MILP/MIQCP-Based Fully Automatic Method of Searching for Differential-Linear Distinguishers for SIMON-Like Ciphers

,


Introduction
In 1994, Langford and Hellman [1] proposed differentiallinear (DL) cryptanalysis based on differential cryptanalysis introduced by Biham and Shamir [2] and linear cryptanalysis introduced by Matsui [3].An entire cipher E can be decomposed as a cascade E ¼ E 2 ∘ E 1 , a differential distinguisher and a linear distinguisher are applied to sub ciphers E 1 and E 2 , respectively.Assume that the differential Δ in → E 1 Δ m holds with probability p, the linear approximation Γ m → E 2 Γ out is satisfied with correlation q.Under the assumption that E 1 and E 2 are independent, the correlation of the DL distinguisher is pq 2 .Figure 1 shows the overview of the DL distinguisher.DL cryptanalysis has attracted a lot of researches since its introduction.
In 2017, Blondeau et al. [4] developed a concise theory of DL cryptanalysis and gave a close estimate of the bias under the sole assumption that the two parts of the cipher are independent.They also revisited the previous methods of estimating DL bias proposed by Biham et al. [5].
At EUROCRYPT 2019, Bar-On et al. [6] took the effects of dependency between the two sub ciphers E 1 and E 2 into account, then proposed the differential-linear connectivity table (DLCT).
Here, the cipher E can be divided into three subciphers E 1 , E m , and E 2 , namely, E ¼ E 2 ∘ E m ∘ E 1 , where the correlation r of E m is experimentally evaluated.Thus, the correlation of the DL distinguisher can be estimated as prq 2 .The overall framework of the DL distinguisher is depicted in Figure 2.
At EUROCRYPT 2021, Liu et al. [7] generalized the technique proposed by Morawiecki et al. [8] and proposed a practical method for estimating the bias of (rotational) DL distinguishers for Addition-Rotation-XOR (ARX) ciphers in the special case where the output linear mask is a unit vector.Subsequently, at CRYPTO 2022, Niu et al. [9] computed the (rotational) DL correlation of modulo additions for arbitrary output linear masks, based on which a technique for evaluating the (rotational) DL correlation of ARX ciphers was derived.
At CRYPTO 2021, Liu et al. [10] re-investigated the basic principles and methods of DL cryptanalysis from an algebraic perspective and proposed the algebraic transitional forms (ATF) technique to estimate the DL bias of non-ARX ciphers.
Note that it does not require any assumptions in theory for the estimation of bias from the algebraic perspective.For more researches and applications of DL cryptanalysis, see [11][12][13][14].
However, there is no effective method that can automatically search for good DL distinguishers in the above researches on DL cryptanalysis.At CT-RSA 2023, Bellini et al. [15] presented a fully automatic method of searching for DL distinguishers for ARX ciphers by using Mixed-Integer Linear Programing (MILP) and Mixed-Integer Quadratic Constraint Programing (MIQCP) techniques.They improved the correlations of the best 9 and 10-round DL distinguishers on Speck32/64.Also, it is the first time a DL distinguisher reached 11 rounds for Speck32/64.
In this paper, we will explore how to fully automatically search for DL distinguishers for SIMON-like ciphers by using MILP and MIQCP techniques.

Related Works.
There are various papers published on the cryptanalysis of SIMON-like ciphers [16][17][18][19][20][21][22][23][24].Especially, there are many different techniques and automatic tools in the literature for finding differential, linear distinguishers on SIMON-like ciphers.In 2015, Sun et al. [18] constructed mixed-integer programing models whose feasible region is exactly the set of all valid differential characteristics of SIMON.In 2015, Abed et al. [16] stated an algorithm for the calculation of the differential probabilities but without further explanation.Kölbl et al. [20] derived efficiently computable and easily implementable expressions for the exact differential and linear behavior of SIMON-like round functions.Moreover, they used those expressions for a computer-aided approach based on Boolean satisfiability problem or satisfiability modulo theories (SAT/SMT) solvers to find both optimal differential and linear characteristics for SIMON.In 2021, Sun et al. [22] put forward a new encoding method to convert Matsui's bounding conditions into Boolean formulas and integrated the bounding conditions into the SAT method, which accelerated the search for differential and linear characteristics for SIMON-like ciphers.
For finding DL distinguishers for SIMON-like ciphers, in 2018, Chen et al. [23] constructed a 13-round DL distinguisher with bias 2 −30:36 and presented key recovery attacks on 17-round and 18-round SIMON32, respectively.However, Hu et al. [24] pointed there are some problems in the calculation process of this method.In 2022, Hu et al. [24] constructed 13-round DL distinguishers for SIMON32 and SIMON48, respectively, and showed 16-round key recovery attacks on SIMON32 and SIMON48, respectively.
Note that there are no relevant researches on searching for DL distinguishers of SIMECK and larger instances of SIMON (SIMON64, SIMON96, SIMON128), and there is no effective method that can automatically search for good DL distinguishers for SIMON-like ciphers.This paper will intend to fill this vacancy.
1.2.Our Contribution.The new MILP/MIQCP model to find DL distinguishers for ARX ciphers was given by Bellini et al. [15], but the MILP/MIQCP techniques could not be applied to SIMON-like ciphers.Inspired by this, we propose continuous difference propagation of AND operation for the first time.Therefore, we construct an MILP/MIQCP model to fully automatically search for DL distinguishers for SIMON-like ciphers.Recall that we have three parts in the DL distinguisher with improved structure, including the differential part (top part), the DL part (middle part), and the linear part (bottom part), so we need to consider the models of these three parts, separately.
Firstly, according to efficient computation for the exact differential behavior of SIMON-like round functions [20], we construct the differential model of SIMON-like ciphers by using MILP techniques.For the linear part, we consider the AND operation in the round function as independent Sboxes, then exploit the model-generating method for S-boxes to complete the formation of the linear MILP model.
Secondly, we propose continuous difference propagation of the AND operation, then model the DL part (middle part) of SIMON-like ciphers.So, we obtain the MILP/MIQCP- Finally, to illustrate the effectiveness of our fully automatic model, we apply it to search for DL distinguishers of all versions of SIMON and SIMECK and verify experimentally the correlations of our DL distinguishers.To the best of our knowledge, it is the first time that DL distinguishers of all versions of SIMON and SIMECK have been found.Compared to previous DL distinguishers, for SIMON32 and SIMON48, our distinguishers have increased by 1 and 4 rounds, respectively.For SIMON64, SIMON96, SIMON128, and all versions of SIMECK, it is the first time that the DL distinguishers have been found.As far as we know, our DL distinguishers are currently the best for SIMON and SIMECK.Our results are given in Table 1.
1.3.Outline.The rest of this paper is organized as follows: In Section 2, we introduce notations and preliminaries used in this paper.In Section 3, we propose a fully automatic model to find DL distinguishers for SIMON-like ciphers.In Section 4, the fully automatic model is applied to all versions of SIMON and SIMECK, and all improved results are experimentally verified.We conclude this paper with some open problems in Section 5.

Notations and Preliminaries
In this paper, we will use the following notations.Let we denote by x i the i-th bit of x.The bitwise XOR operation of x and y is denoted as x ⊕ y.The bitwise AND operation of x and y is denoted as x ⊙ y. x ⋘ t denotes rotation of x by t bits to the left.B denotes the set of real numbers between 1 and − 1, namely, − 1 ≤ B ≤ 1. R denotes the real number domain.X i L and X i R denote left half and right half of the i-th round input, respectively.MILP is a kind of programing problem of optimizing (minimizing or maximizing) a linear objective function f x 1 ; ð x 2 ; …; x n Þ.The objective function and constraints are linear, and all or some of the decision variables x i ; 1 ≤ i ≤ n in the problem are restricted to be integers.For example, an MILP model is as follows, consisting of three parts: objective function, constraints, and variables.maximize MIQCP is a class of programing problems that optimize an objective function (quadratic or linear) given a set of quadratic constraints.The constraints can be inequalities or equations.When we want to invoke the Gurobi optimizer to solve a question, we need to translate the question into the form of MILP/MIQP problem.Lemma 1. [3] (Piling-up Lemma).Let Z 0 ; …; Z m−1 be m independent binary random variables with Pr Z i ¼ ½ 0 ¼ p i .Then we have that Let a; b; a 0 , and b 0 be n-bit strings with Pr a According to Proposition 1, it's easy to obtain Corollary 1.
Corollary 1.Let x; y; x 0 , and y 0 2 Let the input of i-th round be X i L ; ð X i R Þ, so the i-th round function is described in the following: where The key scheduling of SIMON depends on the size of the master key.For a detailed description of SIMON, please refer to the study of Beaulieu et al. [25].
SIMECK is a new family of lightweight block ciphers that combines the good design components from both SIMON and SPECK.There are three versions of SIMECK, namely SIMECK32/64, SIMECK48/96, and SIMECK64/128.The round function of SIMECK is similar to SIMON, but the rotation constants are different, namely, a ¼ 0, b ¼ 5, and c ¼ 1.For a detailed description of SIMECK, please refer to the study of Yang et al. [26].
2.2.Continuous Difference Propagation.Coutinho et al. [27] proposed a new technique called Continuous Diffusion Analysis (CDA), which allows them to generalize cryptographic algorithms by transforming bits into probabilities or correlations.They presented continuous generalizations of some cryptographic operations (such as the XOR, addition modulo, S-box, etc.) and expressed bits as probabilities or correlations.For example, for the XOR operation a Expressing p 1 , p 2 , and p 3 as functions of their correlations Inspired by Coutinho's idea, Bellini et al. [15] constructed continuous functions for the difference propagation of ARX operations.For instance, assume a; ð bÞ and a 0 ; Expressing p, q as functions of their correlations ϵ p , ϵ q , they defined the continuous difference propagation for ⊕ as − ϵ p ϵ q .Also, they defined more formally continuous difference propagation in Definition 1.
ð x 2 ; …; x n Þ be a function with input variables belonging to F n 2 , and with output in F m 2 , the continuous difference propagation of f , denoted as f CΔ α 1 ; ð α 2 ; …; α n Þ, is a function that maps input variables from B n to B m , and describes the correlation between an input difference for f and each bit of its output difference.The exact form of the function f CΔ α 1 ; ð α 2 ; …; α n Þ will depend on the specific properties of the function f .According to this definition, they obtained some propositions describing continuous difference propagations for and r 2 Z such that 0 ≤ r ≤ n − 1, then the continuous difference propagation of the rotation to the left, and to the right, by r, respectively, is given by the following:

Fully Automatic Model of Finding DL Distinguishers with MILP/MIQCP
We use MILP/MIQCP techniques to model the entire DL distinguishers.Recall that the DL distinguisher with improved structure consists of three parts, namely, the differential part (top part), the DL part (middle part), and the linear part (bottom part).Therefore, we need to model these three parts, respectively.
3.1.Differential MILP Model of SIMON-Like Ciphers.Kölbl et al. [20] derived efficiently computable and easily implementable expressions for the exact differential of SIMONlike round functions, see Theorem 1.
, and α and β be an input and an output difference, where gcd n; ð a − bÞ ¼ 1, n even, and a>b.Then with we have that the probability that difference α goes to difference β is as follows: According to Theorem 1, Kölbl et al. [20] used those expressions for a computer-aided approach based on SAT/SMT solvers.Instead, we construct the differential MILP model of SIMON-like round function based on Theorem 1.
Differential Model (SIMON-Like Round Function).For the n-bit SIMON-like round function, we denote α and β as the input and output differences, respectively.Additionally, three n-bit variables varibits, doublebits, and z are incorporated so that we can evaluate the differential probability.If α is not an all-ones vector, the differential is valid if and only if the values of α, β, varibits, doublebits, and z validate all the constraints listed below: The weight of the possible differential is  [20] perfectly handled the dependency and derived efficient computation for the exact linear behavior of SIMON-like round functions.However, because of the difficulty of encoding this model with Boolean equations, Sun et al. [22] regarded the AND operations in the round function as independent S-boxes and exploited the modelgenerating method for S-boxes to complete the linear SAT model.Similarly, we regard the AND operations as independent S-boxes.After computing its linear approximation table (LAT), we obtain the linear MILP model.

IET Information Security
Linear Model (SIMON-Like Round Function).For the nbit SIMON-like round function, we denote the input and output linear masks as α and β, respectively.Two auxiliary n-bit variables γ 0 and γ 1 are employed to record the two input masks of the AND operation.After one round of encryption, we denote the right half of the output linear mask as γ 2 .To estimate the linear correlation, we also import an n-bit variable z.The correlation of the linear approximation is nonzero if the values of α, β, γ 0 , γ 1 , and γ 2 validate all the constraints listed in the following: where MILP model of the equation The value of ∑ n−1 i¼0 z i equals the opposite number of the binary logarithm of the absolute value of the correlation.
Replacing the probabilities with their expressions involving their respective correlations x; y 2 B, we

□
In the following, we regard a × b as the multiplication of a and b in B. According to Proposition 4, we model constraints of AND operation using the MILP/MIQCP syntax over B.
Constraints of AND Operation.For every AND operation with input a 2 B n and b 2 B n and output c 2 B n , we have n constraints: SIMON-like ciphers also include XOR operation and left rotation operation.Bellini et al. [15] showed the constraints of them.
Constraints of XOR Operation [15].For every XOR operation with input a 2 B n and b 2 B n and output c 2 B n , we have n constraints: Constraints of Left Rotation Operation [15].For every left rotation operation with input a 2 B n and output c 2 B n , we have n constraints: Constraints of R-Round SIMON-Like Cipher.For all rounds, we need 2n R þ ð 1Þ variables belonging to B to represent the states of SIMON.The count of the number of equations is as follows: nR equalities to model the XOR operation.nR equalities to model the AND operation.Summing up, we have a total of 2nR constraints to model the continuous difference propagation framework for SIMONlike ciphers.

IET Information Security
Objective Function of the Middle Part Model.For the objective function of the middle part, given the correlation r, we need to minimize the function − log 2 r j j.Beaulieu et al. [25] found a linear function g r ð Þ to approximate − log 2 r j j such that g r ð Þ ≤ − log 2 r j j.
In addition, to connect the top part with the middle part, we use the method in the study of Bellini et al. [15] to translate the differential output bits into real numbers belonging to B. Specifically, the value 1 in a specific position in the output of the differential part indicates that there is a difference in that position, so the probability is 1:0, which results in a correlation 1:0.In contrast, the value 0 means that there is no difference in that position, so the probability is 0:0, and the correlation is −1:0.In other words, the correlation in that certain position with output bit 1 is 1:0, and the correlation in that certain position with output bit 0 is −1:0. Assume is the output difference of the differential part, and m input 0 is the input difference of the middle part.There are the constraints m input j 2 is the input mask of the linear part, and m output 0 can not be 0, there is the constraint r >0:0.
Objective Function of the Entire Model.We denote x and y as the exponents of the differential and linear parts, respectively.By applying Lemma 1 (piling-up lemma), we need to minimize the exponents of the three parts, namely, x þ g r ð Þ þ 2y.Thus, we construct the fully automatic model to find DL distinguishers of SIMON-like ciphers.Note that as the number of rounds increases, it becomes increasingly difficult to find a good DL trail for larger instances of SIMON-like ciphers.Therefore, we apply one strategy to obtain good DL distinguishers for larger instances of SIMON-like ciphers.
One Strategy to Obtain Good DL Distinguishers.First, we obtain the optimal differential trail for a certain number of rounds by using the SAT method presented in the study of Sun et al. [22].Second, we extend the optimal differential trail by a DL trail (the middle part) and a linear trail (the bottom part) by using our fully automatic model.

Applications to SIMON-Like Ciphers
In this section, we apply the fully automatic model to search for DL distinguishers for SIMON-like ciphers.For clarity and convenience, if a DL distinguisher has the x-round top part, the y-round middle part, and the z-round bottom part, we say that the DL distinguisher uses configuration x þ ð y þ zÞ.Our MILP/MIQCP models have been implemented using MiniZinc and solved with Gurobi.
4.1.Applications to SIMON.We apply the fully automatic model to all versions of SIMON.Our DL distinguishers are shown in Table 2.
For SIMON32, we found two DL distinguishers for 13 and 14 rounds.To obtain the 13-round distinguisher, we try all configurations regarding the number of rounds for the top, middle, and bottom parts.In this case, for the 13-round DL distinguisher, the best theoretical correlation is found by using configuration 5; ð 5; 3Þ.For the 14-round DL distinguisher, in the same way, we try all configurations.In this case, the best theoretical correlation is found by using configuration 5; ð 5; 4Þ.The details of the two distinguishers are covered in Tables 4 and 5.
For SIMON48, we found three DL distinguishers for 15, 16, and 17 rounds.Similarly, we try all configurations regarding the number of rounds for the top, middle, and bottom parts.In these cases, the best theoretical correlation for the 15-round DL distinguisher is found by using configuration 7; ð 4; 4Þ, the best theoretical correlation for the 16-round DL distinguisher is found by using configuration 7; ð 5; 4Þ, and the best theoretical correlation for the 17-round DL distinguisher is found by using configuration 7; ð 6; 4Þ.The details of these distinguishers can be found in Tables 6-8.
For SIMON64, we obtain a DL distinguisher for 20 rounds by using the strategy in Section 3.3.Likewise, we try all configurations regarding the number of rounds for the top, middle, and bottom parts, and the DL distinguisher by using configuration 7; ð 7; 6Þ is found.The details of the distinguisher are shown in Table 9.
For SIMON96, we obtain two DL distinguishers for 25 and 26 rounds by using the strategy in Section 3.3.In the same way, the 25-round DL distinguisher by using configuration 10; ð 6; 9Þ and 26-round DL distinguishers by using configuration 11; ð 6; 9Þ are found.The details of the two distinguishers are provided in Tables 10 and 11.
For SIMON128, we obtain two DL distinguishers for 31 and 32 rounds by using the strategy in Section 3.3.In the same way, the 31-round DL distinguisher by using configuration 10; ð 9; 12Þ and the 32-round DL distinguishers by using configuration 11; ð 9; 12Þ are found.Please check Tables 12 and 13 for the details of the two distinguishers.

Applications to SIMECK.
In this section, we apply the fully automatic model to search for DL distinguishers for SIMECK.It is the first time that DL distinguishers for SIMECK have been obtained.These DL distinguishers are shown in Table 3.
For SIMECK32, we find a DL distinguisher for 14 rounds.To obtain the 14-round distinguisher, we try all configurations IET Information Security regarding the number of rounds for the top, middle, and bottom parts.In this case, the best theoretical correlation is found by using configuration 5 þ ð 5 þ 4Þ.The details of the distinguisher can be found in Table 14.
For SIMECK48, we find two DL distinguishers for 17 and 18 rounds.Similarly, we try all configurations regarding the number of rounds for the top, middle, and bottom parts.In these cases, the best theoretical correlation for the 17-round DL distinguisher is found by using configuration 6; ð 6; 5Þ, the best theoretical correlation for the 18round DL distinguishers by using configuration 6; ð 6; 6Þ is found.The details of the two distinguishers are shown in Tables 15 and 16.

Conclusion and Open Problems
In   regarding AND operation as independent S-boxes.After that, we apply the MILP/MIQCP model to SIMON and SIMECK.It is the first time that the DL distinguishers for full versions of SIMON and SIMECK have been obtained.To the best of our knowledge, our fully automatic model finds the best DL distinguishers for SIMON and SIMECK at present.We believe that the fully automatic model can be applied to SPN ciphers.Of course, the primary problem to be solved is how to characterize the continuous difference propagation of S-boxes, which is also our future work.

Appendix Details of the DL Distinguishers
In the Tables 4-20, the first column shows the number of rounds.The second column shows the differential, DL, or linear trails of the DL distinguishers presented in Section 4.
In the DL part, we have rows and subrows.Each row represents a state of the DL trail, and each subrow represents correlation of every bit of that state.IET Information Security  Note: The experimental correlation of the first 10 (5 þ 5) rounds is 2 −5:49 under 2 23 sample sizes and 100 random keys, the experimental correlation of the 4 rounds at the bottom is 2 −4:67 under 2 15 sample sizes and 100 random keys.According to piling-up lemma, the experimental correlation is 2

10
IET Information Security  Note: The experimental correlation of the first 11 (7 þ 4) rounds is 2 −10:43 under 2 32 sample sizes and 100 random keys, the experimental correlation of the 4 rounds at the bottom is 2 −2:99 under 2 15 sample sizes and 100 random keys.According to piling-up lemma, the experimental correlation is 2 IET Information Security TABLE 7: Sixteen-round DL distinguisher for SIMON48 with theoretical correlation 2 −22:66 and experimental correlation 2 −18:33 , where the theoretical probability of the differential part, the theoretical correlation of the DL part, and the theoretical correlation of the linear part are −14 ; 0:63 ¼ ð 2 −0:66 Þ, and 2 −4 , respectively.
Differential part (optimal differential trail) 0 0000000000100000000000000000000000000000100010001000000000000000 7 0000000000001000100000000000000000000000000000100000000000000000  Note: The experimental correlation of the first 14 (7 þ 7) rounds is 2 −10:52 under 2 32 sample sizes and 100 random keys, the experimental correlation of the 6 rounds at the bottom is 2 −9:06 under 2 25 sample sizes and 100 random keys.According to piling-up lemma, the experimental correlation is 2 IET Information Security 15  Note: The experimental correlation of the first 10 rounds is 2 −23:39 under 2 32 sample sizes and 100 random keys, the experimental correlation of the 6 rounds at the DL part is 2 −0:51 under 2 8 sample sizes and 100 random keys, the experimental correlation of the 9 rounds at the bottom is 2 −9:28 under 2 28 sample sizes and random keys.According to piling-up lemma, the experimental correlation is 2 IET Information Security TABLE 11: Twenty-six-round DL distinguisher for SIMON96 with theoretical correlation 2 −50:66 and experimental correlation 2 −45:69 , where the theoretical probability of the differential part, the theoretical correlation of the DL part, and the theoretical correlation of the linear part are 2 −30 ; 0:63 ¼ ð 2 −0:66 Þ, and 2 −10 , respectively.

FIGURE 2 :
FIGURE 2: An improved structure of DL distinguisher.

3. 3 .Proof 1 . 2 F 2 ,
Middle Part Model of SIMON-Like Ciphers.To model the middle part of ARX ciphers, Bellini et al. [15] proposed the continuous difference propagations of ARX operations (see Section 2.2) and modeled the continuous difference propagation using the MILP/MIQCP syntax over B. Inspired by this, to model the middle part of SIMON-like ciphers, we first propose the continuous difference propagation of AND operation, then model the continuous difference propagation of SIMON-like ciphers using the MILP/MIQCP syntax over B. Proposition 4. (Continuous Difference Propagation of AND).Let x; y 2 B, then the continuous difference propagation of AND is given by x ⊙ CΔ y ¼ 1 4 x þ ð y − xy − 1Þ.Suppose a; b; a 0 , and b 0 Pr a ≠ a 0 ð Þ¼p, and Pr b ≠ b 0 ð Þ¼q.According to Corollary 1, if Pr a ≠ a 0 ð Þ¼p and Pr b ≠ b 0

TABLE 1 :
The DL distinguishers for round-reduced SIMON and SIMECK.
this work, we consider how to construct the MILP/ MIQCP model to fully automatically search for DL distinguishers of SIMON-like ciphers.For the top part of the model, we first construct the differential MILP model of SIMON-like ciphers according to efficient computation for the exact differential behavior of SIMON-like round functions.For the middle part, we obtain continuous difference propagation of AND operation, so we can model the middle part of SIMON-like ciphers.For the bottom part, we construct the linear MILP model of SIMON-like ciphers by
Note: a Segmented experimental validation of theoretical correlation.Specifically, regrading the top and middle parts as a DL distinguisher, we obtain an experimental DL correlation with 2 32 sample sizes and 100 random master keys.For the bottom linear part, we obtain an experimental linear correlation.Finally, the experimental correlations are obtained based on piling-up lemma.

TABLE 2 :
The DL distinguishers of reduced-round SIMON.Note: a Practical correlation.The sample size for 13-round SIMON32 is 232, where we randomly chose 100 master keys.b Segmented experimental validation of theoretical correlation.Specifically, regarding the top and middle parts as a DL distinguisher, we obtain an experimental DL correlation with 2 32 sample sizes and 100 random master keys.For the bottom linear part, we obtain an experimental linear correlation.Finally, the experimental correlations are obtained based on piling-up lemma.
c Segmented experimental validation of theoretical correlation.Specifically, for the top, middle and bottom parts, we obtain an experimental differential probability, an experimental DL correlation, and an experimental linear correlation, respectively.Finally, the experimental correlations are obtained based on piling-up lemma.d Segmented experimental validation of theoretical correlation.Specifically, for the top and middle parts, we obtain an experimental differential probability and an experimental DL correlation, respectively.Finally, the experimental correlations are obtained based on piling-up lemma.

TABLE 12 :
Continued.The experimental correlation of the first 10 rounds is 2 −22:47 under 2 32 sample sizes and 100 random keys, and the experimental correlation of the 9 rounds at the DL part is 2 −0:31 under 28sample sizes and 100 random keys.According to piling-up lemma, the experimental correlation is 2 −22:47 × 2 −0:31 ×
The experimental correlation of the first 11 rounds is 2 −27:68 under 2 32 sample sizes and 100 random keys, and the experimental correlation of the 9 rounds at the DL part is 2 −0:31 under 28sample sizes and 100 random keys.According to piling-up lemma, the experimental correlation is 2 −27:68 × 2 −0:31 ×