Research on SKINNY Optimal Differential Trail Search

SKINNY is a tweakable lightweight block cipher algorithm. In order to test its security, this paper performs optimal differential trail search analysis on all SKINNY-64 versions under single-key setting based on the MILP (Mixed Integer Linear Programming) algorithm. Firstly, SKINNY round function is abstracted equivalently by precise constraints, and the objective function is set as the minimum number of active S-box number to optimize SKINNY-64MILPmodel. Experiments show the differential trail searched by this method is not necessarily optimal. In order to directly search for the optimal differential trail, the S-box differential probability coding information is added to the optimized SKINNY-64 MILP model, the S-box differential characteristic is reconstructed, and the objective function is set to the minimum value of the probability coding information, which improves the SKINNY-64 MILP model. ,e results of experimental show that the improved MILP model can directly search for the optimal differential trail, and the complexity is slightly increased, but the search efficiency is significantly improved. Under single-key setting, this method has obvious advantage in searching the optimal differential trails of SKINNY-64 with low round number.

Since the announcement of the SKINNY algorithm, some scholars have used various methods to analyze its security. Tolba et al. [2] performed impossible differential attack analysis on 18, 20, and 22 rounds of SKINNY-n-n, SKINNY-n-2n, and SKINNY-n-3n, respectively. Sadegh Sadeghi et al. [3] obtained the 12-round impossible differential trails of SKINNY-64-64 and SKINNY-64-128 in SKINNY's TK1 and TK2 models, respectively, using the method of intermediate encounter. Hong Dou [4] used the intermediate encounter technology to search out all 16 truncated impossible differential trails of the 11 rounds of the SKINNY encryption algorithm and used one of them to analyze 20 rounds of SKINNY-64-128 using the impossible differential technique under a single key setting. e main approach of these papers is to find trails that are impossible to occur in the ciphertext, leaving only a reasonable number of differential trails to consider.
Unlike methods that search for more impossible differential trails, Mixed integer linear programming(MILP) is a method that can search for differential trails directly. Mouha [5] and Wu [6] converted the minimum active S-boxes number of block ciphers into a MILP problem and applied the MILP method to cryptanalysis. However, this method has two shortcomings. One is that it cannot be directly applied to the SPN block cipher with a bit permutation layer because it does not consider the diffusion effect formed by the S-boxes replacement layer and the bit permutation layer. e second is that, for a given cryptographic algorithm, the MILP constraint set listed cannot fully describe the differential propagation characteristics of the linear diffusion layer [7]. Professor Sun [8] supplemented and optimized the method of Mouha and applied the method of obtaining the minimum number of active S-boxes to a bit-oriented block cipher. A linear inequality was generated based on the differential characteristics of S-boxes. Constraint inequality generated by XOR operation builds an MILP model to search for the differential characteristics of block ciphers under single-key and related-key setting [9], and the MILP model uses only partial linear inequality, making it solvable in real time.
In recent years, some scholars have applied the MILP method to the research of SKINNY cryptographic algorithms. e designers of SKINNY performed a security evaluation of SKINNY. Using the MILP method, they obtained the lower bound of the minimum number of active S-boxes under the single-key and related-key setting. According to the lower limit of the number of differential active S-boxes in SKINNY, they further assumed that each S-box used the maximum differential probability to evaluate the security boundary of SKINNY. However, it is not clear whether such a difference trail with maximum probability that satisfies the lower bound exists. erefore, Sun et al. [10] proposed a method to obtain stricter boundaries, verified whether the optimal differential trail using the maximum differential probability for all active S-boxes exists, and proposed the method of finding the optimal differential trail of the block cipher algorithm based on MILP. Liu et al. [11] firstly proposed the method of searching the actual differential trail of SKINNY under the relevant tweakable secret key model and used the indirect search method based on MILP to search the optimal differential trail of SKINNY-64 and SKINNY-128. e results show that the probability of the optimal differential trail is much smaller than that obtained from the lower bound of the active S-boxes in SKINNY with the increase of the number of rounds. However, their work is to analyze SKINNY under the related-key setting. Zhang et al. [12] proposed a method based on MILP to automatically search the number of 11 minimum active S-boxes of SKINNY-64/192 and obtained the number of 11 active S-boxes and the corresponding differential trail under this number, but their differential trails are no guarantee that are the optimal trails and other versions of SKINNY-64 are not considered.
In this paper, we analyze the differential propagation characteristics of all SKINNY-64 versions under the singlekey setting model by using MILP and obtain the optimal differential trails. e basic method is to establish the MILP model of SKINNY-64 under the single key setting and use the LPSolve optimizer to obtain an optimized solution with the objective function as the minimum number of active S-boxes. Combined with the differential probability coding information of S-boxes, the model was further improved to obtain the optimal differential trail. e rest of this paper is organized as follows. In Section 2, the MILP model of all SKINNY-64 versions is proposed first. To search the optimal differential trails directly, an improved MILP model of SKINNY-64 and an experimental plan are introduced in Section 3, and also the two experimental results are discussed and analyzed. Finally, Section 4 concludes the work.

Analysis of SKINNY Differential Trail
Based on MILP 2.1. SKINNY Differential Characteristic Optimization Based on MILP. Due to the differential analysis of single-key setting, the key is assumed to be fixed, the round key difference is not considered, and only the state difference is considered. erefore, the MILP model of all SKINNY-64 versions can be uniformly optimized by using the S-box constraint part, the Row Shift constraint part, and the column mixed constraint part. MILP model optimization is mainly carried out by reducing constraint inequalities and the number of variables. e specific parameters of a round of difference analysis before and after MILP optimization are shown in Table 1. It can be seen that the optimization reduces the calculation amount and improves the operation efficiency.
In Figure 1, X i and Y i represent the state difference of the ith round and Y ir is the state difference of Y i after Row Shifting, each containing 16 difference cells and a total of 64 bit difference. For example, X i represents the output difference of the (i − 1)th or the plaintext pair difference (x 0 , ‥K., x 63 ) when i � 1. Each state X i and Y i contains 16 difference cells, each cell is a nibble, respectively, represented by X j and Y j , where j ∈ (0, ‥K., 15). Each difference cell can be expressed as X j � (x 4j , x 4j+1 , x 4j+2 , x 4j+3 ).

S-Box Differential Characteristic Optimization.
e 1st round of SKINNY's differential feature changes for each S-box has a total of 97 differential characteristics, as shown in Table 2.
A set of truncated inequality describing these effective difference modes are obtained by computing the finite multipoint convex closure H-representations in a computational geometry system. rough the inequality generator function in the sage.geometry.polyhedron class of the SageMath, a convex closure of a specific S-box can be obtained and 202 inequalities are calculated. Our implementation follows the details presented in Appendix A. To obtain the optimal linear inequalities describing the SKINNY-64 S-box, we use the greedy algorithm to remove the invalid difference to optimize the model. Finally, it only needs 24 valid truncation inequalities (see Table 3) to solve SKINNY-64, which can accurately describe the difference feature of an S-box. e associated source codes of our implementation are listed at Appendix B.

Shift Row Differential Characteristic.
In the difference analysis, the Row Shift operation process is the same as the Row Shift process of the SKINNY round function; only the 1st row of the internal state value needs to be fixed, and the 2nd, 3rd, and 4th rows are shifted to the right by 1, 2, and 3 bits, as shown in Figures 1(b) and 1(c).

Mix Column after
Output difference X i +1 � M × Y ir for the 1st round, corresponding to the 2nd round of input is shown in Table 4.
Based on the XOR method of MILP modeling, the constraint conditions of Column Mixing can be obtained. If the input is tri-XOR, the intermediate variable u i , i ∈ (0, ..., 15), is introduced. In the column mixed operation, 64 sets of inequalities are generated. Let a⊕b � c, where a and b and c are the input and output differences of the XOR. Virtual variable d ⊕ is introduced, when input a and b and output c are all zero, the variable d ⊕ is zero. In any other cases, the variable d ⊕ is 1. It introduces 64 d ⊕ . erefore, a total of 336 constraint inequalities need to be listed in the 1st round of Column Mixing. Due to the large number of linear inequalities involved, representative constraint inequalities are listed in Table 5.

effective truncation inequalities Number of invalid difference modes removed/inequalities
x 89 � y 9 x 105 � y 21 + y 33 x 121 � y 9 + y 33 x 74 � y 10 + y 34 + y 62 x 90 � y 10 x 106 � y 22 + y 34 x 122 � y 10 + y 34 x 75 � y 11    constraint inequalities and 816 variables are included in the four rounds of skinny-64 differential trail MILP analysis model. To find the differential trail, the number of active S-boxes needs to be determined. S-boxes with nonzero input and output differences are called active S-boxes. Generally, when the number of active S-boxes is determined, the greater the state differential probability in the S-box, the higher the probability of the differential trail. Similarly, the smaller the number of the minimum active S-boxes, the higher the probability of the differential trail [13]. In order to solve the minimum number of active S-boxes, the objective function is set: Among them, A i � 1, the S − box is active, 0, otherwise, , i is the number of the difference units in each round.
Using the LPSolve software to solve the model, the minimum number of active S-boxes for four rounds is finally found to be 8, and the total probabilities of four 4-round differential trails are 2 − 18 (A 0 � 1), 2 − 18 (A 1 � 1), 2 − 21 (A 2 � 1), and 2 − 18 (A 3 � 1), and the result is shown in Figure 2. e average successful search time is 16.0465s (the main configuration of the computer: Intel i7 8700, CPU frequency 3.2 GHz, memory 32G, hard disk 2 TB 7200RPM + 512 GB SSD). However, the experimental results show that these four trails are not optimal. is method is not conducive to the direct search of the optimal differential trail, which needs further improvement.

Improved SKINNY Differential Trail
Search Method e above method can search multiple differential trails with the minimum number of active S-boxes, but the trails with the minimum number of active S-boxes are not all optimal S-box Shi row Security and Communication Networks differential trails. erefore, the MILP model of SKINNY-64 needs to be improved to make it directly find the optimal differential trail.

New S-Box Differential Characteristic Based on Improved MILP
Model. e improved MILP model is mainly to modify the S-box differential feature analysis of the above model, add probability coding information to the optimized MILP model, and reconstruct the S-box differential characteristic.
Each valid differential characteristic of 16 S-boxes (x 4i , ..., x 4i+3 , y i , ..., y 4i+3 ), i ∈ (0, ..., 15), in the 1st round is combined with the corresponding probability information coding, to construct a new difference pattern (x 4i , ..., x 4i+3 , y i , ..., y 4i+3 , p i , q i ) ∈ R 10 . e coding method of probability information is shown in Table 6: According to Table 6, the probability information of the S-box differential characteristic can be expressed as 2 − (p i + 2q i ) . e main idea of the improved method lies in the constraint of S-box difference mode and the choice of objective function. e constraints of the improved S-box model are combined with the coding information of the difference probability, which is closely related to the probability of the difference trail.
So, set the objective function to Although the S-box difference mode is changed after the probability coding information is added, the solution method is the same. Ninety seven new differential characteristics are available with the addition of probabilistic coding information, as shown in Table 7:

Analysis of Improved SKINNY-64 Four-Round MILP
Model. After improving the model, the 1st round of SKINNY-64 difference analysis process contains 816 constraint inequalities and 320 variables. erefore, SKINNY-64 four round differential trail MILP analysis model contains a total of 2928 constraint inequalities and 944 variables.
After the improvement, the optimal differential trail for SKINNY-64 4-round can be found directly. When the minimum number of S-box number in the 4-round is 4, the Security and Communication Networks maximum probability of 4 optimal difference trails is 2 − 16 , which just satisfies the upper bound of the differential probability in the 4-round is shown in Figure 3. e experimental results show that the average successful search time is 19.8945s, which is only 3.848s more than the former (the main configuration of the computer: Intel i7 8700, CPU frequency 3.2 GHz, memory 32G, hard disk 2 TB 7200RPM + 512 GB SSD). Obviously, compared with the previous method, this direct search method has advantages in low rounds.

Conclusion
In this paper, mainly analyze all SKINNY-64 versions' differential trails under single-key setting. During the differential analysis, the key is assumed to be fixed, the round key difference is not considered, and only the state difference is considered. erefore, the MILP model of all SKINNY-64 versions can be uniformly constructed. e state difference process of SKINNY is equivalently abstracted by specific constraints and variables to construct a MILP model. In order to improve the operation efficiency, the MILP model was optimized from two aspects: on the one hand, reducing the number of constraint inequalities, and on the other hand, reducing the number of variables. e optimized model reduces the number of constraints by 2912 and the number of variables by 64. However, the optimal trail cannot be searched directly in this scenario. In order to search the optimal trail more accurately, the MILP model is improved. e differential features of the S-box are reconstructed by adding the differential probability coding information of the S-box, and the model under the new difference mode of the S-box is obtained. Finally, the optimal difference trail of skinny-64 4-round is searched successfully. Our model has obvious advantages in searching the low rounds of SKINNY-64 the optimal differential trails under single-key setting.

Conflicts of Interest
e authors declare that they have no conflicts of interest.