Zero-Correlation Linear Cryptanalysis on SPARX-64

SPARX is a family of ARX-based block ciphers designed according to the long-trail strategy; it has 32-bit ARX-based SBoxes and provable bounds against single-differential and single-linear cryptanalysis. Since it was proposed, several third-party cryptanalysis results have been presented. As far as we know, the best attacks against SPARX-64 cover 16 (out of 24) rounds. In this paper, we propose zero-correlation linear attacks on SPARX-64. First, we construct some new zero-correlation linear distinguishers covering 14-round and 15-round SPARX-64. Then, 15-, 16-, 17- and 18-round versions can be attacked using multidimensional or multiple zero-correlation linear attack models, under DKP (distinct known plaintexts) settings. These are the best attacks against SPARX-64 up to now in terms of the number of attacked rounds. Finally, we transform the zero-correlation distinguishers into integral ones using existing methods; these are also longer than the ones proposed by the designers.


Introduction
SPARX [1], introduced by Dinu et al. at ASIACRYPT'16, is the first ARX-based family of block ciphers designed to provide provable security against single-trail differential and linear cryptanalysis. To achieve this, the designers developed the long trail strategy, which differs from the well-studied wide trail strategy [2] used in the design of AES. The long trail strategy advocates the use of large and comparatively expensive SBoxes in conjunction with cheaper and weaker linear layers. All the instances of SPARX (SPARX-64/128, SPARX-128/128 and SPARX-128/256) use three or four rounds of SPECK [3] with subkeys as the big SBox, which can be specified using three simple operations: addition modulo $2^{16}$ ($\boxplus$), 16-bit rotations ($\lll 2$ and $\ggg 7$) and 16-bit Xor ($\oplus$).
There have been some cryptanalysis results on the SPARX family. The designers gave provable bounds on the probability of differential characteristics and the bias of linear trails. There is no differential or linear trail with significant probability for 5 (or more) steps. They also mounted integral attacks with the help of Todo's division property [4]. For SPARX-64/128, the attack covers 15 rounds and recovers the key in time $2^{101}$ using $2^{37}$ chosen plaintexts. Moreover, the integral attacks cover 22-round SPARX-128/128 and 24-round SPARX-128/256. Then Abdelkhalek et al. [5] attacked 16-round SPARX-64/128 using an impossible differential attack, with the help of one 13-round distinguisher and the dependencies between the subkeys. Later, Tolba et al. [6] proposed multidimensional zero-correlation linear attacks on up to 25 rounds of SPARX-128/256 and 22 rounds of SPARX-128/128. Recently, Ankele and List [7] presented chosen-ciphertext differential attacks on 16-round SPARX-64/128. Previous attack results on SPARX-64/128 are compared in Table 1.
There are no zero-correlation cryptanalysis results on SPARX-64/128 in the literature, and we focus on this method in this paper. Zero-correlation [8] is a powerful tool in the cryptanalysis of block ciphers. Just as the impossible differential distinguisher uses a differential with probability zero, the zero-correlation distinguisher uses a linear hull with correlation zero. The technique has since been developed further and some new models have been proposed, such as multiple zero-correlation linear cryptanalysis [9], multidimensional zero-correlation linear cryptanalysis [10] and some improved versions [11,12]. In particular, Sun et al. [12] removed the approximation from the $\chi^2$-distribution to the normal distribution during the construction of multiple and multidimensional zero-correlation linear attack (MPZC and MDZC) models, which lifted the restriction on the number $\ell$ of zero-correlation linear hulls, i.e., that $\ell$ should be large enough. The new models were called $\chi^2$-MPZC and $\chi^2$-MDZC.
To improve the time complexity of linear attacks using Algorithm 2, the FFT technique was proposed in [13]. When the target bit for the linear distinguisher is a function of $x \oplus k$, where $x$ and $k$ are both $n$-bit values, the time can be improved from $2^{2n}$ to $3 \cdot n \cdot 2^{n}$ simple calculations.
Our Contributions. We evaluate the security of SPARX-64/128 using zero-correlation cryptanalysis in this paper:
(1) We find some new zero-correlation distinguishers. By extending the existing simple zero-correlation distinguisher proposed in [6], we construct several multidimensional zero-correlation distinguishers covering 14-round SPARX-64. Moreover, with careful selection of the input mask, we can extend some distinguishers by one more round and get three 15-round zero-correlation distinguishers. These are the longest zero-correlation linear distinguishers of SPARX-64 as far as we know.
(2) Using the new zero-correlation distinguishers, we mount zero-correlation linear attacks with the help of the multiple/multidimensional zero-correlation linear cryptanalysis models in [12]. The multidimensional zero-correlation attack covers 15 and 16 rounds using 14-round distinguishers. Then the zero-correlation attack with one single 15-round linear hull covers 17 rounds. What's more, with the help of the FFT technique, we can also attack 18-round SPARX-64. These are the best attacks in terms of the number of rounds attacked.
(3) We also transform the zero-correlation linear distinguishers into integral distinguishers. As a result, we get some 14-round and 15-round integral distinguishers with balanced properties. The balanced property means that the numbers of each value in the output sets are equal for the integral distinguisher, while the zero-sum property means the Xor-sum is zero.
Outline. First, we describe the target block cipher SPARX-64/128 and the zero-correlation linear attack models in Sect. 2. In Sect. 3, we show how to construct the 14-round and 15-round zero-correlation linear distinguishers for SPARX-64. Then we give the multidimensional zero-correlation and multiple zero-correlation linear cryptanalysis against SPARX in Sect. 4 and 5. Sect. 6 describes some new integral distinguishers and finally, Sect. 7 concludes this paper.
(vii) $x_R$: right half (16-bit) of the word $x$ (32-bit).
The 128-bit permutation used in the key schedule is simple, which is shown in Algorithm 1. For more details, please refer to [1].

$\chi^2$-Multiple/Multidimensional Zero-Correlation Cryptanalysis
We start this section with the introduction of the MPZC and MDZC models. Suppose that there are $N$ plaintext-ciphertext samples and $\ell$ zero-correlation linear approximations for an $n$-bit block cipher. For the $i$-th approximation, the adversary counts the samples for which the linear approximation holds and gets the corresponding counter $T_i$. Under the model of MPZC cryptanalysis, the adversary evaluates the following statistic:
For the MDZC model, the $\ell$ zero-correlation linear approximations form a linear space (including the zero vector) with dimension $m$, and then $\ell = 2^m - 1$. For each plaintext-ciphertext sample, the adversary evaluates the $m$ base linear approximations and obtains an $m$-bit value $z$. By iterating over all $N$ samples, the adversary gets a counter vector $V[z]$ with $z = 0, 1, \cdots, 2^m - 1$. The statistic used in MDZC is:
To estimate the data complexity and success probability, researchers [14] considered two sampling models, i.e., KP and DKP. In KP settings, the samples are obtained randomly, while in DKP settings there is a restriction that the plaintext-ciphertext samples are non-repeating. In [14], Blondeau and Nyberg proved that $T_{MP}$ and $T_{MD}$ follow the same distribution when the same sampling method is applied. They gave the estimation method of data complexity under these two sampling models for MPZC and MDZC. Later, Sun et al. proposed the $\chi^2$-MPZC and MDZC, in which they use the $\chi^2$-distributions to model the statistics [12], instead of the normal distributions.
Consider two types of errors:
(i) Type-1 error: made by wrongly discarding the cipher (false negative); suppose its probability is $\alpha_0$. This is related to the success probability $P_S$, and $P_S = 1 - \alpha_0$.
(ii) Type-2 error: made by wrongly accepting a randomly chosen permutation as the cipher (false positive); suppose its probability is $\alpha_1$. This is related to the time complexity $T_S$ of the exhaustive search phase, and $T_S = 2^k \cdot \alpha_1$, where $k$ is the length of the main key.
Then the $\chi^2$-MPZC and MDZC models evaluate the data complexity as follows. Here $\chi^{(\ell)}_{1-\alpha_0}$ and $\chi^{(\ell)}_{\alpha_1}$ are the respective quantiles of the $\chi^2$-distribution with $\ell$ degrees of freedom evaluated at the points $1 - \alpha_0$ and $\alpha_1$. In the attacks, the threshold value used to distinguish the cipher from a randomly chosen permutation is calculated as $\tau = \chi^{(\ell)}_{1-\alpha_0}$.

Theorem 1 (in [12])
Suppose that the linear approximations involved satisfy the hypotheses in [14]. The number $N_{KP}$ of KPs required in an MPZC or MDZC linear attack is and the number $N_{DKP}$ of DKPs required in an MPZC or MDZC linear attack is

Zero-Correlation Linear Hulls of SPARX-64
The 12-round zero-correlation linear hull of SPARX-64 proposed in [6] is shown in Figure 2; it is $(\alpha, 0) \to (0, \beta)$ with $\alpha \neq 0$, $\beta \neq 0$. $\alpha_1, \alpha_2$ are linear masks derived from the input mask $\alpha$, while $\beta_1, \beta_2$ are linear masks derived from the output mask $\beta$. The contradiction appears in the second linear permutation $L$, where the corresponding input mask is zero while the output mask is the non-zero value $\alpha_2 (= \beta_2)$. This distinguisher is like the 5-round zero-correlation linear hull of the Feistel structure [8] with bijective F functions, which only takes advantage of the properties of the structure. In the following subsections, we study the detailed properties of linear mask propagation in SPECKEY and construct longer zero-correlation linear hulls.
Since there are only Xor ($\oplus$), Modulo Addition ($\boxplus$), Branch ($\vdash$) and Rotation ($\lll$ or $\ggg$), we review how linear masks propagate through these operations. Let $x, y, z$ be values and $\Gamma_x, \Gamma_y, \Gamma_z$ be the corresponding masks.
Only the Modulo Addition ('$\boxplus$') is non-linear, and the corresponding correlation may not be one. However, when

Expand the Linear Hull with Input Mask $(\alpha, 0)$ Backward with Correlation One
In fact, by limiting the values of $\alpha$ and $\beta$, we can increase the number of rounds of the zero-correlation linear hull. The main idea is to make the input mask (or output mask) go back (or forward) one more round with correlation one. The only non-linear operation in one SPECK round is '$\boxplus$', so we want the corresponding input mask or output mask of '$\boxplus$' to be 0x0000 or 0x0001, which leads to linear approximations with correlation one.
For the case of input mask $\alpha$, we expect $\Gamma_1, \Gamma_2$ to be 0x0001 or 0x0000, where $\Gamma_1, \Gamma_2$ are the output masks of the '$\boxplus$' in Figure 3. It is easy to see that $\Gamma_2 = \alpha_L \oplus \alpha_R$ and $\Gamma_1 = (L^T\alpha)_L \oplus (L^T\alpha)_R$, where $L^T$ is the transform of the linear layer. So we can get the following four equations: According to we know that only the first and fourth equations have possible solutions.
We set the condition $\alpha_L = \alpha_R$ (see the left part of Figure 3) and then we can derive that the linear mask becomes after one decrypted round. In a further step, there is $\Gamma_3 = (\alpha_R \ggg 2) = \Gamma_4$. To expand one more round with correlation one, we want the corresponding masks $\Gamma_3, \Gamma_4$ also to be 0x0000 or 0x0001. Then we obtain the only non-zero solution $\alpha_L = \alpha_R = \texttt{0x0004}$. At last, we get the linear mask after two decrypted rounds. Similarly, when the condition is $\alpha_L = \alpha_R \oplus \texttt{0x0001}$ (see the right part of Figure 3), we can derive that Then there is $\Gamma_3 = (\alpha_R \ggg 2) \oplus \texttt{0x00c1}$, $\Gamma_4 = (\alpha_R \ggg 2) \oplus \texttt{0x0081}$. In this situation, there is no value of $\alpha$ satisfying $\Gamma_3, \Gamma_4 \in \{\texttt{0x0000}, \texttt{0x0001}\}$ at the same time. This means that when $\alpha_L = \alpha_R \oplus \texttt{0x0001}$, we can only expand the linear hull backward by one more round and cannot expand it backward by two more rounds with correlation one.
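The mask conditions in this subsection can be checked by brute force. The Python below is an added example, not code from the paper: it enumerates all 16-bit $\alpha_R$ against the $\Gamma_3, \Gamma_4$ expressions quoted above, and separately measures the correlation of modular addition on reduced word sizes (an assumption made to keep the search exhaustive); all function names are illustrative.

```python
# Added example: brute-force checks of the mask conditions stated in the text.
MASK16 = 0xFFFF

def ror16(v, r):
    """Rotate a 16-bit word right by r bits."""
    return ((v >> r) | (v << (16 - r))) & MASK16

def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1

def add_correlation(gx, gy, gz, n):
    """Exact correlation of gx.x ^ gy.y ^ gz.(x + y mod 2^n) over all n-bit x, y."""
    size = 1 << n
    agree = 0
    for x in range(size):
        for y in range(size):
            z = (x + y) & (size - 1)
            agree += 1 - parity((gx & x) ^ (gy & y) ^ (gz & z))
    return 2.0 * agree / (size * size) - 1.0

def unit_correlation_masks(n):
    """All mask triples (gx, gy, gz) with |correlation| = 1 for n-bit addition."""
    size = 1 << n
    return [(gx, gy, gz)
            for gx in range(size) for gy in range(size) for gz in range(size)
            if abs(add_correlation(gx, gy, gz, n)) == 1.0]

def two_round_solutions(c3, c4):
    """alpha_R values for which Gamma3 = (alpha_R >>> 2) ^ c3 and
    Gamma4 = (alpha_R >>> 2) ^ c4 are both 0x0000 or 0x0001."""
    allowed = {0x0000, 0x0001}
    return [a for a in range(1 << 16)
            if (ror16(a, 2) ^ c3) in allowed and (ror16(a, 2) ^ c4) in allowed]

if __name__ == "__main__":
    # Reduced word size (4 bits, an assumption): only the all-zero and
    # all-LSB mask triples pass through the addition with correlation one.
    print("unit-correlation triples:", unit_correlation_masks(4))
    print("corr(1,1,1) on 8 bits:", add_correlation(1, 1, 1, 8))
    print("corr(2,2,2) on 8 bits:", add_correlation(2, 2, 2, 8))
    # Case alpha_L = alpha_R: Gamma3 = Gamma4 = alpha_R >>> 2.
    print("case 1:", [hex(a) for a in two_round_solutions(0x0000, 0x0000)])
    # Case alpha_L = alpha_R ^ 0x0001: constants 0x00c1 and 0x0081 from the text.
    print("case 2:", [hex(a) for a in two_round_solutions(0x00C1, 0x0081)])
```

In the second case the two masks always differ by 0x00c1 ⊕ 0x0081 = 0x0040, so they can never both lie in {0x0000, 0x0001}, which is why the search returns nothing.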

Expand the Linear Hull with Output Mask $(0, \beta)$ Forward with Correlation One
For the output linear mask $(0, \beta)$, we follow a similar method; see Figure 4. At first, we want the linear masks $\Gamma_5, \Gamma_6$ to take the value 0x0000 or 0x0001. So we can list the following equations.
According to we know that only the solutions are as follows.
We list the zero-correlation linear hulls in Table 3. #R denotes the number of rounds of the distinguishers.

Multidimensional Zero-Correlation Cryptanalysis of SPARX-64 Using 14-round Distinguishers
In this section, we give 15-round and 16-round multidimensional attacks with 14-round zero-correlation distinguishers in the DKP sampling setting.

15-Round Multidimensional Zero-Correlation Attack with One 14-round Distinguisher
We use one 14-round multidimensional zero-correlation distinguisher
$$(0, \gamma, 0, \gamma) \to (\texttt{0x0207}, \texttt{0x0206}, \texttt{0x0002}, \texttt{0x0002}) \quad (13)$$
to mount the attack. By adding one round at the top, the attack covers 15 rounds. The symbols $X_i, Y_i$ denote the corresponding states derived from the plaintexts or ciphertexts (see Figure 5). For enough plaintext-ciphertext samples, we need to guess the corresponding subkeys and get the numbers of all possible values of Since the MSB of $X_{1,1}$, i.e., $X_{1,1}[15]$, is linear with $K^{L}_{2i,2}[15]$ and $K^{R}_{2i,2}[15]$, there is no need to guess these two key bits in the attack. For simplicity, we can set them to 0. Similarly, we can also set $K^{L}_{2i+1,2}[15]$ and $K^{R}_{2i+1,2}[15]$ to constant values. So in the round before the distinguisher, the keys that need to be guessed are $k_1 = (K^{L}_{2i,2}[14 \sim 0], K^{R}_{2i,2}[14 \sim 0])$ and $k_2 = (K^{L}_{2i+1,2}[14 \sim 0], K^{R}_{2i+1,2}[14 \sim 0])$. Since $Y_1$ is linear with $K_{2i+10,2}$ and $K_{2i+11,2}$, no key bits need to be guessed in the backward rounds.
Suppose the number of samples in the attack is $N$. The attack procedure is as follows.
(iv) Step 4. For each guessed key, compute the statistic value used in the multidimensional zero-correlation attack, i.e., where $m = 17$. When $T$ is smaller than the threshold value $\tau$, the key is taken to be a right key candidate and can then be checked using two plaintext-ciphertext pairs. By setting $\alpha_0 = 2^{-2.7}$ and $\alpha_1 = 2^{-23}$, we can compute that the data complexity is $N \approx 2^{58.616}$ and the threshold is $\tau = 131593$. The first three steps need encryptions. The last step needs $2^{128} \cdot \alpha_1 = 2^{105}$ encryptions. So the total time complexity is about $2^{106}$ encryptions.

16-Round Multidimensional Zero-Correlation Attack with One 14-round Distinguisher
We can append one more round at the bottom to attack 16 rounds (see Figure 6). To control the time complexity, we use part of the above distinguisher. In detail, we only consider input masks of the form $\gamma = (0^{16-t} *^{t})$, which means the distinguisher has dimension $t + 1$.
(5) For each guessed key, compute the statistic value used in the multidimensional zero-correlation attack, i.e., where $m = t + 1$. When $T$ is smaller than the threshold value $\tau$, the key is taken to be a right key candidate and can then be checked using two plaintext-ciphertext pairs. By setting $t = 8$, $\alpha_0 = 2^{-2.7}$ and $\alpha_1 = 2^{-28}$, we can compute that the data complexity is $N \approx 2^{62.531}$ and the threshold is $\tau = 543$.

Zero-Correlation Cryptanalysis of SPARX-64 Using 15-round Distinguisher
In this section, we give 17-round and 18-round attacks with a 15-round zero-correlation distinguisher in the DKP sampling setting. Notice that there is only one single zero-correlation linear hull. However, we can also use the multiple zero-correlation linear attack model to estimate the data complexity, as shown in [12].
to attack 17-round SPARX-64/128. We add one round at the top and one round at the bottom to mount the attack, which is similar to the 16-round attack, except that the distinguisher here is 15-round (see Figure 7). The key bits involved in this attack are $k_1$

[11~2]).
The attack procedure is as follows.
(3) Guess 24 valid bits of $k_2$, decrypt $Y_{st1}$ by one round and we can get $\beta_1 = (\texttt{0x0207}, \texttt{0x0206}) \cdot (Y_{2,0}, Y_{2,1})$. Calculate the numbers of $Y_{st2}$ according to the sign of $\beta_1$.
(4) Guess 22 valid bits of $k_3$, decrypt $Y'_{st2}$ by one round and we can get $\beta_2 = (\texttt{0x0002}, \texttt{0x0002}) \cdot (Y_{2,2}, Y_{2,3})$. Calculate the final counter $C$ according to the sign of $\beta_2$.
(5) For each guessed key, compute the statistic value used in the multiple zero-correlation attack, i.e., When $T$ is smaller than the threshold value $\tau$, the key is taken to be a right key candidate and can then be checked using two plaintext-ciphertext pairs.

[11~2]).
So the target counter $C$ can be computed using FFT techniques for all possible keys.
(3) For each guessed key, compute the statistic value used in the multiple zero-correlation attack, i.e., When $T$ is smaller than the threshold value $\tau$, the key is taken to be a right key candidate and can then be checked using two plaintext-ciphertext pairs. By setting $\alpha_0 = 2^{-2.7}$ and $\alpha_1 = 2^{-1}$, we can compute that the data complexity is $N \approx 2^{63.634}$ and the threshold is $\tau = 2$. The first step needs $N \cdot 2^{64} \cdot 2/18 = 2^{124.464}$ encryptions. The second step needs $2^{64} \cdot 3 \cdot 46 \cdot 2^{46} = 2^{117.109}$ simple calculations. The last step needs $2^{128} \cdot \alpha_1 = 2^{127}$ encryptions. So the total time complexity is $T \approx 2^{127.2}$ encryptions.
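The thresholds quoted in the attacks above can be re-derived from the rule $\tau = \chi^{(\ell)}_{1-\alpha_0}$ stated earlier. The Python below is an added example, not code from the paper: it assumes $\ell = 2^m - 1$ for the multidimensional attacks and $\ell = 1$ for the single 15-round hull, computes the $\chi^2$ quantile with the standard library only, and uses illustrative function names. The integer part of each quantile matches the $\tau$ given in the text.

```python
# Added example: reproduce the decision thresholds tau from alpha0 and l.
import math

def chi2_cdf(q, dof):
    """P[X <= q] for X ~ chi-square(dof), using the power series of the
    regularized lower incomplete gamma function P(dof/2, q/2)."""
    if q <= 0.0:
        return 0.0
    a, x = dof / 2.0, q / 2.0
    term = total = 1.0
    k = 0
    while term > total * 1e-17:          # stop once terms no longer matter
        k += 1
        term *= x / (a + k)
        total += term
    log_prefactor = a * math.log(x) - x - math.lgamma(a + 1.0)
    return min(1.0, total * math.exp(log_prefactor))

def chi2_quantile(p, dof):
    """Smallest q with chi2_cdf(q, dof) >= p, found by bisection."""
    lo, hi = 0.0, dof + 10.0 * math.sqrt(2.0 * dof) + 20.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if chi2_cdf(mid, dof) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def threshold(dof, log2_alpha0):
    """tau = chi-square quantile at 1 - alpha0 with `dof` degrees of freedom."""
    return chi2_quantile(1.0 - 2.0 ** log2_alpha0, dof)

# (attack, degrees of freedom l, log2(alpha0), log2(alpha1)); parameters from
# the text, l = 2^m - 1 for MDZC and l = 1 for the single hull (assumption).
ATTACKS = [
    ("15-round MDZC, m = 17", 2**17 - 1, -2.7, -23),
    ("16-round MDZC, m = t + 1 = 9", 2**9 - 1, -2.7, -28),
    ("18-round MPZC, single hull", 1, -2.7, -1),
]

def report(key_bits=128):
    """Return (attack, floor(tau), log2 of the exhaustive-search cost 2^k * alpha1)."""
    return [(name, math.floor(threshold(dof, la0)), key_bits + la1)
            for name, dof, la0, la1 in ATTACKS]

if __name__ == "__main__":
    for name, tau, log2_search in report():
        print(f"{name}: tau = {tau}, exhaustive search = 2^{log2_search}")
```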

Integral Distinguishers on SPARX
Zero-correlation linear distinguishers can be transformed into integral distinguishers according to the known results in [10,15]. Theorem 6 describes the result given in [15].

Theorem 2. (Corollary 4, [15])
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be a function on $\mathbb{F}_2^n$, and let $A$ be a subspace of $\mathbb{F}_2^n$ and $b \in \mathbb{F}_2^n \setminus \{0\}$. Suppose that $A \to b$ is a zero-correlation linear hull of $F$; then for any $\lambda \in \mathbb{F}_2^n$, $b \cdot F(x \oplus \lambda)$ is balanced on $A^{\perp}$.
As a result, we can transform the linear hulls in Table 3 into integral distinguishers. Some of the integral distinguishers are given in Table 4.
Suppose the state of SPARX-64/128 is represented as $(x_0, x_1, x_2, x_3)$, where $x_i$ is a 16-bit word. The 12-round integral distinguisher means that if we set the values at $x_0$ and $x_1$ to constants and let the values at $x_2, x_3$ take all possible values, the values at $x_2, x_3$ after 4 steps (minus the last linear layer) will take all possible values. This is the same as that proposed in [1]. The 14-round distinguisher means that when letting the values at $x_0, x_1, x_2$ take all possible values and setting $x_3 = x_1$, after one SPECKEY round, four full steps and one SPECKEY round, the one-bit result of $(\texttt{0x0207} \cdot y_0) \oplus (\texttt{0x0206} \cdot y_1) \oplus (\texttt{0x0002} \cdot y_2) \oplus (\texttt{0x0002} \cdot y_3)$ will be active, where $(y_0, y_1, y_2, y_3)$ is the value after 14-round encryption. We can expand this distinguisher one more round forward with probability 1 to get one 15-round distinguisher. The input set has $2^{63}$ elements $(x_0, x_1, x_2, x_3)$ which satisfy $(\texttt{0x0080} \cdot x_0) \oplus (\texttt{0x4001} \cdot x_1) \oplus (\texttt{0x0080} \cdot x_2) \oplus (\texttt{0x4001} \cdot x_3) = 0$ (or $= 1$).

Conclusion
We have given zero-correlation cryptanalysis results against SPARX-64/128 in this paper. 14- and 15-round zero-correlation linear distinguishers have been proposed, which are the longest distinguishers as far as we know. Then, with the help of the $\chi^2$-MDZC and MPZC models, we have given 15-, 16-, 17- and 18-round key recovery attacks on SPARX-64/128 with post-whitening key. Our attacks cover the most rounds, while the existing attack on SPARX-64/128 covers 16 rounds. Also, we have transformed the new zero-correlation linear distinguishers into integral distinguishers. The longest one is 15-round, which is three rounds longer than the existing 12-round zero-correlation distinguisher.

Data Availability
The data used to support the findings of this study are included within the article.