts x. Besides the issue of subkeys for multiple rounds, there are several aspects to consider in order to precisely evaluate this probability.
The first issue we would like to mention is the contrast between differential characteristics and the differential effect. A differential characteristic specifies not only (∆P, ∆C) but also the differences in intermediate states, often the initial difference in each round; its probability is obtained by evaluating the probability of each section and multiplying all the probabilities. On the contrary, the differential effect sums up the probabilities of all possible differential characteristics, thus giving a more precise probability. A lot of research has been done to evaluate the exact maximum expected differential probability (and the maximum expected linear potential), in particular for AES, e.g. [HLL+00, KMT01, PSC+02, PSLL03, DR06, KS07, CR15], and for Feistel or MISTY networks, e.g. [NK92, Mat96]. Those works differ from the current paper in that all state bits are XORed with subkeys which are assumed to be chosen independently and uniformly at random.
On the contrary, our work focuses on determining the exact probability of a differential characteristic when the key is fixed. This fixed-key probability has been determined in very few cases only. The most prominent example is the AES, for which the probabilities of 2-round characteristics have been determined for all possible values of the key [DR07].
Alternative approaches can be used when such a theoretical analysis is out of reach. One approach is carrying out an experiment which exhaustively chooses plaintexts x ∈ P and actually computes E_K(x) ⊕ E_K(x ⊕ ∆P). The experiment is then iterated for several keys (see e.g. [BG10]). The experiment can include any complex event; however, the lack of theoretical analysis limits its versatility to be applied to other ciphers. Of course, the approach can only be applied to ciphers with small block sizes, often 32-bit block sizes, such as Simon and KATAN [DDGS15, CDK09]. Another approach, introduced in [BBL13], consists in computing the maximal expected probability of a characteristic and deriving a bound on the probability of the existence of characteristics whose fixed-key probability exceeds a given value. This result can be used by designers to guarantee that characteristics with high probability are very unlikely. However, this bound exhibits a large gap between the fixed-key and the expected probabilities (see Table 1 in [BBL13]). It is then of little use to the cryptanalyst who needs to estimate the exact probability of some characteristic for a given key.

Our Contributions
In this paper, we evaluate the exact probabilities of differential characteristics in some unkeyed constructions. In particular, we provide an in-depth study of the probabilities of differential characteristics over three rounds of an unkeyed Feistel network. Most notably, when the inner function follows an SPN construction with an S-box having differential uniformity 4, the exact probability of a 3-round characteristic is either zero or a value which is greater than or equal to the usual estimate under the independent S-box assumption, p_ind. A more thorough analysis is then provided when the inner function consists of a single n-bit S-box with differential uniformity 4. We show that, in this case, the exact probability of any 3-round characteristic with only active S-boxes is either zero, or exceeds p_ind by a factor of 2^ℓ where ℓ ≥ max(0, n − 6).
The above analysis is then applied to the lightweight 64-bit block cipher RoadRunneR [BS15]. It adopts a Feistel construction and its inner function starts and ends with the S-box application without applying any subkey, therefore the above generic analysis can be applied. Although no security is claimed against related-key attacks, the designers mentioned related-key differential characteristics with 24 active S-boxes on the full (12) rounds of RoadRunneR-128, whose probability is expected to be 2^{-2·24} = 2^-48. The designers also speculated that the number of active S-boxes could be reduced further with more careful analysis. In this paper, we first concretize the related-key characteristic with 24 active S-boxes and show that the exact probability is higher than the original expectation. The comparison of the two probabilities is shown in Table 1. The attack is implemented up to 8 rounds and the improvement factor is verified. We prove that the minimum number of active S-boxes is 24 by using a SAT solver, thus our characteristic is fairly tight. Finding related-key differential characteristics is much harder in RoadRunneR-80 due to its key schedule. We propose an 8-round characteristic with p_ind = 2^-68, which is unlikely to be satisfied even with a full codebook, but the improvement with p_exact increases it to 2^-62.
We then extend the application of our observations to SPN-based structures with almost-MDS binary matrices. In particular, we analyze p_exact of the differential characteristic in the authenticated encryption scheme Minalpher [STA+14], which offers 128-bit security. The previous differential characteristic reaches 2^-128 for 6 (out of 17.5) rounds. We show that for this characteristic a refined estimate of the exact probability is 2^-96. This significant increase enables us to extend the attack by two rounds. The comparison of the probabilities is given in Table 1.

Paper Outline
The paper is organized as follows. Section 2 provides a theoretical analysis of p_exact for the 3-round Feistel structure. Section 3 applies the observation to RoadRunneR with a 128-bit key. Section 4 extends the application to an SPN with almost-MDS matrices in Minalpher.

Probabilities of 3-Round Characteristics in some Keyless Feistel Networks
In this section, we evaluate the exact probability of a differential characteristic over three rounds of an unkeyed Feistel network whose inner function is seen as a single S-box application. We then want to determine the probability over all possible inputs (x_0, x_1) of the three-round characteristic depicted in Figure 1, where the difference at the output of the i-th S-box is defined as b_i = a_{i+1} ⊕ a_{i-1}. It is worth noticing that the differential probabilities for an unkeyed 3-round Feistel have been previously investigated in order to determine the smallest differential uniformity we can get for an S-box which follows this construction [LW14, CDL15]. However, these papers focus on the maximum possible probability for a 3-round differential characteristic, while we want to obtain a formula which captures any given characteristic. Using that x_3 = S(x_2) ⊕ x_1, we get that the probability of the three-round characteristic defined by (a_0, ..., a_4) is equal to the following probability: We will show that this probability may differ from the usual estimate obtained when assuming that the inputs of the three S-boxes are independent, i.e. from The difference between the two probabilities mainly comes from some dependencies due to the fact that the input of the S-box in the third round is the sum of two elements, x_1 and S(x_2), where x_1 and x_2 respectively conform to the S-box differentials (a_1, b_1) and (a_2, b_2). Also, we show that the size of the S-box and, for a given size, the choice of the S-box may affect the factor between the exact probability and the usual estimate.
More precisely, we first show that, in many cases, including when S has an SPN structure based on an S-box with differential uniformity at most 4, the factor λ between these two probabilities is either zero or a power of 2 whose exponent corresponds to the dimension of a well-defined linear space. Most notably, if S corresponds to a single S-box with differential uniformity at most 4, then p_exact = λ p_ind with λ ∈ {0} ∪ {2^ℓ : max(0, n − 6) ≤ ℓ ≤ n − 2}, unless one of the three S-boxes in the differential path is inactive, which corresponds to p_exact = p_ind.

General result
The technique used in the proof is similar to the one used by Daemen and Rijmen for computing the fixed-key probabilities of the differentials over two rounds of the AES [DR07].
It mainly relies on the algebraic structure of the sets of inputs (resp. of outputs) of the S-box conforming to a given differential.These sets are defined as follows.
Definition 1. Let S be an n-bit to n-bit S-box. For any pair (a, b) of differences, we use the following notation: and
Remark 1. In the following, we will use some relationships between the sets X_S(a, b) and Then, we have
Now, we focus on the following data transformation depicted in Figure 2: ) are affine subspaces, we get the following result.
Then, the multiset

denotes the linear space formed by all elements of the form v
Proof. We first observe that we do not need to restrict ourselves to the situation where the input differences of all S-boxes are nonzero. Indeed, if the input difference of one S-box is zero (i.e. a_1 = 0 or a_2 = 0 or a_1 = b_2), either the corresponding output difference is nonzero, which implies that p_exact = 0 and the multiset we consider is empty, or the corresponding output difference is zero, and the associated set (i.e. satisfies the hypothesis since it equals the whole space F_2^n. Let us now define the following set (without multiplicity) We want to determine the size of the set Clearly, this set corresponds to the intersection between Z and X_S(a_1 ⊕ b_2, b_3), which are both affine subspaces of F_2^n. Since the intersection between two affine subspaces is either empty or a coset of the intersection between the corresponding linear subspaces, we deduce that, if S ≠ ∅, then there exists some s such that Recall that, for any two linear subspaces U and V, (1) Since each element in Z and then in S corresponds to 2^r pairs (
Remark 2. For the sake of simplicity, the previous theorem considers a 3-round Feistel network with the same keyless S-box. However, since the result only relies on the structure of the three sets X_S(a_1, b_1), Y_S(a_2, b_2) and X_S(a_1 ⊕ b_2, b_3), it clearly appears that Theorem 1 also holds for a Feistel network with three different S-boxes, S_1, S_2 and S_3, as soon as
As a direct consequence of Theorem 1, we get the following corollary.
Corollary 1. Let S be a permutation of F_2^n, and let
Proof. Let us focus on the case where p_exact ≠ 0. We deduce from Theorem 1 that , its dimension does not exceed n. On the other hand, when p_ind ≠ 0, V_1 (resp. V_2) contains at least two elements, 0 and a_1 (resp. 0 and b_2). It follows that, if a_1 ≠ b_2, then V_1 + V_2 contains the linear space spanned by This lower bound also holds when a_1 = b_2 since this corresponds to
The hypothesis required for applying this result, i.e., the fact that the three sets
An interesting observation deduced from the previous corollary is that, in all the previously mentioned situations, if the exact probability of a 3-round differential characteristic is non-zero, then it is greater than or equal to the usual estimate p_ind.

When S is differentially 4-uniform
There is a specific case where the factor λ between the two probabilities can be easily lower-bounded: when S itself is a function with differential uniformity at most 4.
• if the three S-boxes are active, i.e. a_1 ≠ 0, a_2 ≠ 0 and a_1 ≠ b_2, then either
Moreover, if all three differentials (a_1, b_1), (a_2, b_2), and
Proof. We know from Corollary 1 that p_exact = 0 or , its dimension does not exceed n and is also smaller than the sum of the dimensions of the three subspaces. Since the S-box has differential uniformity at most 4, all V_i have dimension at most 2 unless the corresponding S-box is inactive, which is equivalent to
• Let us first assume that the input difference of one of the S-boxes is zero. If the corresponding output difference is nonzero, the transition is not valid. In this case, we have p_exact = p_ind = 0. If the corresponding output is zero, i.e. if the S-box is inactive, the associated linear space V_i equals the whole space. It follows that
• Let us now assume that all the three S-boxes are active. Then, dim Moreover, when all three subspaces V_1, V_2, and V_3 have dimension 1, then It follows that, in this case, In other words,
Most notably, when n > 6, if the differential path contains three active S-boxes, then its exact probability can never be equal to the product of the probabilities of the three constituent transitions.
Proposition 1. Let S be a permutation of F_2^n with differential uniformity exactly 4. If there exist nonzero differences such that p_exact = 2^{-2n+4}, then there exist x and y in F_2^n such that the second-order derivatives of S and S^{-1} satisfy where It is worth noticing that, if S is an involution, then there always exists a pair (a_1, b_2) such that Condition (2) holds for some x and y in F_2^n.
Proof. By hypothesis, all the three S-boxes are active. Then, p_ind ≤ 2^{-3n+6} and we know from Theorem 2 that λ ≤ 2^{n-2}. It follows that ) and all the three involved differentials have probability 2^{-(n-2)}. Since the differential (a_1, b_1) has probability 2^{-(n-2)}, there exists We now use the fact that, for any permutation S, Y_S(a, b) = X_{S^{-1}}(b, a) (see Remark 1). From the same arguments as for v_1, we deduce that It is well-known that there is no pair of nonzero distinct elements (a, b) such that D_a D_b S takes the value 0 if and only if S is APN (i.e., its differential uniformity equals 2) [Nyb94]. In our case, S is not APN, implying that such a pair (a, b) exists. When S is an involution, it also satisfies D_a D_b S^{-1}(y) = 0 for some y.
Example 2 (RoadRunneR S-box). It is easy to check that, for the RoadRunneR [BS15] S-box, there is no pair of nonzero distinct elements (a_1, b_2) such that both D_{a_1} D_{b_2} S and D_{a_1} D_{b_2} S^{-1} vanish at some points. We then deduce that any differential path with three active S-boxes satisfies p_exact ≤ 2^-5. By examining all second-order derivatives of this S-box which take the value 0, we have searched for all (a_1, b_1, a_2, b_2, b_3) such that all three differentials have probability 2^-2 and lead to a differential path with overall probability 2^-5. We have found 136 such configurations. One example is . Among these patterns, the only one which satisfies a_2 = a_1 ⊕ b_2 and such that the differentials (a_1, b_2) and (a_1, b_3) also have probability 2^-2 is the one we will use in the next section: and the configuration obtained by inverting the roles of a_1 and a_2.

Example 3 (Klein S-box). The Klein [GNL11] S-box is an involution over F_2^4. Then, there exist some pairs of nonzero distinct elements (a_1, b_2) such that both D_{a_1} D_{b_2} S and D_{a_1} D_{b_2} S^{-1} vanish at some points. For instance, a_1 = 0x1 and b_2 = 0x2 satisfy this property. For this S-box, the differential path defined by , and b_3 = 0xe has overall probability 2^-4. In other words, any pair of elements (x_1, x_2) satisfying the first two differentials also leads to some (S(x_2) ⊕ x_1) which satisfies the third one.
All previous results hold in the keyless setting, but are still valid when the three S-boxes are distinct permutations with differential uniformity 4. This enables us to cover the fixed-key scenario, since using S with a fixed round-key k is equivalent to using the keyed map x → S_k(x) as an S-box without any key. For instance, in the fixed-key scenario, Theorem 2 states that a differential path with three active S-boxes satisfies p_exact = λ p_ind with λ ∈ {0} ∪ {2^ℓ : max(0, n − 6) ≤ ℓ ≤ n − 2}. However, for a given differential path, the value of λ may vary with the key. For instance, the same differential path may have probability zero for some round-keys, and probability p_exact > 0 for the other ones.

Description of RoadRunneR
RoadRunneR is a lightweight block cipher recently proposed by Baysal and Sahin [BS15]. It has a Feistel network structure with a 64-bit block size and it supports both 80- and 128-bit keys. In the 80-bit version, the number of rounds is 10, whereas in the 128-bit version the number of rounds is 12. Whitening keys (WK_0 and WK_1) are applied to the left half of the block in the first and last round. The general structure of RoadRunneR is depicted in Figure 3.
Round Function. RoadRunneR's round function, named F, takes as input a 32-bit block L_i, a 96-bit subkey K_i, and a 32-bit constant C_i. The constant C_i for round i is the 32-bit value N_r − i, where N_r is the total number of rounds of the cipher as defined above.
The round function in RoadRunneR consists of three subsequent applications of SLK, which is composed of a substitution layer followed by a linear layer and a key addition layer. After three SLK layers, a single substitution layer (S) is performed. Between the second and third SLK layers, the constant C_i is added (cf. Figure 3).

Key Schedule.
The key expansion of the 128-bit RoadRunneR version splits the key into four 32-bit words. The round keys are permutations of these words. Similarly, in the 80-bit version the key is split into five 16-bit words, and the key schedule is a permutation of six words. Table 2 lists the exact permutations for the round and whitening keys.

Substitution Layer. The substitution layer S consists of a parallel composition of the 4 × 4-bit S-box of
This construction is known to be invertible in general for distinct rotation offsets [Riv11], and the designers of RoadRunneR argue that this particular set of rotation offsets has good diffusion properties.

Security Analysis by the Designers
The designers claim no security in the related-key setting, due to the fact that the key schedule uses the master key without any change between rounds. The designers in fact mention in the paper that each F can be passed with only two active S-boxes in a related-key attack, with a total of 24 active S-boxes, and that this total number may be further reduced in a more detailed analysis. We stress that no information about concrete characteristics, such as plaintext and subkey differences, is provided.
In the single-key setting, the designers show that the minimum number of active S-boxes in an active F is 10, along with concrete propagation patterns. The authors experimentally checked that the probability of characteristics and differentials is correct. In their experiments, they report that the differential probability does not significantly increase from the theoretically calculated characteristic probability. Based on this experiment, the authors assume that each active S-box multiplies the probability by 2^-2 and an active F has approximately a probability of 2^-20.

Applications of our Observations
By comparing Figure 1 and Figure 3, it is easy to see that the analysis in Section 2 can directly be applied to RoadRunneR when the number of rounds is more than two. We emphasize that the observations can be applied both in the single-key and related-key settings. We also notice that the observation does not contradict the experiments by the designers that verified the probability of differentials within one round. What we are showing is that, even before calculating the effect of collecting multiple differences, the actual probability of characteristics p_exact is higher than the theoretically calculated one, p_ind, under the independent S-box assumption when the number of rounds is more than two.

Table 2: Round Number, Key schedule (only the column headers of this table are present).

Table 3: The RoadRunneR S-box.
x    | 0 1 2 3 4 5 6 7 8 9 A B C D E F
S(x) | 0 8 6 D 5 F 7 C 4 E 2 3 9 1 B A
In the following sections, we demonstrate the power of our observations with applications to concrete attacks.

Attack on RoadRunneR-128
First, we concretize the characteristic having only two active S-boxes per round mentioned by the designers. Suppose that a 128-bit master key K is denoted by four 32-bit values and the differences of those values are denoted by ∆_0, ∆_1, ∆_2 and ∆_3. By following the key schedule described in Table 2, the difference of the initial whitening key is ∆WK_0 = ∆_0. Then, the subkey differences are (∆_1, ∆_2, ∆_3) for the first round, (∆_0, ∆_1, ∆_2) for the second round, (∆_3, ∆_0, ∆_1) for the third round, and so on. Four rounds with those subkey differences are illustrated in Figure 4.
We then choose ∆_0, ∆_1, ∆_2 and ∆_3. There are four S-layers in each round. Our strategy consists in canceling the difference from ∆_1 with ∆_2 after the S-layer, which makes the next S-layer inactive, and then canceling the difference from ∆_3 with ∆_0 after the S-layer, which makes the next S-layer inactive. By iterating this, inactive S-layers and active S-layers appear alternately, and we only have 2 active S-boxes per round.
As a result of our analysis, we construct a 4-round iterative characteristic by satisfying the following four conditions.
where δ_1 is a group of 4 bits in the 32-bit difference ∆_1 such that the 4 bits gather into a single active S-box after the bit-permutation around the S-layer. δ_3 can be defined similarly.
The difference γ_0 (resp. γ_2) corresponds to the nibble of L^{-1}(∆_0) (resp. of where L denotes the whole linear layer. For example, when the active S-box position is fixed to the top in Figure 3, δ_1 = 0xf corresponds to ∆_1 = 0x01010101. We note that by setting ∆_0 = ∆_2 = L(∆_1 ⊕ ∆_3), the first two conditions can always be satisfied when the last two conditions are satisfied. The characteristic is iterative after 4 rounds including subkey differences, and can easily be extended to 12 rounds.
It is important to notice that this probability is evaluated in the keyless scenario studied in the previous section, because it is not affected by the values of the round-keys. Indeed, the round-key is inserted after applying the S-box and then does not affect X_S(0xc, 0x1) and X_S(0xd, 0x1). Moreover, the S-box involved in Y_S(0xc, 0x1) corresponds to the last S-box layer in the third round and is independent from the key. It follows that, in this situation, p_exact takes the same value for any fixed key.
Experiments. First of all, we verified with the SAT-solver based tool [MP13] that 24 active S-boxes in 12 rounds is minimal. Contrary to the expectation of the designers, the number of active S-boxes cannot be further reduced.
We then implemented the attack up to 8 rounds.We refer back to Table 1 for the results, which clearly indicates the gap between p ind and p exact in rounds 4, 6 and 8.

Attack on RoadRunneR-80
In this part, we present an 8-round attack against RoadRunneR-80. Differently from RoadRunneR-128, the key is divided into 16-bit values (A, B, C, D, E) and each of them can be either the top half or the bottom half of a 32-bit subkey. Hence, constructing systematic subkeys is harder than in RoadRunneR-128.
By applying the bit-permutation around S, a group of 4 bits for a single S-box will move to symmetric positions in the 32-bit state.To exploit this fact, we set ∆A = ∆B = ∆C = ∆D = ∆E to make all 32-bit subkey differences identical and symmetric.
We set the subkey difference to the XOR of two differences ∆_X and ∆_Z. ∆_X plays the role of the input difference to the subsequent S-layer, and ∆_Z cancels the difference from the previous S-layer. Namely, in every S-layer, cancellation and injection of differences are performed. The characteristic is illustrated in Figure 5, which is iterative after four rounds.
We then choose ∆_X and ∆_Z, where ∆_Z = L(∆_Y). We define δ_X, δ_Y similarly to the previous section, namely as the 4-bit difference in the 32-bit variable corresponding to an active S-box. Because the subkey difference is symmetric, ∆_X and ∆_Y must be symmetric, which further limits δ_X, δ_Y to be symmetric (and non-zero). Therefore, δ_X, δ_Y ∈ {5, a, f}. According to the characteristic in Figure 5, we have the following two conditions: From the DDT, there is only one choice, δ_X = 5 (∆_X = 0x00010001) and δ_Y = a, which satisfies Conditions (8) and (9) with probability 2^-2 and 2^-3, respectively.
Evaluation of p_ind and p_exact. We first evaluate p_ind. In every two rounds, there are seven active S-boxes with probability 2^-2 and one active S-box with probability 2^-3. Thus p_ind is 2^-17 for every 2 rounds and 2^-68 for 8 rounds, which is unlikely to be satisfied with the 2^64 plaintexts of the full codebook. The mechanism by which the advantage of p_exact arises is the same as in the attack against RoadRunneR-128, but we now have an active S-box at the beginning of the inner function in every round. Therefore, from the third round on, p_exact is higher than p_ind by a factor of 2, which improves the probability of 8 rounds to 2^{-8-9-8-7-7-8-8-7} = 2^-62. In more detail, p_exact of the first S-layer in the rounds with p_ind = 2^-8 and p_ind = 2^-9 are Pr_{x ∈ X_S(0xf,0xa), y ∈ Y_S(0x5,0xa)} and Pr Given that X_S(0x5, 0xa) = {0x2, 0x3, 0x6, 0x7}, Y_S(0x5, 0xa) = {0x6, 0x7, 0xc, 0xd} and X_S(0xf, 0xa) = {0x0, 0xf}, p_exact in Eq. (11) is 2^-1 instead of 2^-2 and p_exact in Eq. (12) is 2^-2 instead of 2^-3.
These results are summarized in Table 1.
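The following Python script is an added worked example, not code from the paper, that recomputes the quantities used in Sections 2 and 3 from the RoadRunneR S-box of Table 3: the sets X_S(a, b) and Y_S(a, b) of Definition 1, the usual estimate p_ind, the exact probability p_exact of a 3-round Feistel characteristic (a_1, b_1, a_2, b_2, b_3) whose third-round input is x_1 ⊕ S(x_2), the factor λ = p_exact / p_ind of Theorem 2, and the search of Example 2 (which reports 136 configurations at 2^-5; the search function returns them grouped by p_exact so the reader can recount). The two RoadRunneR-80 S-layer transitions above are read as the paths (0xf, 0xa, 0x5, 0xa, 0xa) and (0x5, 0xa, 0x5, 0xa, 0xa), and the three sets named in the RoadRunneR-128 discussion as the path (0xc, 0x1, 0xc, 0x1, 0x1); these readings, like all function names, are my assumptions.

```python
from fractions import Fraction
from itertools import product

# RoadRunneR 4-bit S-box, transcribed from Table 3 (index = x, value = S(x)).
SBOX = [0x0, 0x8, 0x6, 0xD, 0x5, 0xF, 0x7, 0xC, 0x4, 0xE, 0x2, 0x3, 0x9, 0x1, 0xB, 0xA]


def ddt(sbox):
    """Difference distribution table: t[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    size = len(sbox)
    t = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t


def differential_uniformity(sbox):
    """Largest DDT entry over the nonzero input differences."""
    return max(max(row) for row in ddt(sbox)[1:])


def x_set(sbox, a, b):
    """X_S(a, b): inputs x conforming to the differential (a, b) (Definition 1)."""
    return {x for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ a] == b}


def y_set(sbox, a, b):
    """Y_S(a, b): outputs S(x) for x in X_S(a, b)."""
    return {sbox[x] for x in x_set(sbox, a, b)}


def p_ind(sbox, a1, b1, a2, b2, b3):
    """Independent-S-box estimate: product of the three transition probabilities.
    The third S-box of the 3-round Feistel has input difference a1 ^ b2 (Figure 1)."""
    size, t = len(sbox), ddt(sbox)
    return (Fraction(t[a1][b1], size) * Fraction(t[a2][b2], size)
            * Fraction(t[a1 ^ b2][b3], size))


def p_exact(sbox, a1, b1, a2, b2, b3):
    """Exact probability over all (x1, x2): x1 and x2 must conform to the first
    two differentials and the third-round input x3 = x1 ^ S(x2) to the third."""
    size = len(sbox)
    x1s, x2s = x_set(sbox, a1, b1), x_set(sbox, a2, b2)
    x3s = x_set(sbox, a1 ^ b2, b3)
    hits = sum(1 for x1 in x1s for x2 in x2s if (x1 ^ sbox[x2]) in x3s)
    return Fraction(hits, size * size)


def lam(sbox, a1, b1, a2, b2, b3):
    """Factor lambda = p_exact / p_ind (Theorem 2: zero or a power of two)."""
    pi = p_ind(sbox, a1, b1, a2, b2, b3)
    return None if pi == 0 else p_exact(sbox, a1, b1, a2, b2, b3) / pi


def third_round_probability(sbox, a1, b1, a2, b2, b3):
    """Probability, over x in X_S(a1,b1) and y in Y_S(a2,b2), that the third-round
    input x ^ y lies in X_S(a1^b2, b3): the quantity the RoadRunneR-80 evaluation
    compares with the single-S-box transition probability."""
    xs, ys = x_set(sbox, a1, b1), y_set(sbox, a2, b2)
    x3s = x_set(sbox, a1 ^ b2, b3)
    hits = sum(1 for x in xs for y in ys if (x ^ y) in x3s)
    return Fraction(hits, len(xs) * len(ys))


def three_active_paths(sbox):
    """Example 2 search: every (a1,b1,a2,b2,b3) with three active S-boxes whose
    transitions each have probability 2^-2 (DDT entry 4), grouped by p_exact."""
    size, t = len(sbox), ddt(sbox)
    best = [(a, b) for a in range(1, size) for b in range(size) if t[a][b] == 4]
    groups = {}
    for (a1, b1), (a2, b2) in product(best, repeat=2):
        a3 = a1 ^ b2
        if a3 == 0:
            continue  # third S-box would be inactive
        for b3 in range(size):
            if t[a3][b3] == 4:
                pe = p_exact(sbox, a1, b1, a2, b2, b3)
                groups.setdefault(pe, []).append((a1, b1, a2, b2, b3))
    return groups


if __name__ == "__main__":
    for path in [(0xf, 0xa, 0x5, 0xa, 0xa), (0x5, 0xa, 0x5, 0xa, 0xa),
                 (0xc, 0x1, 0xc, 0x1, 0x1)]:
        print(path, "p_ind =", p_ind(SBOX, *path), "p_exact =", p_exact(SBOX, *path),
              "lambda =", lam(SBOX, *path))
    for pe, paths in sorted(three_active_paths(SBOX).items(), reverse=True):
        print("p_exact =", pe, ":", len(paths), "paths with three 2^-2 transitions")
```

For both RoadRunneR-80 paths the script returns p_ind = 2^-7 and p_exact = 2^-6, i.e. λ = 2, matching the factor-of-2 gain claimed per round above; the conditional third-round probabilities are 2^-1 and 2^-2, the values stated for Eqs. (11) and (12). Because the script only uses the S-box table, it transfers to any other 4-bit S-box by replacing SBOX.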

Extension to Almost-MDS Matrix in Minalpher-P
In this section, we show that improving the probability by evaluating p_exact can be extended to an SPN with almost-MDS binary matrices. An example of such matrices is which is actually adopted by Minalpher.

Overview
Let us consider a 1-column state consisting of four cells of n bits each, thus the state size is 4n bits. Suppose that the state is updated by an SPN, in which the S-layer applies an n-bit S-box to all four cells and the P-layer applies the matrix in Eq. (13). With this structure, the number of active cells can be two per round owing to the following property: when two cells have an identical difference, the matrix multiplication does not change the number of active cells or the differential value.
Let us consider the 2-round characteristic shown in Figure 6, which assumes that Pr (2^{-n+2})^3, in which the S-layer can be satisfied only with 2^{-n+2} from the second round. The state of SPN ciphers usually has more columns, thus the improvement by a factor of 2^{-n+2} can be amplified, which makes the improved factor significantly large.

Specification of Minalpher-P
The core part of Minalpher is the Even-Mansour construction in which a 256-bit plaintext is masked by a 256-bit secret value, and then a nibble-wise 256-bit permutation called Minalpher-P is computed.Finally, the output of Minalpher-P is masked by the 256-bit secret value.A 256-bit state is described as two 4 × 8 nibble-matrices denoted by A and B.
Let A_{i-1} and B_{i-1} be the inputs of the round function for round i. The states are updated to A_i and B_i with a round function, which consists of SubNibbles (SN), ShuffleRows (SR), SwapMatrices (SM), XorMatrix (XM) and MixColumns (MC), where
Let us evaluate the probability of the 6-round characteristic. Here we assume that the secret mask of the Even-Mansour construction prevents the attacker from choosing the plaintext or ciphertext so as to deterministically satisfy differential propagations through the S-boxes in the first and the last rounds. The linear part is satisfied with probability 1, thus the probability only comes from the S-boxes, which is 2^-2 per S-box. Because 8 + 16 + 8 + 8 + 16 + 8 = 64 S-boxes are included in the characteristic, the probability is (2^-2)^64 = 2^-128 when all transitions through all S-boxes are assumed to be independent. Considering that the security of Minalpher is claimed up to 128 bits, extending the characteristic by a few more rounds is impossible.

Analysis of Exact Probability
Preliminaries. Recall that for any pair (a, b) of differences, we use the following notation: When S is an involution, as in Minalpher-P, X_S(a, a) is equal to Y_S(a, a) for any a. In particular, when a = 4 in the S-box of Minalpher-P, X_S(4, 4) = Y_S(4, 4) = {9, a, d, e}. This is represented by the affine space ⟨3, 4⟩ + 9, where ⟨x, y⟩ denotes the linear subspace spanned by x and y.
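As an added example (not code from the paper), the snippet below computes the sets X_S(a, b) and Y_S(a, b) for the Minalpher-P S-box, whose table is transcribed from the Minalpher specification rather than taken from this page. It verifies the involution property X_S(a, a) = Y_S(a, a), recovers the representation ⟨3, 4⟩ + 9 of X_S(4, 4), and checks the hypothesis stated later on the page for differentially 4-uniform S-boxes: every X_S(a, b) and Y_S(a, b) is an affine subspace, and for two S-boxes applied in parallel (an assumed 8-bit SPN-style S-box without a linear layer) the solution set is the Cartesian product of the nibble-wise sets.

```python
# Added example (not code from the paper): the sets X_S(a, b) and Y_S(a, b)
# for the Minalpher-P S-box and a check of their affine structure.

# Minalpher-P S-box, transcribed from the Minalpher specification.
SBOX = [0xB, 0x3, 0x4, 0x1, 0x2, 0x8, 0xC, 0xF,
        0x5, 0xD, 0xE, 0x0, 0x6, 0x9, 0xA, 0x7]


def X(a, b):
    """Input values x such that the pair (x, x ^ a) has output difference b."""
    return {x for x in range(16) if SBOX[x] ^ SBOX[x ^ a] == b}


def Y(a, b):
    """Output values S(x) of the inputs in X(a, b)."""
    return {SBOX[x] for x in X(a, b)}


def is_involution():
    return all(SBOX[SBOX[x]] == x for x in range(16))


def differential_uniformity():
    """Largest DDT entry over nonzero input differences."""
    return max(len(X(a, b)) for a in range(1, 16) for b in range(16))


def span(generators):
    """Linear span over GF(2) of a list of 4-bit vectors."""
    s = {0}
    for g in generators:
        s |= {v ^ g for v in s}
    return s


def affine_representation(subset):
    """Return (basis, offset) with subset == span(basis) + offset, or None when
    subset is not an affine subspace. The empty set is treated as affine."""
    if not subset:
        return ([], None)
    offset = min(subset)
    linear = {v ^ offset for v in subset}
    # Translating through one of its points must give a set closed under XOR.
    if any(u ^ v not in linear for u in linear for v in linear):
        return None
    basis = []
    for v in sorted(linear - {0}):
        if v not in span(basis):
            basis.append(v)
    return (basis, offset)


def all_solution_sets_affine():
    """Hypothesis checked for every (a, b): X_S and Y_S are affine subspaces."""
    return all(affine_representation(X(a, b)) is not None
               and affine_representation(Y(a, b)) is not None
               for a in range(1, 16) for b in range(16))


def S8(x):
    """Assumed 8-bit S-box: two copies of SBOX in parallel (SPN-style S-box
    with no linear layer), used only for the Cartesian-product check."""
    return (SBOX[x >> 4] << 4) | SBOX[x & 0xF]


def cartesian_product_holds(a1, b1, a2, b2):
    """X_{S8}((a1, a2), (b1, b2)) == X_sigma(a1, b1) x X_sigma(a2, b2)."""
    a, b = (a1 << 4) | a2, (b1 << 4) | b2
    direct = {x for x in range(256) if S8(x) ^ S8(x ^ a) == b}
    product = {(h << 4) | l for h in X(a1, b1) for l in X(a2, b2)}
    return direct == product


if __name__ == "__main__":
    print("X_S(4,4) =", sorted(X(4, 4)))            # [9, 10, 13, 14]
    print("affine form:", affine_representation(X(4, 4)))  # ([3, 4], 9)
    print("uniformity:", differential_uniformity())  # 4
```

The affine form is what the probability argument relies on: for an input difference a, the second-round S-box input lies in X_S(a, b) exactly when the XOR of the contributions from the previous layer lands in the coset, and a coset is closed under XOR with elements of its linear part.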
Analysis of p_exact. Here, we show that the probability of the 6-round characteristic is actually 2^{-96} instead of 2^{-128}, thus the number of attacked rounds can be extended. We

Experimental Verification. The probability of the first three rounds already reaches 2^{-64}, which is infeasible to verify in our environment. The gap between p_ind and p_exact first appears in state A^{SB}_1 of the SN operation in the second round, which is independent of the propagation in state B^{SB}_1. We thus implement the state update from B^{SB}_0 to A^{SB}_1 with the limitation that the values of active bytes are sampled randomly from Y_S(4, 4).
Extension to 8 Rounds. We append one round at both the beginning and the end of the 6-round iterative characteristic in Figure 8. Remember that the probability of the first round in the 6-round characteristic is 2^{-16}. Due to the iterative structure, and for the same reason, the probability of the last extended round is 2^{-16}. The extended round at the beginning has eight active S-boxes. Because the advantage of p_exact cannot be exploited at the beginning, its probability is (2^{-2})^8 = 2^{-16}.
To conclude, the probability of the 8-round characteristic is 2^{-96-16-16} = 2^{-128}. Considering that the previous 6-round characteristic has the same probability, we improved the previous attack by two rounds.
Note that a path with probability 2^{-128} cannot be a straightforward distinguisher with 2^{128} queries. Here our main focus is improving the previous analysis, and using the path with probability 2^{-128} is the same setting as the designers of Minalpher. Moreover, by combining it with similar paths, the probability may be amplified to be greater than 2^{-128}.

Concluding Remarks
This paper studied the interaction between the differential transitions occurring in multiple rounds of a fixed-key or unkeyed primitive. We showed that assuming independent input values for each S-box does not correspond to the actual situation, and that p_exact can be much larger than p_ind. Our general analysis of the Feistel network showed that the gap between p_exact and p_ind depends on the S-box size and the S-box choice. In addition, a non-zero gap is inevitable when the S-box has differential uniformity 4 and a size larger than six bits (unless one S-box is inactive).
This observation actually impacts the security of practical algorithms. We applied it to the lightweight block cipher RoadRunneR and the authenticated encryption scheme Minalpher. The results showed that with p_exact the number of attacked rounds could be improved compared to the evaluation with p_ind.
Symmetric-key primitives with unkeyed functions or public permutations are becoming more popular due to their lightweight properties and can be seen in many contemporary structures such as the sponge and the Even-Mansour constructions. This paper alerts us that the resistance against differential cryptanalysis needs to be analyzed carefully.
are affine subspaces, is satisfied in many practical cases. Indeed, when an S-box σ has differential uniformity at most 4, i.e., when 4 is the maximal value in the difference distribution table of σ, all sets X_σ(a, b) and Y_σ(a, b) are affine subspaces (see, e.g., Lemma 2 in [DR07]). Therefore, the hypothesis is satisfied when S has an SPN structure based on a smaller differentially 4-uniform S-box σ: in this case, X_S(a, b) (resp. Y_S(a, b)) corresponds to the Cartesian product of sets of the form X_σ(a, b) (resp. Y_σ(a, b)).

Figure 3: Overview of the RoadRunneR block cipher. Left: Feistel network with whitening keys XORed in the first and last round. Top right: the round function F, taking as input a 32-bit word, a 32-bit constant and a 96-bit round key. Bottom right: the core SLK function, which consists of an S-box layer followed by a linear diffusion layer and finally a key addition.

Figure 8: 6-round iterative truncated differential of Minalpher-P. Filled and empty cells denote active and inactive nibbles, respectively. Note that we rotated the original 6-round iterative characteristic by one round to optimize it in our analysis.

Table 1: Improved probability of characteristics for RoadRunneR-128 and Minalpher.

Table 3:
to every 4-bit nibble of the block.
[STA+14]. The rotated version of the above matrix is more popular, and can be seen in several designs, e.g. PRINCE [BCG+12], FIDES [BBK+13], and Midori [BBI+15]. Section 4.1 provides an overview of our observation. Section 4.2 introduces the specification of Minalpher-P. Section 4.3 introduces the previous best differential characteristic evaluated by p_ind. Section 4.4 improves the probability by evaluating p_exact and extends the attack by two rounds.