Unveiling the Neutral Difference and Its Automated Search

the


Introduction
Differential cryptanalysis, proposed by Biham and Shamir [1], is one of the most powerful cryptanalysis techniques nowadays.As cryptanalysis progresses, an intriguing phenomenon related to differentials has captured the attention of researchers.For a differential Δ → Δ 0 , when flipping a single bit or a set of bits simultaneously for an input x, the resulted input x ⊕ r makes the differential Δ → Δ 0 established if and only if x makes it satisfied.In this paper, r is referred to as a neutral difference.Previous literatures [2,3] referred to it as a neutral bit when the Hamming weight of r is 1 and a neutral set otherwise.The neutral difference technique holds significant prominence today, having contributed to the advancement of numerous cryptanalysis records [3][4][5][6][7][8].
However, the search for neutral differences of a differential lacks elegant methods except for exhaustion with experiments based on its definition [3-5, 9, 10].This has led to the difficulty in finding more neutral differences.Therefore, there is an urgent need to develop automatic tools for searching neutral differences.We aim to dedicate ourselves to this problem and related cryptanalysis.The neutral probability of a neutral difference r for a differential Δ → Δ 0 is defined as follows: where # represents the size of the set and S is a substitution.
1.1.Contribution.We establish links between neutral differences and boomerang cryptanalysis, thereby providing a theoretical foundation for the search of neutral differences.
Based on this, we introduce an automatic search method for linearly independent neutral differences.As for applications, we present the neutral spaces for two differentials of SPECK32, which are spanned by all neutral differences with non-zero neutral probabilities.Experimental results confirm the validity of our method.Furthermore, we present improved differential-linear distinguishers for 11-round SPECK32 and 17-round LEA (illustrated in Table 1), as well as the 18-round attacks on LEA192 and LEA256 with the lowest time complexity (outlined in Table 2) up to date.
1.2.Organization.The remainder of this paper is organized as follows: Section 2 introduces the notations and concepts that will be used throughout the paper.Section 3 establishes the links between boomerang cryptanalysis and neutral differences and presents an automatic method for discovering neutral differences.Sections 4 and 5 apply the automatic search method to the SPECK32 and LEA ciphers.Finally, Section 6 concludes this paper.

Notations and Preliminaries
The notations we use in this paper are summarized in Table 3.

Preliminaries
Definition 1 (Differential Probability [1]).The probability of a differential Δ → Δ 0 for function S : F n 2 → F n 2 is defined by the following:   The ith bit of x, written as x i for simplicity.x n−1 (resp.x 0 ) is the most (resp.least) significant bit of x x ⋘ t Rotation of x by t-bit to the left, written as x for simplicity x ⋙ t Rotation of x by t-bit to the right, written as x ! for simplicity

⋅
The inner product of two vectors #X or jXj: The size of a set X Pr½x ¼ 0: Probability that x equals 0 Cor½x: The correlation of x, i.e., Cor½x: x n−1 is the most significant bit of the new binary vector 2 IET Information Security Definition 2 (DDT).Let S be a substitution.The value of differential distribution table (DDT) at ðΔ; Δ 0 Þ: is defined as follows: Definition 3 (NDT).Let S be a substitution.The value of neutral difference table (NDT) at ðΔ; Δ 0 ; rÞ: is defined as follows: Here, r is called a neutral difference throughout this paper.
Definition 4 (Neutral Probability).Let S be a substitution.For a differential of S, denoted by Δ → Δ 0 , r is called a neutral difference for this differential, and the corresponding neutral probability is defined as follows: In general, the higher the neutral probability p becomes, the more useful a neutral difference r is for an attack.Bao et al. [3] have further suggested a way to amplify the neutral probability by introducing conditional neutral differences, which necessitate specific conditions to be met by input pairs.These proposed conditions are evaluated through experiments in [3].
Definition 5 (Plaintext Pair Structure).Denote m linearly independent neutral differences of a differential ðΔ in ; Δ out Þ: by M 1 ; M 2 ; …; M m .Let Ω be the linear subspace spanned by M 1 ; M 2 ; …; M m .Given a plaintext x, we define the plaintext pair structure P x;Ω;Δ in as the set fðx ⊕ y; x ⊕ y ⊕ Δ in Þjy 2 Ωg: .Definition 6 (BCT [17]).Let S be a substitution and S −1 be its inverse.The value of boomerang connectivity table (BCT) at ðΔ; rÞ: is defined as follows: Definition 7 (UBCT/LBCT/EBCT [18]).Let S be a substitution and S −1 be its inverse.The values of three variants of BCT, namely upper BCT, lower BCT, and extended BCT, are defined, respectively, as follows: If the substitution S can be known from the context, the symbol S will be omitted.For example, DDT S will be abbreviated as DDT.

Links to Boomerang Cryptanalysis and the Automated Search for Neutral Differences
In this section, we prove that the NDT is the LBCT in Boomerang cryptanalysis, which provides a foundation for automated search of neutral differences.Furthermore, we introduce an automatic search method for linearly independent neutral differences.

Links between Boomerang Cryptanalysis and Neural
Difference.In this section, we present the links between neutral difference and boomerang cryptanalysis in Theorem 1 and how to calculate the neutral probability of neutral differences through LBCT in Corollary 1.
Theorem 1.Let S be a substitution.There holds IET Information Security Proof.It is obvious that SðxÞ: ⊕ Sðx ⊕ ΔÞ: ¼ Δ 0 if and only if S −1 ðSðxÞ ⊕ Δ 0 Þ: ¼ x ⊕ Δ.If x satisfies that SðxÞ: ⊕ Sðx ⊕ ΔÞ: ¼ Δ 0 , then we have the following: Therefore, there holds NDT S ðΔ; Δ 0 ; rÞ: ¼ LBCT S ðr; Δ; Δ 0 Þ: .□ Theorem 2. Let S be a substitution and S −1 be its inverse.There holds Proof.We have According to Theorem 1, we have NDT S ðΔ; Δ 0 ; rÞ: ¼ UBCT S −1 ðΔ 0 ; Δ; rÞ: .□ Theorem 1 demonstrates that the NDT entries of a substitution S are the entries of LBCT.A similar result connecting the NDT with the UBCT is provided in Theorem 2. For notational simplicity, we shall primarily focus on LBCT in our subsequent theoretical developments.Consequently, one can identify neutral differences with a high neutral probability by concurrently constructing models/programs for LBCT and DDT, as presented in Section 3.2, where an automated method of searching for neutral differences is introduced.
Corollary 1.For a differential Δ → Δ 0 of a substitution S, the neutral probability of a neutral difference r can be calculated as follows: Lemma 1.Let S : F n 2 → F n 2 be a bijection.For a neutral difference r of a differential ðΔ; Δ 0 Þ: with a non-zero probability, if BCT S ðr; Δ 0 Þ: ¼ 2 n or DDT S ðΔ; Δ 0 Þ: ¼ 2 n , then the corresponding neutral probability p is 1.

□
By constraining the input variable x to a small set X instead of x 2 F n 2 , we can increase the neutral probability p.In this case, the neutral difference r is referred to as a conditional neutral difference, which was first proposed in [3].Lemma 2 provides sufficient conditions, under which the neutral probability is 1, by imposing restrictions on the input variable x.Lemma 2. Let S : F n 2 → F n 2 be a bijection.For a non-zero probability differential ðΔ; Δ 0 Þ: , the neutral probability of a conditional neutral difference r, which requires the input of S limited to a set X, will be 1 if BCT S ðr; Δ 0 Þ: ¼ jXj: or DDT S ðΔ; Δ 0 Þ: ¼ jXj: .Proof.The proof process is similar to that of Lemma 1. □ 3.2.Basic Framework for Automated Search of Neutral Differences.In this section, we aim to merge the automated search for differentials and EBCT characteristics in order to effectively find neutral differences with a higher probability for a given differential Δ → Δ 0 .Experimental results in Section 4 confirm the validity of our method, with the predicted neural probabilities being close to the experimental ones.
First, we introduce the notations that will be used in this discussion.Let the cipher S be a composition of S 0 ; S 1 ; …; S l−1 .Throughout this paper, the term "characteristic" refers 4 IET Information Security to a differential/boomerang path, which not only specifies the input and output differences but also specifies the intermediate differences.For clarity, we will use Δ 0 , Δ l , and r 0 to refer to Δ, Δ 0 , and r, respectively.Assuming that the cipher is a Markov cipher and the characteristic with the largest probability for a differential Δ 0 → Δ l determines the differential probability, it is wellknown [19] that: Delaune et al. [18] used Equation ( 16) to estimate LBCT S ðr 0 ; In other words, LBCT characteristics can be approximated by a cluster of EBCT characteristics.According to Definitions 1 and 2, there holds . Based on Equations ( 15) and ( 16), the neutral probability of the neutral difference r 0 for a differential Δ 0 → Δ l can be calculated by the following: Here, Δ 0 → Δ 1 → ⋯ → Δ l refers to the differential characteristic that dominantly determines the probability of the differential Δ 0 → Δ l , and also partially determines the EBCT characteristics.
The objective of the automated search is to identify a set of differences that maximizes the neutral probability, as defined by Equation (17).This neutral probability serves as the objective function for this automated search problem.By leveraging Equation (17), we can integrate the automated search for differential characteristics and extended boomerang characteristics to uncover a neural difference r.The problem of automatically finding differential characteristics Δ 0 → Δ l has been effectively addressed in previous works such as [11,[19][20][21][22][23].Similarly, the automatic search for boomerang characteristics has been successfully tackled in [14,17,18].Since this paper does not focus on facilitating the automatic search for boomerang or differential cryptanalysis, we will omit the specific details related to these methods.
Step 2: Introduce constraints to prevent r 0 from being selected in Ω.This ensures that the newly discovered neutral difference will be linearly independent of α 0 ; α 1 ; …; α m−1 .An efficient approach for achieving this is presented in Section 3.3.
Upon completion of the above process, a new neutral difference for the differential Δ 0 → Δ l , denoted by α m , will be obtained.The neutral probability is estimated through an EBCT trail, and Equation (17) suggests that intermediate differences should be enumerated.Consequently, to obtain a more precise estimation of the neutral probability, one can iterate the aforementioned process to discover additional EBCT trails.In such cases, Step 2 is modified as follows: Step 2: Set r 0 ¼ α m and introduce constraints to exclude the previously found EBCT trails.
We constructed an automatic search model based on the Boolean satisfiability problem (SAT), and the source code of this paper is publicly available at https://github.com/PigInTheSky1234/Unveiling-the-Neutral-Difference-and-Its-A utomated-Search.Remark 1.It is possible to calculate the probability of LBCT by directly connecting a single LBCT trail for one round with a differential trail for the remaining rounds.However, at FSE 2022, Kidmose and Tiessen [24] pointed out a crucial issue with this approach: when calculating boomerang probabilities, directly connecting differential trails may result in trails with a zero probability.To address this, they introduced the concept of 3-difference trails.Notably, a 3-difference trail can be viewed as a manifestation of an EBCT trail.Therefore, to achieve a more precise probability estimation, we use EBCT trails to calculate the probabilities of LBCT trails.
IET Information Security 3.3.The Method of Excluding a Linear Space from F n 2 .As far as we know, in differential-linear/neural cryptanalysis, it is common to use multiple neutral differences simultaneously, which forms a neutral space spanned by these differences.If one wants to exclude all 2 m neutral differences point by point with 2 m constraints to find a neutral difference, the computational burden of the solver would be greatly increased.Next, we will give a solution to this problem with only one constraint.Let m linearly independent neutral differences be α 0 ; α 1 ; …; α m−1 .Denote the neutral space spanned by these neutral differences as Ω and the remaining space as F n 2 =Ω.In this section, we will demonstrate how to identify neutral differences for a given differential Δ 0 → Δ l within F n 2 =Ω using existing solvers.Theorem 3. Let e i ¼ 1 ≪ i and Ω ¼ Spanfe 0 ; e 1 ; …; e m−1 g: .There holds that Proof.The necessary and sufficient condition for 2 be a linear bijection and φðα i Þ: ¼ e i for 0 ≤ i<m.There holds that Proof.Let V ¼ Spanfe 0 ; e 1 ; …; e m−1 g: .Since φ is a linear bijection, it holds that x 2 Ω ⇔ φðxÞ: 2 φðΩÞ: ¼ V.By Theorem 3, this theorem holds.

□
The following is a construction method for the linear bijection φ : Ensuring the matrix B is invertible means that the linear bijection φðxÞ : ¼ B −1 x is obtained, which is easy by the linear algebra techniques.
Once another neutral difference α m is obtaining, the ðm þ 1Þ: -th column of B is replaced by α m .Once again, ensuring the matrix B to be invertible will lead to an updated linear bijection φðxÞ: ¼ B −1 x.The number of constraints excluding Ω spanned by m neutral differences is reduced from the original 2 m to 1, as stated in Theorem 4.

Application to SPECK
First, we apply the automatic search technique of neutral difference to SPECK32 and experimentally validate its effectiveness.Second, we enhance the differential-linear distinguishers for 11-round SPECK32 by incorporating neutral differences, resulting in increased absolute values of correlations.
4.1.SPECK.SPECK is a lightweight block cipher designed by the US National Security Agency, whose round function is depicted in Figure 1.For word size n 2 f16; 24; 32; 48; 64g: , each variant is identified by SPECK2n=mn, where 2n is its block size and mn is the key size.The rotation constants are α ¼ 7 and β ¼ 2 for SPECK32 with 64-bit key, while α ¼ 8 and β ¼ 3 for the others.Since we do not facilitate properties of the key schedules, their details are omitted.

The Neutral Subspaces for Two 2-Round Differentials.
For SPECK32, there is a 2-round differential characteristic 0x0209 0604 → 0x1800 0010 → 0x0040 0000 with a probability of 2 −8 .Table 4 shows the neutral space for this differential, which is spanned by the linearly independent neutral differences.
The following is an example to illustrate the search process introduced in Section 3.2.To search for a neutral difference for this differential trail, we specify the differences used in the EBCT trail in the search model, namely ðr 0 ; Δ 0 Þ: ; ðr 1 ; Δ 1 Þ: ; ðr 2 ; Δ 2 Þ: .To ensure that the differences propagate as expected, we set Δ 0 ¼ 0x0209 0604, Δ 1 ¼ 0x1800 0010, and Δ 2 ¼ 0x0040 0000 in the search model.Suppose that the neutral difference 0x0219 0604 is known, one can find a linear bijection φ where φð0x0209 0604Þ: ¼ 1 and φð0x0219 0604Þ: ¼ 2. According to Theorem 4, one can introduce the following constraint to prevent r 0 from being chosen from the linear space spanned by 0x0209 0604 and 0x0219 0604.
Furthermore, one needs to characterize the relationships between differences in EBCT trails and differential trails.Using this search model, the solvers will yield a solution of ðr 0 ; Δ 0 Þ: ; ðr 1 ; Δ 1 Þ: ; ðr 2 ; Δ 2 Þ: with the maximum neutral probability.Here, r 0 represents the newly discovered neutral difference.Suppose that 0x0040 0000 is the newly discovered neutral difference.By employing an EBCT trail, the neutral probability is estimated as b Pr¼ 2 −1 .By setting r 0 ¼ 0x0040 0000 and repeating the aforementioned process, we discovered a total of 8 EBCT trails.By using these EBCT for SPECK 32; others.

6
IET Information Security trails, the theoretical estimation of neutral probability is 1, and the experimental result is 1 as well.Additionally, Table 5 presents the corresponding conditions that improve the neutral probabilities.Similar results for another 2-round differential 0x2a10 0004 → 0x2050 2040 → 0x8000 0100 with a probability of 2 −6 are shown in Tables 6 and 7.
The input difference is definitely a neutral difference with a probability of 1.However, it is generally not useful for further cryptanalysis as exchanging two plaintexts in a pair of plaintext holds little value.It is crucial to note that not only should we avoid using the input difference as a neutral difference but also include it in the neutral space used, which is inappropriate.

Enhanced Differential-Linear Distinguishers by Neutral
Differences.This section reviews how to construct a more effective distinguisher by a simple DL approximation when enough neutral differences are given.Furthermore, we present the improved distinguishers for 11-round SPECK32.
The correlation [25] of a differential-linear approximation ðΔ; ΓÞ: for a vectorial Boolean function E : F n 2 → F m 2 is defined as follows: where Δ 2 F n 2 and Γ 2 F m 2 .Assuming that a DL trail ðΔ in ; ΓÞ: has a correlation pq, we aim to enhance the correlation by incorporating m neutral differences of the prepended short-round differential ðΔ in ; Δ out Þ: with a probability of p.Under the condition that 2 m ≥ q −2 , Beierle et al. [5] pointed out that the DL distinguisher ðΔ in ; ΓÞ: would work as follows: Step 1: Randomly generate a plaintext x, and then use m neutral differences to generate the corresponding plaintext pair structure P x;Ω;Δ in ¼ fðx ⊕ y; x ⊕ y ⊕ Δ in Þjy 2 Ωg: , where Ω is the space spanned by these m neutral differences.Pr represents the theoretical estimation of the neutral probability obtained from a single EBCT trial. 2 Pr = neutral probability.EST is a theoretical estimation of the neutral probability using N EBCT trails.The search program is set to find 256 single trails, while N <256 indicates that there are only N EBCT trails found. 3EXP represents the empirical results of the neutral probabilities for these neutral differences.The neutral probability is verified using 2 15 plaintext pairs that satisfy the expected differential characteristic. 4EXP represents the empirical results of the neutral probabilities for these neutral differences under the conditions specified in Table 5.These conditions are common for all 32 neutral differences. 5The input difference is definitely a neutral difference with a probability of 1, but it is generally of no value for further cryptanalysis.Consequently, the input difference should be excluded out of the neutral space used for subsequent cryptanalysis. 6No represents the neutral probability is 0. These 32 differences form a basis for the vector space F 32 2 .

IET Information Security
Step 2: The corresponding cipher pair structure of P x;Ω;Δ in is denoted by fðc Step 3: If the correlation observed using 2 m pairs is approximately q, the distinguisher succeeds.Otherwise, go to Step 1.
The essential requirement for this distinguisher to be effective is to identify sufficient neutral differences so that 2 m ≥ 1 q 2 .With probability p, the plaintext pair structure P x;Ω;Δ in makes the short-round differential satisfied.Denote the product of the neutral probabilities of the neutral differences utilized by p.With probability pp, the distinguisher succeeds in Step 3. Thus, the data complexity of ðΔ in ; ΓÞ: Þ: .Note that the statistical value Cor is derived from 2 m ciphertext pairs.When comparing with the DL distinguishers without using the neutral difference technique, we regard the (equivalent) correlations of DL (ND) as p 1 2 p1 2 q, since the data complexity required is Oðp −1 p−1 q −2 Þ: .Table 8 summarizes the differential-linear distinguishers for 11-round SPECK32.

Application to LEA
5.1.LEA.The LEA family of block ciphers not only serves as the national standard of the Republic of Korea but also is included in the ISO/IEC 29192-2:2019 standard.The LEA family has a block size of 128 bits and consists of three different key sizes: 128, 192, and 256 bits, denoted by LEA128, LEA192, and LEA256, respectively.Figure 2(a) provides a schematic view of the round function of LEA.The inputs/outputs of each round of LEA consist of four 32-bit words.

Enhanced Differential-Linear Distinguishers by Neutral
Differences.For LEA, there is a 4-round differential characteristic shown in Table 9, with a probability of 2 −33 .Table 10 of Appendix A outlines 61 linearly independent neutral differences for this differential.Since not all of the neutral probabilities are 1, it is significant to know the probability of obtaining a plaintext structure consisting of 2 61 right pairs from a right pair.In this case, the statistical variable will clearly demonstrate advantages when the key is guessed correctly.Though it is computationally infeasible to verify it directly, we randomly select subspaces spanned by five neutral differences and verify the probability of obtaining 2 5  right pairs from a right pair.Denote the product of the five individual neutral probabilities by p, and let the empirical probability of obtaining 2 5 right pairs be b p.We utilized 2 12  right pairs to repeat the above experiments 100 times and The notations are the same as Table 4.   p = theoretical probability of the prepended short-round differential.q is the experimental correlation of the bottom DL trail.3 The number of (conditional) neutral differences for the above A-round differential presented in the original paper is denoted by M. m=p denotes the current DL distinguisher utilizing m (conditional) neutral differences simultaneously, where the product of the probabilities of these neutral differences is p.
To evaluate the DL (ND) using the same criteria, we set m as the smallest integer such that 2 m >q −2 .4 Denote the overall correlation of the differential-linear trails by pq.Here, we regard the (equivalent) correlations of DL (ND) as p . } represents the input difference listed in Table 9.
IET Information Security found 0:398 ≤ b p=p ≤ 3:061, and the average of b p=p is 1.033.In summary, this experiment indicates that the probability of obtaining 2 m right pairs using m neutral differences can be approximated by the product of the individual neutral probability experimental values of these neutral differences, which has been verified in [6].Consequently, the theoretical probability of obtaining 2 61 right pairs from a right pair using these 61 neutral differences is 2 −29:96 .The differential-linear distinguisher that employs the neutral difference technique is presented in Table 8.

The 18-Round Key
Recovery Attack on LEA.To attack the 18-round LEA with key sizes of 192 and 256 bits, we employ the 17-round DL (ND) distinguisher described in Table 8 by adding an additional round.The attack program is outlined in Algorithm 1, which recovers 60 bits of subkey in the last round.

Conclusion
In this paper, we have investigated the link between neutral difference and boomerang cryptanalysis.Based on it, we introduce an automated approach for identifying linearly independent neutral differences.Consequently, we present the improved differential-linear distinguishers for SPECK32 and LEA, along with the 18-round attacks on LEA192 and LEA256 with the lowest time complexity up to date.The 2nd to 35th neutral differences were proposed in [6].The empirical results of the neutral probabilities are obtained from 2 18 right pairs.
IET Information Security

B. Conditional Linear Approximations for Additions
This section introduces the conditional linear approximation technique, which is also known as the partitioning technique proposed by Biham and Carmeli [26].This technique has the ability to amplify the bias of linear approximations of additions.Furthermore, it has been applied to the differential-linear attack on ARX ciphers [5,6,27].The core of the conditional linear approximation technique is shown in Lemma B.1.

− 2 −
indicates a DL (ND) that combines an A-round differential and a B-round DL trail, where the A-round differential starts from input diff.and ends at intermediate diff.2

AppendixA.
Neural Differences for 4-Round Differential on LEA

TABLE 1 :
Comparison of our distinguishers with previous ones.

TABLE 2 :
Key recovery attacks on round-reduced LEA.

TABLE 5 :
The

TABLE 6 :
The subspace for 2-round differential 0x2a10 0004 → 2 −6 0x8000 0100 of SPECK32, which is spanned by the first 29 linearly independent neutral differences with non-zero neutral probabilities.

TABLE 7 :
The conditional neutral differences and corresponding conditions for 2-round differential 0x2a10 0004 →

TABLE 8 :
DL distinguishers combined with the neutral difference technique, denoted by DL (ND).
where i indicates the current ciphertext comes from the ith ciphertext pair.If i is obvious in the context, i will be omitted.

TABLE 9 :
½ ⊕ z i A 4-round differential characteristic for LEA.
Input: m neutral differences M 1 ; …; M m and corresponding subspace Ω ← SpanfM 1 ; …; M m g: , number of replications R, plaintext structures P x j ;Ω;Δ in ¼ fðx j ⊕ y; x ⊕ y ⊕ Δ in Þjy 2 Ωg: for 0 ≤ j<R, threshold Θ. Output: List of key candidates, denoted by K.1 K ← ; 2 for 1 ≤ j ≤ R do 3Choose the jth plaintext structure P x j ;Ω;Δ in / * Denote the ciphertext pairs, encrypted from P x j ;Ω;Δ in , by fðc 0 ; c 0 Dec k represents one round decryption with k.Γ represents the output mask, and N is the number of ciphertext pairs to calculate this correlation.

TABLE 10 :
The neutral differences for 4-round differential, as shown in Table9.