Improved Conditional Differential Analysis on NLFSR-Based Block Cipher KATAN32 with MILP

In this paper, a new method for constructing a Mixed Integer Linear Programming (MILP) model for conditional differential cryptanalysis of nonlinear feedback shift register- (NLFSR-) based block ciphers is proposed, and an approach to detecting the bit with a strongly biased difference is provided. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than previous work. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher, we recover 11 equivalent key bits of 98-round KATAN32 and 13 equivalent key bits of 99-round KATAN32. The time complexity is less than $2^{31}$ encryptions of 98-round KATAN32 and less than $2^{33}$ encryptions of 99-round KATAN32, respectively. Thus far, our results are the best known practical key-recovery attacks on round-reduced variants of KATAN32 regarding both the number of rounds and the time complexity. All the results are verified experimentally.


Introduction
Cryptographic techniques are moving into applications such as access control, parking management, goods tracking, radio frequency identification (RFID) tags, and integrated circuit (IC) printing [1]. At the same time, wireless sensor networks (WSNs) are used for various critical industrial applications, such as heartbeat monitoring, temperature monitoring for precision agriculture, self-monitoring of autonomous vehicles, and power usage monitoring for the smart grid [2,3]. In these new environments, RFID applications and sensor networks share features such as weak computational ability, small storage space, and strict power constraints, while the data they process are sensitive [4]. The ever-increasing demand for security and privacy in these very constrained environments calls for new cryptographic primitives: low-cost, tiny, and efficient ciphers. Traditional block ciphers such as AES are therefore not suitable for these environments. Many lightweight ciphers, including the KATAN and KTANTAN families [5] and Piccolo [6], have been proposed to tackle this problem.
The KATAN and KTANTAN block ciphers were proposed by Christophe De Cannière, Orr Dunkelman, and Miroslav Knezevic at CHES 2009 [5]. In order to reduce the energy consumed in data processing and improve efficiency, KATAN uses nonlinear feedback shift registers (NLFSRs) together with a linear key schedule [7]. Both KATAN and KTANTAN have three variants with 32-bit, 48-bit, and 64-bit block sizes, each requiring an 80-bit user key. In addition, KATAN and KTANTAN share the same data path, including the round transformation and the round constants. The only difference between KATAN and KTANTAN is the generation of subkeys. For KTANTAN, two bits of the 80-bit key $K = k_{79} k_{78} \cdots k_1 k_0$ are selected in each round. The key schedule of KATAN32 (and of the other two variants, KATAN48 and KATAN64) instead loads the 80-bit key into an LFSR (the least significant bit of the key is loaded into position 0 of the LFSR). In each round, positions 0 and 1 of the LFSR provide the round subkey bits $k_{2i}$ and $k_{2i+1}$, and the LFSR is clocked twice. Because of its simple key schedule, KTANTAN was broken by Wei et al. [8]; the more complex key schedule of KATAN makes it stronger, but it is still linear. Knellwolf et al. analyzed KATAN32 in [9] using conditional differential cryptanalysis [10] and recovered four equivalent key bits for 78 of 254 rounds of KATAN32 in the single-key scenario. They subsequently analyzed KATAN32 in the related-key scenario with an improved technique using automatic tools and obtained key-recovery attacks on 120 of 254 rounds of KATAN32 [11]. Observing the nonuniformity of the difference distribution after 91 rounds, Albrecht and Leander proposed a 91-round distinguisher with a time complexity of $2^{32}$ encryptions [12]. These results on KATAN32 are listed in Table 1.
Other types of attacks formally published on this cipher are also listed in Table 1: the all-subkeys-recovery (ASR) attack, a variant of the meet-in-the-middle (MITM) attack [13], the match-box MITM attack [14], the dynamic cube attack [15], and multidimensional MITM attacks [16,17]. As Table 1 shows, the time complexity of each of them is too high for a practical attack.
As stated in [18], related-key attacks are debatable in a practical sense, because a related-key attack assumes that the attacker knows and even controls the relation between several unknown keys. Because of this assumption, the related-key attack is debatable from the standpoint of practical security, though it is meaningful during the design and certification of a cipher. In particular, the key of an ultra-lightweight block cipher in a low-end device such as a passive RFID tag may never be changed during its life cycle. In a practical sense, the security of a lightweight cipher in the single-key scenario is what matters most. As shown in [19], even when the result of an attack in the related-key scenario is better, it is still meaningful to explore attacks in the single-key scenario.
Conditional differential cryptanalysis was first introduced by Biham and Ben-Aroya at Crypto 1993 [10]. The idea is to control the propagation of differences by imposing conditions on the public variables of the cipher; in particular, conditions are imposed to filter plaintexts. Depending on whether these conditions involve secret variables, key-recovery or distinguishing attacks can be mounted: conditions on key bits lead to a key-recovery attack. The technique has been extended to higher-order differential cryptanalysis and later became a very popular technique in the cryptanalysis of hash functions [20]. It increases the probability of a differential characteristic by requiring some conditions to hold, and it is also useful for block ciphers.
In some attacks, the conditions are derived by hand, which is time consuming and error prone. This paper uses an automatic tool, Mixed Integer Linear Programming (MILP), to obtain a minimum set of conditions and new cryptanalytic results. MILP is a general mathematical optimization tool that takes as input a linear objective function and a system of linear inequalities and finds solutions that optimize the objective function subject to all the inequalities. It was first applied by Mouha et al. [21] and Wu et al. [22] to count the active S-boxes of word-based block ciphers. It has since been applied to search for differential characteristics and linear approximations [23,24], for integral distinguishers and division trails [25,26], and for impossible differentials [27,28]. In particular, it has been applied to key-recovery attacks on keyed Keccak MAC, where attackers mounted conditional cube attacks with the propagation of cube variables controlled by conditions in the first several rounds [29][30][31].
1.2. Our Contributions. In this paper, we improve conditional differential attacks in two respects. First, we propose a method for automatic conditional differential cryptanalysis using MILP. This method minimizes the number of conditions under which the differential characteristic holds, because the fewer the conditions, the higher the probability of the differential path. Second, we propose a method to quickly calculate the bias of every bit and to detect the bit with a strongly biased difference. Finally, using the standard differential attack, we extend the conditional differential attack to more rounds. The details are described in the following paragraphs.
We first propose a novel method using MILP to automatically search for an initial difference and the conditions for conditional differential cryptanalysis. In [9], Knellwolf et al. chose initial differences manually, and it is difficult to find the optimal choice, a crucial element of this attack. In this paper, we solve this problem using MILP. We analyze how to identify conditions on internal state variables and then, by modeling the relations between differences in state bits and conditions, construct a system of linear inequalities. The objective of this MILP problem is to minimize the number of conditions over a given number of rounds. With this MILP model, we obtain the initial difference and the conditions automatically. Second, we present an approach to detecting the bias in the difference of an update bit. In [9], Knellwolf et al. detected the bias experimentally by observing nonrandomness in the difference of an update bit. We observe that the probability of a difference in an update bit is determined by the probabilities of differences in the bits that generate it. From this analysis, we derive a formula for evaluating the probability of a difference in an update bit, which helps us detect which bit has a strongly biased difference.
Given the initial difference, the conditions, and the bit's position with a bias, we can mount a key-recovery attack.
We apply conditional differential cryptanalysis with these two improvements to analyze the security of KATAN32. It is shown that we can retrieve ten equivalent key bits for the variant of KATAN32 with 79 initialization rounds and four equivalent key bits with 81 initialization rounds.
Using standard differential attacks, we extend the 81-round conditional differential key-recovery attack to 97, 98, and 99 rounds with time complexities of $2^{30}$, $2^{31}$, and $2^{33}$ encryptions, respectively. The extended key-recovery attacks recover 10, 11, and 13 equivalent key bits, respectively. These are the best known practical cryptanalytic results on KATAN32 so far.
All of our attacks succeed experimentally. All of our source codes and experiment results are available at https://www.dropbox.com/sh/028s4f06f363b2h/AADItFkz-N1KaAMZR7nIPTawa?dl=0.
1.3. Organization. The paper is organized as follows. In Section 2, some preliminaries are introduced. Section 3 describes the two improvements in conditional differential attacks. In Section 4, with these improvements, the attacks mounted on 79 and 81 of 254 rounds of KATAN32 are presented in detail. In Section 5, we extend the attacks to 97, 98, and 99 of 254 rounds of KATAN32 combined with standard differential attacks. Finally, we conclude the paper in Section 6.

Preliminaries
We present our notation in Table 2. Both KATAN and KTANTAN have 80-bit keys, and the only difference between them is the key schedule. The round key bits of KATAN are linear combinations of the initial key bits, whereas the round key bits of KTANTAN are extracted directly from the 80 initial key bits according to a predefined rule. Here, we briefly introduce KATAN32, which is analyzed in this paper.
2.1.1. Key Schedule. The master key $K = (k_0, \ldots, k_{79})$ is loaded into an 80-bit linear feedback shift register, and new round key bits are generated by the linear feedback relation of the KATAN specification [5]. In the remainder of this paper, for any $i \geq 80$, we call $k_i$ an equivalent key bit; it is a linear combination of the initial key bits.
2.1.2. Round Function. At round $t$, the 13-bit NLFSR holds $s_t, \ldots, s_{t+12}$ and the 19-bit NLFSR holds $l_t, \ldots, l_{t+18}$. When $t = 0$, the plaintext $X = (x_{31}, \ldots, x_0)$ is loaded as $l_{t+i} = x_{18-i}$ for $0 \leq i \leq 18$ and $s_{t+i} = x_{31-i}$ for $0 \leq i \leq 12$. At round $t$, for $0 \leq t \leq 253$, two new bits $s_{t+13}$ and $l_{t+19}$ are produced according to the following equations:

$$s_{t+13} = l_t \oplus l_{t+11} \oplus l_{t+6} l_{t+8} \oplus l_{t+10} l_{t+15} \oplus k_{2t+1}, \qquad (2)$$

$$l_{t+19} = s_t \oplus s_{t+5} \oplus s_{t+4} s_{t+7} \oplus s_{t+9} a_t \oplus k_{2t}, \qquad (3)$$

where $a_t$ is a round constant generated by an 8-bit LFSR using the recursion $a_t = a_{t-3} \oplus a_{t-5} \oplus a_{t-7} \oplus a_{t-8}$ ($t \geq 8$) with the seed $(a_0, a_1, \ldots, a_7) = (1, 1, 1, 1, 1, 1, 1, 0)$. After 254 rounds, the register contents are output as the ciphertext. The round function is depicted in Figure 1.

Conditional Differential Analysis.
Knellwolf et al. applied conditional differential cryptanalysis to NLFSR-based cryptosystems at ASIACRYPT 2010 [9]. The technique builds on the differential cryptanalysis used to analyze the initialization of stream ciphers in [32,33]. After choosing an initial difference, it traces the propagation of the difference through the NLFSR-based cryptosystem and identifies conditions on internal state bits that prevent the difference from propagating whenever possible. By taking plaintext pairs conforming to these conditions as input, biases can be detected in the differences of update bits at some rounds. Once a bias is detected, the key is assumed to satisfy the conditions, which yields information about secret key bits. When the conditions involve single key bits or linear relations between key bits, we call each of them one equivalent key bit, and the bias leads to a key-recovery attack.
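The cipher of Section 2 and the conditional-difference idea above, as an added example that is not part of the original paper: a bit-level model of KATAN32 in the paper's $l_i$/$s_i$ indexing, with decryption, and a small experiment on the initial difference $\Delta X = \mathtt{0x10040080}$ used in Section 4.2 (at round 1 the difference in $s_{14}$ is exactly the plaintext bit $x_2$, so the condition $x_2 = 0$ removes it for every key). The key schedule feedback $k_{i+80} = k_i \oplus k_{i+19} \oplus k_{i+30} \oplus k_{i+67}$ is taken from the KATAN specification because this page does not print it, and the ciphertext is assumed to be unloaded with the same bit mapping as the plaintext; everything else follows Section 2.

```python
import random

ROUNDS = 254


def ir_sequence(n):
    """Round constants a_0..a_{n-1}: 8-bit LFSR seeded (1,1,1,1,1,1,1,0),
    a_t = a_{t-3} ^ a_{t-5} ^ a_{t-7} ^ a_{t-8} for t >= 8 (Section 2)."""
    a = [1, 1, 1, 1, 1, 1, 1, 0]
    while len(a) < n:
        t = len(a)
        a.append(a[t - 3] ^ a[t - 5] ^ a[t - 7] ^ a[t - 8])
    return a[:n]


def round_key_bits(key, n):
    """k_0..k_{n-1}: the 80 master key bits (k_0 = LSB of `key`) extended by the
    linear feedback of the KATAN specification (assumed here; not printed on the page)."""
    k = [(key >> i) & 1 for i in range(80)]
    while len(k) < n:
        i = len(k) - 80
        k.append(k[i] ^ k[i + 19] ^ k[i + 30] ^ k[i + 67])
    return k


def load(x):
    """Plaintext loading of Section 2: l_i = x_{18-i} (19-bit NLFSR), s_i = x_{31-i} (13-bit NLFSR)."""
    return [(x >> (18 - i)) & 1 for i in range(19)], [(x >> (31 - i)) & 1 for i in range(13)]


def unload(l, s, t):
    """Inverse of `load`, applied to the register contents at round t."""
    y = 0
    for i in range(19):
        y |= l[t + i] << (18 - i)
    for i in range(13):
        y |= s[t + i] << (31 - i)
    return y


def run(x, key, rounds=ROUNDS):
    """All bits l_0..l_{rounds+18} and s_0..s_{rounds+12} produced while encrypting x."""
    l, s = load(x)
    k = round_key_bits(key, 2 * rounds)
    a = ir_sequence(rounds)
    for t in range(rounds):
        # Equations (2) and (3); both update bits are computed from the old state.
        new_s = l[t] ^ l[t + 11] ^ (l[t + 6] & l[t + 8]) ^ (l[t + 10] & l[t + 15]) ^ k[2 * t + 1]
        new_l = s[t] ^ s[t + 5] ^ (s[t + 4] & s[t + 7]) ^ (s[t + 9] & a[t]) ^ k[2 * t]
        s.append(new_s)
        l.append(new_l)
    return l, s


def encrypt(x, key, rounds=ROUNDS):
    """32-bit ciphertext: the register contents after `rounds` rounds."""
    l, s = run(x, key, rounds)
    return unload(l, s, rounds)


def decrypt(y, key, rounds=ROUNDS):
    """Undo `encrypt` by solving Equations (2)/(3) for l_t and s_t, round by round
    (the decryption direction used in Section 5)."""
    k = round_key_bits(key, 2 * rounds)
    a = ir_sequence(rounds)
    l = {rounds + i: (y >> (18 - i)) & 1 for i in range(19)}
    s = {rounds + i: (y >> (31 - i)) & 1 for i in range(13)}
    for t in range(rounds - 1, -1, -1):
        l[t] = s[t + 13] ^ l[t + 11] ^ (l[t + 6] & l[t + 8]) ^ (l[t + 10] & l[t + 15]) ^ k[2 * t + 1]
        s[t] = l[t + 19] ^ s[t + 5] ^ (s[t + 4] & s[t + 7]) ^ (s[t + 9] & a[t]) ^ k[2 * t]
    return unload(l, s, 0)


def update_bit_difference(x, dx, key, reg, idx):
    """Difference in bit s_idx (reg='s') or l_idx (reg='l') between the encryptions of x and x ^ dx."""
    rounds = idx - (12 if reg == "s" else 18)   # rounds needed to produce that bit
    l1, s1 = run(x, key, rounds)
    l2, s2 = run(x ^ dx, key, rounds)
    return (s1[idx] ^ s2[idx]) if reg == "s" else (l1[idx] ^ l2[idx])


def conditional_rate(dx, reg, idx, condition, samples=200, seed=1):
    """Empirical P{difference = 1} of an update bit over random keys and random
    plaintexts satisfying `condition(x)`: the measurement behind the bias tests of Section 4."""
    rng = random.Random(seed)
    hits = total = 0
    while total < samples:
        x = rng.getrandbits(32)
        if not condition(x):
            continue
        hits += update_bit_difference(x, dx, rng.getrandbits(80), reg, idx)
        total += 1
    return hits / total
```

With the condition $x_2 = 0$ the rate for $\Delta s_{14}$ is exactly 0 and with $x_2 = 1$ exactly 1, whereas without a condition it is about 1/2; that is what imposing a condition buys. At round 0 the two linear taps $l_0$ and $l_{11}$ both carry a difference and cancel, so $\Delta s_{13}$ and $\Delta l_{19}$ are 0 for every plaintext and key.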

Improved Conditional Differential Cryptanalysis
In [9], the authors traced differences through cryptosystems and prevented the propagation whenever possible by identifying conditions on internal state variables. They gave suggestions on manually choosing an initial difference rather than providing a specific method for acquiring it. They suggest that the difference propagation should be controllable for as many rounds as possible with fewer conditions. They also suggest there should not be too many conditions involving bits of K during initial rounds. While the initial difference is of crucial importance with respect to the number of rounds attacked, it is not easy to manually choose a suitable initial difference. In this paper, we propose a novel method using MILP to search for an initial difference, deriving as few conditions as possible and the differential characteristic that covers as many rounds as possible. We also present a method for evaluating the probability of the difference in the update bit, by which we can detect the bit with an obvious bias.
Using these two improvements, we apply the improved conditional differential cryptanalysis to block cipher KATAN32. The framework of the analysis is divided into the following four steps.
(1) Search for an initial difference with MILP. With the method described in Section 3.1, one formulates an MILP model of the difference propagation, searches for a differential characteristic with the minimum number of conditions, and obtains the initial difference at the same time.
(2) Choose conditions. We trace the propagation of the initial difference and identify conditions that prevent differences from propagating, until the number of key bits and plaintext bits involved in the conditions becomes too large to mount an attack (i.e., exceeds the enumeration capability).
(3) Calculate the bias. Given the initial difference and the conditions chosen in the previous steps, the probability of a difference in each bit of the two NLFSRs at the round where conditions cease to be applied is easily derived. Taking these probabilities as input to the method of Section 3.2, we calculate the probability of a difference in each subsequent update bit. From these probabilities, we locate the bit whose difference shows an obvious bias at the largest number of rounds.
(4) Mount the key-recovery attack. Since the conditions involve some equivalent key bits, if plaintexts are selected according to conditions built from the correct equivalent key bits, the difference in the located update bit shows the bias, and the equivalent key bits involved in the conditions can be recovered. The attack is summarized in Algorithm 1.

3.1. Modeling the Difference Propagation of the Round Function. By modeling the propagation of differences under the control of conditions, we obtain an initial difference and a conditional differential characteristic with the fewest conditions. The steps are as follows.
(1) Finding All Modes of Difference Propagation under the Control of Conditions. For KATAN32, at each round, only two bits are generated by some bits from the previous round, so the differences in these two bits are caused only by these bits. Equations (2) and (3) show the relation between these bits.
There are linear and nonlinear terms in Equations (2) and (3). If there are differences in nonlinear terms, the difference in the update bit can be canceled by imposing conditions even if there are differences in linear terms at the same time. If differences appear only in linear terms, there are no possible conditions that could be applied to cancel the differences; they only can be canceled by one another, or the difference appears in the update bit.
For example, consider Equation (2): $s_{t+13} = l_t \oplus l_{t+11} \oplus l_{t+6} l_{t+8} \oplus l_{t+10} l_{t+15} \oplus k_{2t+1}$. If $\Delta l_{t+6} = 1$ and no other bit has a difference, we add the condition $l_{t+8} = 0$ to ensure that $\Delta s_{t+13} = 0$; the number of conditions is 1 and the difference in the update bit is 0. If $\Delta l_{t+11} = 1$ and no other bit has a difference, no condition can cancel the difference: it appears in the update bit and propagates to the next round; the number of conditions is 0 and the difference in the update bit is 1. This shows that we can apply conditions to prevent the propagation of differences when the difference state (we call the difference of the internal state the difference state) takes certain values, while for other values no condition can prevent the propagation.
For each exact difference state, it can be confirmed whether conditions could be applied and whether there would be a difference in the update bit according to the previous strategy that is aimed at preventing the propagation of differences.
With respect to Equation (2), $s_{t+13}$ is generated by six bits of the 19-bit NLFSR at round $t$, so the difference in $s_{t+13}$ depends on the values and the differences of these six bits. Let $c$ (the flag of adding a condition) denote whether a condition is applied to cancel the difference in the update bit, and search all values of the vector $(\Delta l_t, \Delta l_{t+11}, \Delta l_{t+6}, \Delta l_{t+8}, \Delta l_{t+10}, \Delta l_{t+15}, \Delta s_{t+13}, c)$ according to the following strategy.
By Equation (2), $\Delta s_{t+13}$ may be 1 or 0. If a condition can be applied to ensure that $\Delta s_{t+13} = 0$, then $\Delta s_{t+13}$ takes the value 0 and $c$ takes the value 1.
If there must be a difference in $s_{t+13}$ and no condition can cancel it, then $\Delta s_{t+13}$ takes the value 1 and $c$ takes the value 0.
Meanwhile, with respect to Equation (3), we can likewise find all values of the difference state $(\Delta s_t, \Delta s_{t+5}, \Delta s_{t+4}, \Delta s_{t+7}, \Delta s_{t+9}, \Delta l_{t+19}, c)$. It should be noted that Equation (3) contains the round constant $a_t$. When $a_t = 1$, Equation (3) contains five Boolean variables $s_t$, $s_{t+5}$, $s_{t+4}$, $s_{t+7}$, and $s_{t+9}$, so the difference state $(\Delta s_t, \Delta s_{t+5}, \Delta s_{t+4}, \Delta s_{t+7}, \Delta s_{t+9})$ can take one of $2^5 = 32$ values, which yield the 32 values of the 7-dimensional vector $(\Delta s_t, \Delta s_{t+5}, \Delta s_{t+4}, \Delta s_{t+7}, \Delta s_{t+9}, \Delta l_{t+19}, c)$ shown in Table 4. When $a_t = 0$, the term $s_{t+9} a_t$ vanishes, and $\Delta s_{t+9}$ does not affect $\Delta l_{t+19}$.

Algorithm 1. The key-recovery attack.
Input: Equation (2) and Equation (3)
Output: $g$: correct equivalent key bits
  Obtain an initial difference $\Delta X$ and a condition set $\kappa$ by the MILP technique;
  $\kappa \leftarrow$ {conditions chosen from $\kappa$ in the early rounds, such that the number of key bits and plaintext bits involved in the conditions does not exceed the enumeration capability};
  $\lambda \leftarrow$ {the probability of the difference of each bit at round $r$, from which conditions cease being applied; derived from $\Delta X$ and $\kappa$};
  $P \leftarrow$ {the probabilities of the differences of each subsequent update bit after round $r$, calculated from $\lambda$ by the method of Section 3.2};
  $t \leftarrow$ the bit derived from $P$ having a nonzero bias at the highest possible number of rounds;
  for $g \in$ {enumerate the equivalent key bits involved in $\kappa$} do
    count1 = 0; count0 = 0;
    for $x \in$ {enumerate the plaintext bits involved in $\kappa$} do
      if $x$, $g$ satisfy $\kappa$ then
        calculate $\Delta t$ from $x$ and $\Delta X$;
        if $\Delta t = 1$ then count1++; else count0++;
      end
    end
  end
(2) Modeling the Vector Sets Using Linear Inequalities. Using SageMath (http://www.sagemath.org), we obtain 19 linear inequalities that exactly describe the set of the 64 8-dimensional vectors in Table 3. This set of linear inequalities characterizes the difference propagation of Equation (2) under the control of conditions. After a simple reduction, ten inequalities remain; $L_1$ lists these ten inequalities.

Wireless Communications and Mobile Computing
(3) Formulating the MILP Model to Determine an Initial Difference and Minimum Conditions. With these linear inequalities, we capture the relationships among the differences of the bits that generate an update bit, the flag of adding a condition, and the difference of the update bit within one round. We then instantiate the inequalities for $n$ rounds, where $n$ is a chosen number, to obtain the constraints of the MILP model. The objective function to be minimized is $\sum_{i=0}^{n} c_i$, and the constraint on the initial difference is $\sum_{i=0}^{31} \Delta x_i \geq 1$. In our work, the MILP problem is solved with CPLEX. From the solution we obtain both an initial difference and the minimum set of conditions.
The conditions applied in later rounds involve too many plaintext bits and key bits, so we apply only the conditions of the earlier rounds rather than all of them. From a particular round on, no more conditions are applied, which leaves the difference propagation in the subsequent rounds uncontrolled. After several more rounds, the probability of a difference in the update bit would always be 1/2. In Section 3.2, we propose a method to evaluate the difference probability of the update bits, which helps us find the bit whose difference probability deviates significantly from 1/2 at the largest number of rounds.
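Steps (1)-(3) carried through in code, as an added example that is not the paper's code (the paper used SageMath for the inequalities and CPLEX for the MILP): it enumerates the difference-propagation modes of Equations (2) and (3) under the "prevent whenever possible" strategy above, which are the vector sets behind Tables 3 and 4, and evaluates the MILP objective $\sum c_i$ for one fixed initial difference by tracing it through $n$ rounds with every cancellable difference cancelled. Tap positions follow Section 2, the round constants are recomputed from the LFSR recursion given there, and the two initial differences used are the ones reported later in Section 4; deriving the inequalities and solving the MILP are left to the external tools.

```python
# Taps relative to round t: (linear taps, nonlinear pairs), in the vector order of Section 3.1.
L_LIN, L_NL = (0, 11), ((6, 8), (10, 15))   # Equation (2): s_{t+13} from the 19-bit NLFSR
S_LIN, S_NL = (0, 5), ((4, 7),)             # Equation (3): l_{t+19} from the 13-bit NLFSR
S_CONST_TAP = 9                             # the tap multiplied by the round constant a_t


def ir_sequence(n):
    """Round constants a_0..a_{n-1} of Section 2."""
    a = [1, 1, 1, 1, 1, 1, 1, 0]
    while len(a) < n:
        t = len(a)
        a.append(a[t - 3] ^ a[t - 5] ^ a[t - 7] ^ a[t - 8])
    return a[:n]


def propagate(lin, nl):
    """One update bit.  lin: differences of the linear taps; nl: (da, db) per product term.
    A difference in a product term can always be cancelled by a condition on the other
    factor (or on a ^ b when both differ), so the update bit gets no difference and the
    flag c is set.  Differences in linear taps only cancel each other; otherwise they
    reach the update bit and c = 0."""
    if any(da | db for da, db in nl):
        return 0, 1
    d = 0
    for x in lin:
        d ^= x
    return d, 0


def modes_eq2():
    """The 64 vectors (dl_t, dl_{t+11}, dl_{t+6}, dl_{t+8}, dl_{t+10}, dl_{t+15}, ds_{t+13}, c) of Table 3."""
    rows = []
    for v in range(64):
        b = [(v >> i) & 1 for i in range(6)]
        d, c = propagate(b[:2], [(b[2], b[3]), (b[4], b[5])])
        rows.append(tuple(b) + (d, c))
    return rows


def modes_eq3(a_t=1):
    """The 32 vectors (ds_t, ds_{t+5}, ds_{t+4}, ds_{t+7}, ds_{t+9}, dl_{t+19}, c) of Table 4.
    With a_t = 1 the tap s_{t+9} is linear; with a_t = 0 it drops out of Equation (3)."""
    rows = []
    for v in range(32):
        b = [(v >> i) & 1 for i in range(5)]
        lin = b[:2] + ([b[4]] if a_t else [])
        d, c = propagate(lin, [(b[2], b[3])])
        rows.append(tuple(b) + (d, c))
    return rows


def trace(delta_x, rounds):
    """Trace dX through `rounds` rounds, cancelling every difference a condition can cancel.
    Returns (dl, ds, conds): dl_i / ds_i for every bit produced, and the (round, register)
    pairs at which a condition was imposed ('s' for s_{t+13}, 'l' for l_{t+19})."""
    dl = [(delta_x >> (18 - i)) & 1 for i in range(19)]   # dl_i = dx_{18-i}
    ds = [(delta_x >> (31 - i)) & 1 for i in range(13)]   # ds_i = dx_{31-i}
    a = ir_sequence(rounds)
    conds = []
    for t in range(rounds):
        d_s, c_s = propagate([dl[t + i] for i in L_LIN], [(dl[t + i], dl[t + j]) for i, j in L_NL])
        if c_s:
            conds.append((t, "s"))
        lin = [ds[t + i] for i in S_LIN] + ([ds[t + S_CONST_TAP]] if a[t] else [])
        d_l, c_l = propagate(lin, [(ds[t + i], ds[t + j]) for i, j in S_NL])
        if c_l:
            conds.append((t, "l"))
        ds.append(d_s)   # ds_{t+13}
        dl.append(d_l)   # dl_{t+19}
    return dl, ds, conds


def condition_count(delta_x, rounds):
    """The MILP objective sum(c_i) evaluated for a fixed initial difference."""
    return len(trace(delta_x, rounds)[2])
```

For $\Delta X = \mathtt{0xc4200801}$ the trace flags conditions at rounds 1, 3, 8, 10, 12, 14, 19, 21, and 23 for the 13-bit register's update bit and at rounds 1, 3, and 6 for the 19-bit register's, twelve in all over the first 24 rounds; dropping the round-19 one gives the eleven conditions the paper imposes, and the state entering round 24 has a difference only in $l_{29}$ (plus the uncontrolled $s_{32}$), as in Table 6.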

3.2. Detecting the Bias of the Difference. In [9,11], a bias was detected by experimentally observing certain nonrandomness; we now present a method for detecting the bias automatically by computation. The method produces a formula for the probability of the update bit difference, enabling us to find the bit whose difference probability is biased away from 1/2. The greater the bias, the higher the probability of a successful attack.
The properties below show that we can evaluate the probability of a difference in the update bit, given the probabilities of differences in the bits that generate it. When conditions cease being applied, we know the probability of a difference in each bit of the two NLFSRs at that round. Using these probabilities, we can calculate the update bit difference probability in each subsequent round.

Property 1. Let $a$, $b$ be two independent random Boolean variables. Then
$$P\{\Delta(a \oplus b) = 1\} = P\{\Delta a = 1\} + P\{\Delta b = 1\} - 2\,P\{\Delta a = 1\}\,P\{\Delta b = 1\}.$$
With Property 1, if the probabilities of the differences in $a$ and $b$ are known, we can evaluate the probability of the difference in $a \oplus b$. It extends to the sum of four Boolean variables.

Property 2. Let $x, y, z, w$ be independent random Boolean variables. Then $P\{\Delta(x \oplus y \oplus z \oplus w) = 1\}$ is obtained by applying Property 1 three times.

In the following, we consider the difference probability of the product of two Boolean variables. Property 3 shows how to evaluate it.
Property 3. Let $a$, $b$ be as in Property 1. Then $P\{\Delta(ab) = 1\}$ is determined by $P\{\Delta a = 1\}$ and $P\{\Delta b = 1\}$. In Equations (2) and (3), there is no difference in the key bits or the round constant, so $k_{2t+1}$, $k_{2t}$, and $a_t$ do not influence the probability of the difference.
Accordingly, we derive the following. From Equation (2), we obtain the formula for the probability of $\Delta s_{t+13} = 1$ by applying Property 2 to the four terms $l_t$, $l_{t+11}$, $l_{t+6} l_{t+8}$, and $l_{t+10} l_{t+15}$, where $P\{\Delta(l_{t+6} l_{t+8}) = 1\}$ and $P\{\Delta(l_{t+10} l_{t+15}) = 1\}$ are given by Property 3 (formulas (8) and (9)). From Equation (3), we obtain in the same way the formula for the probability of $\Delta l_{t+19} = 1$ (formulas (10) and (11)). Using the two formulas, Algorithm 2 calculates the probabilities of the differences in the update bits at every round after the conditions stop being applied. From a certain round on, the probability remains 1/2. Before that, we can find the biased bit corresponding to the longest conditional differential characteristic.
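Properties 1-3 and Algorithm 2 carried through in code, as an added example that is not the paper's code. Property 1 is as stated above. The product rule of Property 3, whose printed form is not on this page, is derived here under the paper's assumption that $a$ and $b$ are independent uniform bits, independent of their differences: $\Delta(ab) = a\,\Delta b \oplus b\,\Delta a \oplus \Delta a\,\Delta b$, which is uniform whenever at least one factor has a difference, so $P\{\Delta(ab) = 1\} = (P\{\Delta a = 1\} + P\{\Delta b = 1\} - P\{\Delta a = 1\}\,P\{\Delta b = 1\})/2$. Exact rationals are used so that a probability of exactly 1/2 is recognized as such. The sample starting state is the round-24 difference state of the $\Delta X = \mathtt{0xc4200801}$ characteristic of Section 4, constructed from the last row of Table 6.

```python
from fractions import Fraction

HALF = Fraction(1, 2)


def ir_sequence(n):
    """Round constants a_0..a_{n-1} of Section 2."""
    a = [1, 1, 1, 1, 1, 1, 1, 0]
    while len(a) < n:
        t = len(a)
        a.append(a[t - 3] ^ a[t - 5] ^ a[t - 7] ^ a[t - 8])
    return a[:n]


def p_xor(*ps):
    """Property 1 applied repeatedly (Property 2): P{d(a ^ b ^ ...) = 1}."""
    r = Fraction(0)
    for p in ps:
        r = r + p - 2 * r * p
    return r


def p_and(p, q):
    """Property 3 as derived in the lead-in: P{d(ab) = 1} from P{da = 1} = p and P{db = 1} = q.
    Note the product is 1/2 as soon as either factor differs with certainty."""
    return (p + q - p * q) / 2


def update_bit_probabilities(t, u, pl, ps):
    """Algorithm 2.  pl[i] = P{dl_i = 1} for t <= i <= t+18 and ps[i] = P{ds_i = 1} for
    t <= i <= t+12 describe the state at round t, where the conditions cease.
    Returns {('s', i+13): P{ds_{i+13} = 1}, ('l', i+19): P{dl_{i+19} = 1}} for t <= i <= u."""
    pl, ps = dict(pl), dict(ps)
    a = ir_sequence(u + 1)
    out = {}
    for i in range(t, u + 1):
        # Equation (2): s_{i+13} = l_i ^ l_{i+11} ^ l_{i+6} l_{i+8} ^ l_{i+10} l_{i+15} ^ k_{2i+1}
        new_s = p_xor(pl[i], pl[i + 11],
                      p_and(pl[i + 6], pl[i + 8]), p_and(pl[i + 10], pl[i + 15]))
        # Equation (3): l_{i+19} = s_i ^ s_{i+5} ^ s_{i+4} s_{i+7} ^ s_{i+9} a_i ^ k_{2i}
        terms = [ps[i], ps[i + 5], p_and(ps[i + 4], ps[i + 7])]
        if a[i]:
            terms.append(ps[i + 9])
        new_l = p_xor(*terms)
        ps[i + 13], pl[i + 19] = new_s, new_l
        out[("s", i + 13)] = new_s
        out[("l", i + 19)] = new_l
    return out


def biased_bits(probs):
    """Bits whose difference probability is not exactly 1/2, mapped to their bias."""
    return {bit: p - HALF for bit, p in probs.items() if p != HALF}


def state_after_round_23():
    """Constructed input, read off the round-24 row of Table 6 for dX = 0xc4200801:
    dl_29 = 1 with certainty, ds_32 unknown (its condition was skipped, so 1/2),
    every other bit of the two registers 0."""
    pl = {i: Fraction(0) for i in range(24, 43)}
    ps = {i: Fraction(0) for i in range(24, 37)}
    pl[29] = Fraction(1)
    ps[32] = HALF
    return pl, ps
```

Because an XOR with a 1/2-probability term is exactly 1/2 and a product with a certain difference is exactly 1/2, the value 1/2 is absorbing: once it enters a linear tap it spreads through the registers, which is why the probabilities become 1/2 for good after some round. The formulas treat the taps as independent, which they are not once bits are reused, so the bias they predict is a heuristic that the paper confirms experimentally in Section 4.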

Application to KATAN32
We have applied the MILP method to KATAN32 for different numbers of rounds to obtain differential characteristics with minimum conditions. We choose the two results with the fewest conditions in the early rounds.
For 64-round KATAN32 (modeling all 64 rounds in a single MILP instance), the minimum number of conditions is 27. However, we cannot apply all of them, since too many key bits and plaintext bits are involved, which would make the attack infeasible. We therefore impose only 11 conditions from the first 23 rounds. Since the conditions from round 24 on are not applied, the difference propagation goes out of control, and more and more update bits have a difference probability of 1/2. We calculate the probabilities of $\Delta s_{t+13} = 1$ and $\Delta l_{t+19} = 1$ after round 23 and find that the probability of $\Delta s_{t+13} = 1$ is always 1/2 from $s_{79}$ on and the probability of $\Delta l_{t+19} = 1$ is always 1/2 from $l_{82}$ on. Before $l_{82}$, we detect an obvious bias in $\Delta l_{79}$. $l_{79}$ is generated at round 60 and is the rightmost bit of the 19-bit NLFSR at round 79. Using the bias of $\Delta l_{79}$, we recover 10 equivalent key bits of 79-round KATAN32.
For 77-round KATAN32, the minimum number of conditions is 34. We impose only seven conditions from the first 16 rounds and recover four equivalent key bits of 81-round KATAN32 using a bias in $\Delta l_{81}$. $l_{81}$ is generated at round 62 and is the rightmost bit of the 19-bit NLFSR at round 81.
In this section, we present the details of our analysis and attacks on these two results.
4.1. Key-Recovery Attack on 79-Round KATAN32. The initial difference of the differential characteristic of 64-round KATAN32 is $\Delta X = \mathtt{0xc4200801}$, of weight six at positions 0, 11, 21, 26, 30, and 31 of the plaintext block.

At round 8, we have $\Delta s_{21} = l_{23}$, and we impose the condition $l_{23} = 0$ (condition (12)). At round 10, we have $\Delta s_{23} = x_2$, and we impose the condition $x_2 = 0$ (condition (13)). At round 12, we have $\Delta s_{25} = l_{20}$, and we impose the condition $l_{20} = 0$ (condition (14)). At round 14, we have $\Delta s_{27} = l_{24}$, and we impose the condition $l_{24} = 0$ (condition (15)). At round 19, we have $\Delta s_{32} = l_{34}$. If we tried to impose the condition $l_{34} = 0$, it would involve too many variables, making the attack infeasible because of the significantly higher computational complexity; so we skip this condition and assume $P\{\Delta s_{32} = 1\} = 1/2$. At round 21, we have $\Delta s_{34} = l_{27}$, and we impose the condition $l_{27} = 0$ (condition (16)). At round 23, we have $\Delta s_{36} = l_{31}$, and we impose the condition $l_{31} = 0$ (condition (17)). The difference propagation and the conditions applied are presented in Table 6.

Algorithm 2. Calculating the probabilities of the differences in the update bits from round $t$ to round $u$.
Input: $\{P\{\Delta s_t = 1\}, P\{\Delta s_{t+1} = 1\}, \ldots, P\{\Delta s_{t+12} = 1\}\}$: the probabilities of the difference for each bit of the 13-bit NLFSR at round $t$; $\{P\{\Delta l_t = 1\}, P\{\Delta l_{t+1} = 1\}, \ldots, P\{\Delta l_{t+18} = 1\}\}$: the probabilities of the difference for each bit of the 19-bit NLFSR at round $t$.
Output: $A$: the probabilities of the differences of the update bits from round $t$ to round $u$ (two update bits per round).
  $S := \{P\{\Delta s_t = 1\}, P\{\Delta s_{t+1} = 1\}, \ldots, P\{\Delta s_{t+12} = 1\}\}$;
  $L := \{P\{\Delta l_t = 1\}, P\{\Delta l_{t+1} = 1\}, \ldots, P\{\Delta l_{t+18} = 1\}\}$;
  $A := \emptyset$;
  for $i \in \{t, t+1, \ldots, u\}$ do
    $P\{\Delta s_{i+13} = 1\} :=$ the probability calculated from $L$ according to formulas (8) and (9);
    $P\{\Delta l_{i+19} = 1\} :=$ the probability calculated from $S$ according to formulas (10) and (11);
According to Algorithm 2, we compute the bias of the difference in the update bit for each round after round 24 and find that, starting from $l_{82}$, the probability of $\Delta l_{t+19} = 1$ is always 1/2. Among the bits whose positions are close to $l_{82}$, $l_{79}$ has the most strongly biased difference. We confirmed the strongly biased difference in bit $l_{79}$ experimentally. Consider the conditions applied: ten equivalent key bits $k_0$, $k_1$, $k_2$, $k_3 \oplus k_{10}$, $k_5$, $k_7$, $k_8$, $k_9 \oplus k_{24}$, $k_{13}$, $k_{16}$ and 21 plaintext bits are involved in the conditions. We choose $2^8$ keys in which the bits $k_0, k_1, k_2, k_3, k_5, k_7, k_8, k_9$ are free and the remaining bits are fixed. For each key, we enumerate the $2^{21}$ plaintexts in which the 21 bits involved in the conditions are free and the other bits are zero. We then use conditions (12)-(17) to filter the $2^{21}$ plaintexts; for each plaintext satisfying the conditions, we compute $\Delta l_{79}$ with the initial difference $\Delta X = \mathtt{0xc4200801}$ and finally count $P\{\Delta l_{79} = 1\}$. The complexity of each experiment is less than $2^{21+1} = 2^{22}$ evaluations of 60-round KATAN32, since not every plaintext passes the filter. The experimental results verify the strongly biased difference in bit $l_{79}$: in all 256 experiments, $P\{\Delta l_{79} = 1\}$ is lower than $0.5 - 0.00001$.
Furthermore, we can mount a key-recovery attack. Looking at conditions (12)-(17), we treat the ten equivalent key bits $k_0$, $k_1$, $k_2$, $k_3 \oplus k_{10}$, $k_5$, $k_7$, $k_8$, $k_9 \oplus k_{24}$, $k_{13}$, $k_{16}$ as ten variables. Since the key is unknown to the attacker, we enumerate the $2^{10}$ guesses of these ten equivalent key bits. For each guess, as in the verification, we use conditions (12)-(17) to filter the $2^{21}$ plaintexts in which the 21 bits involved in conditions (12)-(17) are free and the other 11 bits are fixed to zero, compute $\Delta l_{79}$ with the initial difference $\Delta X = \mathtt{0xc4200801}$, and finally count $P\{\Delta l_{79} = 1\}$.
When the guess is correct, the plaintexts are filtered by the conditions built from the correct equivalent key bits, and $P\{\Delta l_{79} = 1\}$ shows the obvious bias. Among the 1024 statistics obtained from the guesses of the 10 equivalent key bits, the maximum bias corresponds to the correct values of the ten equivalent key bits. This allows us to recover $k_0$, $k_1$, $k_2$, $k_3 \oplus k_{10}$, $k_5$, $k_7$, $k_8$, $k_9 \oplus k_{24}$, $k_{13}$, $k_{16}$ with an experimental complexity of less than $2^{10+21+1} = 2^{32}$ evaluations of 60-round KATAN32. We randomly chose four 80-bit keys and mounted four key-recovery experiments; each time the ten equivalent key bits were recovered correctly, as shown in Table 7.

4.2. Key-Recovery Attack on 81-Round KATAN32. The initial difference of the differential characteristic of 77-round KATAN32 has weight three, at positions 7, 18, and 28 of the plaintext block: $\Delta X = \mathtt{0x10040080}$.
At round 1, we have $\Delta s_{14} = x_2$, and we impose the condition $x_2 = 0$ to prevent the difference from propagating.
At round 12, we have $\Delta s_{25} = l_{27}$, and we impose the condition $l_{27} = 0$.

Table 6: Differential characteristic and conditions for $\Delta X = \mathtt{0xc4200801}$ (only the final row, round 24, is legible in this copy).
Round | 13-bit NLFSR difference | 19-bit NLFSR difference
24 | 00000000*0000 | 0000010000000000000
The bold bits denote the update bits. The bold italic bits denote the bits that generate the update bits. The differential probability of the bit * is 1/2.
We compute the bias of the update bit of each round from the 17th round on and find that, starting from $l_{84}$, the probability of $\Delta l_{t+19} = 1$ is always 1/2. Among the bits whose positions are close to $l_{84}$, $l_{81}$ has the most strongly biased difference: $P\{\Delta l_{81} = 1 \mid \text{all conditions satisfied}\} \approx 0.5 + 0.000226$. We verified the strongly biased difference in bit $l_{81}$ experimentally. There are four equivalent key bits $k_5$, $k_1 \oplus k_{16}$, $k_2$, $k_3 \oplus k_{10}$ and 16 plaintext bits involved in conditions (19)-(21). We choose $2^4$ keys in which $k_1, k_2, k_3, k_5$ are free and the other bits are fixed. For each key, we enumerate the $2^{16}$ plaintexts in which the 16 bits involved in the conditions are free and the other bits are fixed to 0. We then use conditions (19)-(21) to filter the $2^{16}$ plaintexts; for each plaintext satisfying the conditions, we compute $\Delta l_{81}$ with the initial difference $\Delta X = \mathtt{0x10040080}$ and count $P\{\Delta l_{81} = 1\}$. The complexity of each experiment is less than $2^{16+1} = 2^{17}$ evaluations of 62-round KATAN32. In all 16 experiments, $P\{\Delta l_{81} = 1\}$ is greater than $0.5 + 0.000226$.
We now describe the key-recovery attack. Looking at conditions (19)-(21), we treat the four equivalent key bits $k_1 \oplus k_{16}$, $k_2$, $k_3 \oplus k_{10}$, $k_5$ as four Boolean variables. There are 16 plaintext bits involved in conditions (19)-(21). To enlarge the space of plaintexts remaining after filtering, we choose three further plaintext bits not included in any condition as free bits, in addition to the 16 plaintext bits involved in conditions (19)-(21). For each of the $2^4$ guesses of these four variables, we use conditions (19)-(21) to filter the $2^{19}$ plaintexts enumerated over the 19 chosen bits, with the remaining 13 bits fixed to 0. We then compute $\Delta l_{81}$ with the initial difference $\Delta X = \mathtt{0x10040080}$ and count $P\{\Delta l_{81} = 1\}$. Among the 16 statistics obtained from the 16 guesses of the four equivalent key bits, the maximum bias corresponds to the correct value of the four equivalent key bits, allowing us to recover $k_1 \oplus k_{16}$, $k_2$, $k_3 \oplus k_{10}$, $k_5$. The complexity of the experiment is less than $2^{4+19+1} = 2^{24}$ evaluations of 62-round KATAN32. We chose five 80-bit keys at random and mounted five key-recovery experiments; each time the four equivalent key bits were correctly recovered. The results of these five experiments are listed in Table 9.

Extension with the Standard Differential Attack
Combined with the standard differential attack, the conditional differential attack on 81-round KATAN32 can be   [34], we give the algebraic representation of the intermediate state in terms of the ciphertext and the round keys. Using Equations (2) and (3), we obtain the expressions of l_t and s_t in the decryption direction. Suppose the output bits of 97-round KATAN32 for plaintext X are S_97 = (s_97, s_98, ..., s_110) and L_97 = (l_97, l_98, ..., l_115), and the output bits of 97-round KATAN32 for plaintext X + ΔX are S'_97 = (s'_97, s'_98, ..., s'_110) and L'_97 = (l'_97, l'_98, ..., l'_115). In the decryption direction, Δl_81 can be expressed in terms of the round keys and the ciphertext of 97-round KATAN32 using Equations (23) and (24). According to this expression, one can compute Δl_81 from the ciphertexts of 97-round KATAN32 and the six equivalent key bits k_175, k_179, k_183, k_187, k_191, k_193. We extend the attack described in Section 4.2 to 97 rounds. The plaintexts that pass the condition filter are encrypted with 97-round KATAN32, and Δl_81 is computed from the resulting ciphertexts and the guess of the six equivalent key bits k_175, k_179, k_183, k_187, k_191, k_193. For every guess of the ten equivalent key bits (k_1 ⊕ k_16, k_2, k_3 ⊕ k_10, k_5, k_175, k_179, k_183, k_187, k_191, k_193), we compute and count Δl_81 over the set of filtered plaintexts. If the guess is right, P{Δl_81 = 1} shows an obvious bias. The computational cost of the experiment is less than 2^{24+6} encryptions of 97-round KATAN32. We mounted five key-recovery experiments with the same keys as in Section 4.2, and each time the ten equivalent key bits were recovered correctly.

Key-Recovery
The expression contains seven equivalent key bits k_175, k_179, k_183, k_187, k_191, k_193, k_195, which makes the computational cost of the key-recovery attack less than 2^{24+7} encryptions of 98-round KATAN32. In this attack, 11 equivalent key bits k_1 ⊕ k_16

Table 9: No. | 80-bit key | Equivalent key bits with the maximum bias k_1 ⊕ k_16

There are nine equivalent key bits k_175, k_179, k_183, k_187, k_191, k_193, k_195, k_196, k_197. So the computational cost of the key-recovery attack is less than 2^{24+9} encryptions of 99-round KATAN32. In this attack, 13 equivalent key bits k_1 ⊕ k_16, k_2, k_3 ⊕ k_10, k_5, k_175, k_179, k_183, k_187, k_191, k_193, k_195, k_196, k_197 can be correctly recovered. Every experiment requires about 9.64 hours on a 2.5 GHz PC with our implementation.
It is thus possible to extend the conditional differential attack on 81-round KATAN32 to 114 rounds at a computational cost of less than 2^63 encryptions of 114-round KATAN32.

Conclusion
Conditional differential analysis of NLFSRs is quite a recent research topic. We advance research in this direction by applying Mixed Integer Linear Programming to the NLFSR-based block cipher KATAN32, a typical and well-designed lightweight block cipher. This is the first time MILP has been applied to the automatic search for conditional differential trails. Using MILP lets us efficiently obtain the initial difference and the conditions of the conditional differential analysis. We propose a new method to quickly compute the probability of a difference in order to detect the bit with a bias. We apply the improved conditional differential analysis to KATAN32 and obtain two results, recovering ten equivalent key bits of 79-round KATAN32 and four equivalent key bits of 81-round KATAN32, respectively.
Combined with the standard differential attack, we extend the 81-round conditional key-recovery attack to 99 rounds with a time complexity of 2^33 encryptions of 99-round KATAN32 and recover 13 equivalent key bits. Compared with the previously best practical distinguisher on KATAN32, our results cover more than seven additional rounds with less computation time and memory. We believe both strategies to be general for NLFSR-based ciphers. Applying these two strategies to other NLFSR-based ciphers will be one topic of interest in our future work.

Conflicts of Interest
The authors declare that they have no conflicts of interest.