Cryptanalysis of Reduced round SKINNY Block Cipher

SKINNY is a family of lightweight tweakable block ciphers designed to have the smallest hardware footprint. In this paper, we present zero-correlation linear approximations and the related-tweakey impossible differential characteristics for different versions of SKINNY. We utilize Mixed Integer Linear Programming (MILP) to search all zero-correlation linear distinguishers for all variants of SKINNY, where the longest distinguisher found reaches 10 rounds. Using a 9-round characteristic, we present 14 and 18-round zero correlation attacks on SKINNY-64-64 and SKINNY-64-128, respectively. Also, for SKINNY-n-n and SKINNY-n-2n, we construct 13 and 15-round related-tweakey impossible differential characteristics, respectively. Utilizing these characteristics, we propose 23-round related-tweakey impossible differential cryptanalysis by applying the key recovery attack for SKINNY-n-2n and 19-round attack for SKINNY-n-n. To the best of our knowledge, the presented zero-correlation characteristics in this paper are the first attempt to investigate the security of SKINNY against this attack and the results on the related-tweakey impossible differential attack are the best reported ones.


Introduction
Because of the growing use of small computing devices such as RFID tags, the new challenge in the past few years has been the application of conventional cryptographic standards to small devices. Several lightweight block ciphers have been proposed to provide security for resource-constrained hardware environments. PRESENT [BKL+07], SIMECK [YZS+15], SIMON, and SPECK [BTCS+15] are some of the lightweight block cipher designs.
The SKINNY [BJK+16] lightweight tweakable block cipher was introduced to compete with the NSA's recent design SIMON [BTCS+15] in terms of hardware/software performance. The designers of this block cipher have investigated its security against well-known attacks such as linear and differential cryptanalysis [Mat93, BS91], impossible differential cryptanalysis [BBS99, Knu98], integral attack [DKR97, KW02], etc. In this paper, we search for zero-correlation distinguishers [BR14] and the related-tweakey impossible differential characteristics [JD03], which have been missing in the security analysis presented by the designers so far.
The impossible differential attack, which was independently proposed by Biham et al. [BBS99] and Knudsen [Knu98], is one of the most popular cryptanalytic tools for block ciphers. Impossible differential cryptanalysis starts with finding an input difference which results in an output difference with probability 0. Related-tweakey attacks [Bih94] give a cryptanalyst the possibility to choose an appropriate relation between tweakeys and then predict the encryptions under these tweakeys. Indeed, the related-tweakey impossible differential attack [JD03] is a combination of the two aforesaid attacks.
Zero-correlation linear cryptanalysis is a novel cryptanalytic approach proposed by Bogdanov and Rijmen [BR14] in 2012. In contrast to conventional linear cryptanalysis, which uses linear approximations with high correlation, zero-correlation linear cryptanalysis is based on linear approximations with a correlation exactly equal to zero for all keys. The main trouble in the original proposal is the data complexity of cryptanalysis, in which almost the whole codebook is required. In a follow-up work, Bogdanov et al. proposed a novel framework to reduce the data needed using multiple independent linear approximations with a correlation of zero simultaneously [BW12]. To remove the independence assumption, a theoretical model was proposed based on the multidimensional linear distinguisher [BLNW12].
Mixed Integer Linear Programming was first introduced by Mouha et al. [MWGP11], who used it to minimize the number of active S-boxes in a differential or linear characteristic. After that, Sun et al. in [SHW+14a, SHW+14b] extended Mouha et al.'s work from byte-oriented ciphers to bit-oriented ciphers. They presented a method for constructing a model that finds the actual linear/differential trail with the specified number of active S-boxes. In their method, when a solution is found, the MILP model is updated in a way that a new constraint is added and the currently found solution is discarded in the next iteration. A binary variable $x_i$ is defined for every input or output bit mask/difference and is set to 0 if the corresponding bit mask/difference is zero and 1 otherwise. At each round, a new binary variable $A_j$ is defined for each S-box and is set to 0 if the input mask/difference of the corresponding S-box is zero and 1 otherwise. Hence, the activity of an S-box is indicated by $A_j$. Now, the objective function of the MILP model is set so as to minimize the number of active S-boxes (i.e. $f = \sum_j A_j$). In order to find the minimum number of active S-boxes in a linear or differential trail, only the binary values representing the activity of S-boxes concern us. Therefore, we need to restrict these variables to be binary and can let the others be any real number, to speed up solving the problem. However, if we aim to find the exact values of all bit-level inputs and outputs, we must restrict all state variables to be binary, which makes the model an integer programming model that is harder to solve than a mixed integer programming model. MILP has been widely used for cryptanalysis of block ciphers recently; [FWG+16, XZBL16, AAA+15, SBA17, BJK+16, CJF+16] can be mentioned as some examples.

Related Work.
In [LGS17], the authors could attack 19, 23, and 27 rounds of SKINNY-n-n, SKINNY-n-2n, and SKINNY-n-3n respectively, using related-tweakey impossible differential and rectangle attacks. They extended a 14-round related-tweakey impossible differential trail (with 4.5 rounds in both forward and backward directions) and a 12-round related-tweakey impossible differential trail (with 4.5 rounds in backward and 2.5 rounds in forward direction) to attack 23 and 19 rounds of SKINNY-n-n and SKINNY-n-2n, respectively. In our paper, the proposed impossible differential trail consists of 15 rounds, which is one round more than the one proposed in [LGS17]. Despite using the longer trail, we present 19 and 23-round attacks against SKINNY-n-n and SKINNY-n-2n with less complexity. The main obstacle to reaching an attack with more rounds in comparison with [LGS17] is the key schedule of SKINNY: for attacking 25 rounds of SKINNY, the complexity is more than guessing the whole key.
The authors of [TAY17] utilized the 11-round impossible differential characteristic given in the main paper and presented 18, 20, and 22-round attacks applying the key recovery attack on SKINNY-64-64 (or 128-128), SKINNY-64-128 (or 128-256), and SKINNY-64-192 (or 128-384), respectively. In [ABC+17], the authors used an 11-round related-tweakey impossible differential characteristic to propose a 21-round attack. By assuming some tweakey bits as public key, they could extend the attack to 22 and 23 rounds (extending 6 rounds in forward and 4 rounds in backward direction). Sun et al. [SGL+17] obtained 16 related-tweakey impossible differential characteristics for 12 rounds of SKINNY-64-128 using the constraint programming (CP) method and proposed an 18-round attack on SKINNY-64-128. Until now, no result on the security of SKINNY against zero-correlation cryptanalysis has been published prior to this work. A brief comparison of these attacks with the results of this paper and the complexities is given in Table 1.

Our Contribution.
The main purpose of this paper is to search related-tweakey impossible differential and zero-correlation linear characteristics on SKINNY. In this paper, we searched all related-tweakey impossible differential characteristics having only one active bit in the input mask and output mask or tweakeys using Mixed Integer Linear Programming (MILP) for cell size s = 4. The longest related-tweakey impossible characteristics found under the assumption of having a single active bit are 13 and 14-round for SKINNY-64-64 and SKINNY-64-128, respectively. The same characteristics for SKINNY-128-128 and SKINNY-128-256 can be obtained by some slight changes. We also show that in special cases the 14-round SKINNY-64-128 distinguishers can be extended by one round by assuming more than one active bit in input, output, and tweakeys. Based on the 15-round distinguisher obtained, we present a key recovery attack and propose a 23-round related-tweakey impossible differential attack on SKINNY-n-2n. We utilize the 13-round distinguisher to attack 19 rounds of SKINNY-n-n. Also, this paper proposes 9-round and 10-round zero correlation distinguishers on all variants of SKINNY. Based on the aforementioned 9-round zero correlation distinguisher, 14 and 18-round multidimensional zero-correlation linear cryptanalysis is applied on SKINNY-64-64 and SKINNY-64-128, respectively. Our results are shown in Table 1.

Outline.
The remainder of this paper is organized as follows. Section 2 provides the required preliminaries, including a brief description of SKINNY. In section 3, related-tweakey impossible differentials for different variants of SKINNY are proposed. In section 4, we describe the 23-round related-tweakey impossible differential attack on SKINNY-n-2n in detail. In section 5, zero-correlation linear characteristics for different variants of SKINNY are proposed and in section 6, the details of the 18-round zero-correlation linear cryptanalysis of SKINNY-64-128 are presented. Finally, we conclude the paper in section 7.

Preliminaries
In this section, we give a brief description of SKINNY, its round function and key schedule. Then we give a summary of zero-correlation linear cryptanalysis. Finally, the method for using MILP in impossible differential and zero-correlation cryptanalysis is explained. The variables used in this section are introduced in the context.

A brief description of SKINNY
The lightweight block ciphers of the SKINNY family have 64-bit and 128-bit block versions. In both n = 64 and n = 128 versions (n is the block size), the internal state is viewed as a 4 × 4 square array of cells, where each cell can be a nibble (when n = 64) or a byte (when n = 128). SKINNY is built using the tweakey framework [JNP14] and there are three versions with tweakey sizes t = n, t = 2n and t = 3n. For simplicity in writing, we denote the SKINNY with block size n and tweakey size t by SKINNY-n-t.
Initialization: The cipher takes a plaintext $m = m_0 \| m_1 \| \cdots \| m_{14} \| m_{15}$, where the $m_i$ are s-bit cells (we have s = 4 for the 64-bit block SKINNY versions and s = 8 for the 128-bit block SKINNY versions). The cipher's internal state is initialized as follows:
The Round Function: One encryption round of SKINNY is composed of the following five operations: SubCells (SC), AddConstants (AC), AddRoundTweakey (ART), ShiftRows (SR) and MixColumns (MC) (illustrated in Figure 1(a)).
SubCells: Each cell of the cipher internal state goes through an s-bit S-box. For s = 4, this S-box is shown in Table 2.

Table 2: The 4-bit S-box used in SKINNY-64 in hexadecimal form.
x        0 1 2 3 4 5 6 7 8 9 A B C D E F
S_4[x]   C 6 9 0 1 A 2 B 3 8 5 D 4 E 7 F

AddConstants: In this step the round constants derived from a 6-bit LFSR are combined with the state.
AddRoundTweakey: The first and the second rows of all tweakey arrays are extracted and bitwise exclusive-ORed to the cipher internal state, respecting the array positioning. Then, the tweakey arrays are updated in 2 steps as shown in Figure 1(b). In the first step, the permutation $P_T$ = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7] is applied on the tweakey array. In the second step, every cell of the first and the second rows is individually updated with an LFSR as shown in Table 3.
Note that no LFSR is used in TK-1 or the single key case. More details about LFSRs in the TK-3 model are given in [BJK+16].
ShiftRows: The second, third, and fourth cell rows are respectively rotated by 1, 2 and 3 positions to the right. This operation can be performed by applying a permutation P on the cell positions of the cipher internal state cell array. P = [0, 1, 2, 3, 7, 4, 5, 6, 10, 11, 8, 9, 13, 14, 15, 12]
MixColumns: Each column of the cipher's internal state array is multiplied by a binary matrix M given below:

Zero-Correlation Linear Cryptanalysis
As described in [SN14], we consider an n-bit block cipher with input variable $x \in \mathbb{F}_2^n$, and f-function f : If we call v and u the input and output masks, respectively, the linear approximation is defined as follows: Its probability can be defined as: and it has the correlation of: We note that the correlation of an approximation will be equal to zero if the probability of the approximation is $\frac{1}{2}$. In zero-correlation linear cryptanalysis, we look for a linear approximation with zero correlation for all keys. There are usually some XORs, F-functions and branches used in each round of any cipher. According to [BR14], there are three rules for these operations:

Lemma 1. (XOR operation)
Either the three linear selection patterns at an XOR ⊕ are equal or the correlation over ⊕ is exactly 0.

Lemma 2. (Branching operation)
Either the three linear selection patterns at a branching point • sum up to 0 or the correlation over • is exactly 0.

Lemma 3. (Permutation approximation)
Over a permutation φ, if the input and output selection patterns are neither both zero nor both nonzero, the correlation over φ is exactly zero.
In fact, Lemma 1 means that in a zero-correlation attack, the masks on the inputs and output of the XOR operation should be equal; if not, the correlation will be zero. Also, in Lemma 2, for the branching operation, the input mask should be equal to the XOR of the output masks. Otherwise, the correlation will be zero.
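The three lemmas can be checked exhaustively on 4-bit words. The following Python sketch is an added example, not code from the paper: it computes exact correlation numerators over an XOR, a branching point and the SKINNY-64 S-box of Table 2. All function names are illustrative.

```python
from itertools import product

# 4-bit S-box of SKINNY-64 (Table 2).
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
MASKS = range(16)


def parity(mask, value):
    """Inner product mask . value over F_2."""
    return bin(mask & value).count("1") & 1


def signed_sum(bits):
    """Sum of (-1)^b; dividing by the number of inputs gives the correlation."""
    return sum(1 - 2 * b for b in bits)


def xor_corr(a, b, c):
    """Approximation a.x ^ b.y ^ c.(x ^ y) of z = x ^ y, summed over all (x, y)."""
    return signed_sum(parity(a, x) ^ parity(b, y) ^ parity(c, x ^ y)
                      for x, y in product(MASKS, repeat=2))


def branch_corr(a, b, c):
    """x is copied to two branches; mask a on the input, b and c on the copies."""
    return signed_sum(parity(a, x) ^ parity(b, x) ^ parity(c, x) for x in MASKS)


def sbox_corr(a, b):
    """Approximation a.x ^ b.S(x) of the S-box, summed over all 16 inputs."""
    return signed_sum(parity(a, x) ^ parity(b, SBOX[x]) for x in MASKS)


def check_lemmas():
    """Return (lemma1, lemma2, lemma3) as booleans, checked for every mask choice."""
    triples = list(product(MASKS, repeat=3))
    # Lemma 1: nonzero correlation over XOR only when all three masks are equal.
    lemma1 = all((xor_corr(a, b, c) != 0) == (a == b == c) for a, b, c in triples)
    # Lemma 2: nonzero correlation over a branch only when the masks sum to 0.
    lemma2 = all((branch_corr(a, b, c) != 0) == ((a ^ b ^ c) == 0)
                 for a, b, c in triples)
    # Lemma 3: exactly one of the two masks zero gives correlation 0 over S.
    lemma3 = all(sbox_corr(a, 0) == 0 and sbox_corr(0, a) == 0
                 for a in range(1, 16))
    return lemma1, lemma2, lemma3


def zero_correlation_masks():
    """Nonzero (input, output) mask pairs whose correlation over S is exactly 0."""
    return [(a, b) for a in range(1, 16) for b in range(1, 16)
            if sbox_corr(a, b) == 0]


if __name__ == "__main__":
    print("Lemmas 1-3 hold:", check_lemmas())
    print("zero-correlation mask pairs over S:", len(zero_correlation_masks()))
```
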

Zero correlation attack
In this subsection, we give a brief explanation of the zero-correlation attack. More details are given in [BW12, SN14, BR14]. Similar to most conventional attacks on block ciphers, the zero correlation attack has two stages. In the first stage, the attacker should find a linear approximation with correlation zero for some rounds of the target cipher as a distinguisher. Then in the second stage, he adds some rounds before and after the distinguisher and tries to extract the subkeys of these additional rounds.
In the multidimensional case, there exist m independent linear base approximations such that all of their $l = 2^m - 1$ nonzero linear combinations have correlation zero. As shown in [BLNW12], the statistical value T can be computed to find possible key candidates. In order to compute T, for each $i \in \mathbb{F}_2^m$ the attacker allocates a counter V[i] and initializes it to zero. Then for each distinct plaintext, he computes the corresponding data in $\mathbb{F}_2^m$ and increments the counter V[i] of this value by one. Then the attacker computes the statistic T as follows: The statistic T follows a $\chi^2$-distribution with mean and variance of µ 0 = l 2 n −N respectively, for the right key guess, while it follows a $\chi^2$-distribution with mean and variance of $\mu_1 = l$ and $\sigma_1^2 = 2l$ for the wrong key guess. With type-I error probability α and type-II error probability β, if one considers the decision threshold $t = \mu_0 + \sigma_0 z_{1-\alpha} = \mu_1 - \sigma_1 z_{1-\beta}$, then the amount of required distinct known plaintexts (N) is as follows: where $z_p = \Phi^{-1}(p)$ for 0 < p < 1 and Φ is the cumulative function of the standard normal distribution. The number of required plaintext-ciphertext pairs depends on the number of linear approximations with correlation zero, the block length, and the type-I and type-II error probabilities.

Using MILP in Impossible differential and Zero-correlation cryptanalysis
In [CJF+16], Cui et al. proposed a method for searching impossible differential characteristics and zero-correlation linear distinguishers based on Mixed-Integer Linear Programming (MILP). In this MILP problem, we can set the objective function to the expression which conveys the differential characteristic's probability, and the linear constraints are configured to model the cryptosystem. Thus, for the given cipher, the answer to the MILP problem yields the optimum probability of a differential characteristic of that cipher. However, if we cannot obtain an answer to the MILP problem for a specific input or output differential, it shows that the differential characteristic cannot be formed in the specified cipher system for that input and output differential value. Hence, the input and output differentials will be invalid differential characteristics of the given cipher system. Achieving a case where the answer to the MILP problem cannot be obtained leads to searching for MILP-based impossible differential characteristics.
Recently, Sasaki et al. proposed a new impossible differential search tool from the design and cryptanalysis aspects in [ST17] using MILP. They presented an approach for evaluating S-boxes, including 8 × 8 S-boxes, in impossible differential cryptanalysis, which was missing in [CJF+16]. In this paper, we utilize the MILP approach and the results of the aforementioned papers to search related-tweakey impossible differential and zero-correlation linear characteristics.

Searching Related-tweakey Impossible Differential Characteristics of SKINNY
In this section, we present related-tweakey impossible differentials for different variants of SKINNY. Because of the special structure of SKINNY and its performance in key recovery, it is not enough to only search for the longest trails. It means that it is possible to recover more rounds with a 12-round characteristic than with a 14-round characteristic. The place of the active bit differences of input, output, and tweakey can affect the final number of recovered rounds. [ABC+17] can be mentioned as an example. Therefore, we tried to search and list all suitable characteristics in this section. It should be mentioned that we list the notations related to each section at the beginning of that section.

Related-tweakey Impossible Differential Characteristics of SKINNY in TK1 and TK2 model
The following notations are used in the rest of this subsection (also see Figure 2):
(input): represents the input of the first internal state in the first round of the impossible differential characteristic.
$S_1$: represents the internal state after SC in the first round of the impossible differential characteristic.
$tk^1_1$, $tk^1_2$: represent the first round tweakey in the TK-1 and TK-2 model, respectively.
(output): represents the output of the last internal state in the last round of the impossible differential characteristic.
$\Delta[X]$: represents a nonzero difference in at least one bit of state X.
$\Delta_i[X]$: represents a nonzero difference in the i-th cell (i = 0, ..., 15) of state X.
$\Delta_i^j[X]$: represents a nonzero difference in the j-th bit of the i-th cell, j = 0, 1, 2, 3 (or j = 0, ..., 7) and i = 0, ..., 15, of state X.
$\Delta_i^{0xj}[X]$: represents that the difference of the i-th cell (i = 0, ..., 15) of state X is 0xj.
"0": represents zero difference.
"?": represents an unknown difference.
In [BJK+16], the miss-in-the-middle approach was used to find an 11-round impossible differential characteristic of SKINNY as $\Delta_{12}(\text{input}) \overset{11}{\nrightarrow} \Delta_8(\text{output})$. Then, they utilized it to attack 16-round SKINNY-64-64 (or 128-128) and 18-round SKINNY-64-128. In this paper, in order to find related-tweakey impossible differential characteristics, we use the MILP technique to find all related-tweakey impossible differential characteristics based on bit-wise search for SKINNY in the TK-1 and TK-2 model. The characteristics in the models are searched considering 1 active bit in input or output. However, to reach the best trail in some models, due to the structure of trails, we conducted the search under the assumption of having more than 1 bit difference in input or output. Since we can consider the difference in any of input, output, and tweakey inputs ($tk^1_1$, $tk^1_2$), we have considered the differential models as ($\Delta$(input), $\Delta(tk^1_1)$, $\Delta$(output)) and ($\Delta$(input), $\Delta(tk^1_1)$, $\Delta(tk^1_2)$, $\Delta$(output)) for SKINNY in the TK-1 and TK-2 model, respectively. Since in some characteristics the difference value of input, output, $tk^1_1$ or $tk^1_2$ (in the TK-2 model) can be considered zero, we classify the differential trails by the items with zero value. For example, the differential model ($\Delta$(input), 0, $\Delta(tk^1_2)$, $\Delta$(output)) in the TK-2 model means that we have only considered the difference in input, $tk^1_2$, and output bits and we do not have any difference in $tk^1_1$. Given that the round-tweakey is combined with the internal state after SC, we can consider the difference of the internal state after SC in the first round ($S_1$) instead of its input in some cases, so we are able to find longer characteristics. A summary of the best-known approximations for SKINNY in both the TK-1 and TK-2 model is presented in Table 4. It should be mentioned that we searched the characteristics in the case of s = 4. However, these characteristics are extendable to s = 8 by some slight changes in differences. In addition, in some models, since there are differences in all bits of a cell, we have considered the differential in that cell as truncated.

Searching Related-tweakey Impossible Differential characteristics of SKINNY in TK-1 model.
Differences as ($\Delta$(input), $\Delta(tk^1_1)$, $\Delta$(output)). Considering this case, we found that the longest related-tweakey impossible differential characteristics reach 12 rounds. We listed all the related-tweakey impossible differential characteristics in Table 5. For example, if we pick n = A and choose (i, j, k) = (12, 8, 8), we can derive a 12-round
Table 4: A summary of the known related-tweakey impossible differential characteristics for SKINNY in both TK-1 and TK-2 model.

Searching Related-tweakey Impossible Differential characteristics of SKINNY in TK-2 model.
(2) m = n ⊕ p. ( The possible values of m, n, and p that satisfy conditions (2) and (3) are listed in Table 11.This table is constructed for s = 4.For s = 8, the table can be derived by the same approach.
For s = 4, the possible values of m, n, p, and q that satisfy conditions (2), (3), and (4) are listed in Table 12.For s = 8 the table can be derived by the same approach.

Notations
The following notations are used in the rest of the paper:
P: represents the plaintext.
C: represents the ciphertext.
$tk^i_1$, $tk^i_2$: represent the i-th round tweakey in the TK-1 and TK-2 model, respectively.
TKi: represents the i-th round tweakey. This is equal to the result of exclusive-ORing the first and the second rows of $tk^i_1$ and $tk^i_2$, and TKi[j] represents the j-th cell (0 ≤ j ≤ 15) of TKi.
$X_i$: represents the internal state before SC in round i, and $X_i[j]$ represents the j-th cell (0 ≤ j ≤ 15) of $X_i$.
$Y_i$: represents the internal state before ART in round i, and $Y_i[j]$ represents the j-th cell (0 ≤ j ≤ 15) of $Y_i$.
$Z_i$: represents the internal state before SR in round i, and $Z_i[j]$ represents the j-th cell (0 ≤ j ≤ 15) of $Z_i$.
$W_i$: represents the internal state before MC in round i, and $W_i[j]$ represents the j-th cell (0 ≤ j ≤ 15) of $W_i$.
col(i): represents the column i (1 ≤ i ≤ 4).
X : represents the corresponding variable under the related tweakey difference encryption.
$\Delta X_i$, $\Delta X_i[j]$: represent the difference at state $X_i$ and cell $X_i[j]$, respectively.

An Overview of Impossible Differential Cryptanalysis
We start with recalling the framework introduced by Boura et al. in [BNPS14]. In this method, the cipher is split to three parts: ∆Y and by propagating ∆X and ∆Y through $E_1^{-1}$ and $E_3$ respectively, we obtain $\Delta_{in}$ and $\Delta_{out}$ with probability 1. Therefore, we can verify the differential $\Delta X \leftarrow \Delta_{in}$ and $\Delta Y \leftarrow \Delta_{out}$ with probability $\frac{1}{2^{c_{in}}}$ and $\frac{1}{2^{c_{out}}}$ respectively. Notice that $c_{in}$ and $c_{out}$ are defined as the number of bit-conditions needed to be verified to obtain ∆X from $\Delta_{in}$ and ∆Y from $\Delta_{out}$, respectively. We consider $k_{in}$ and $k_{out}$ as the key information involved in $E_1$ and $E_3$, respectively.
For a given pair of inputs, the probability of having a difference ∆X and an output difference ∆Y under a random key guess is $2^{-(c_{in}+c_{out})}$. The probability for a trial key to be placed in the set of possible keys should be small enough so that the number of pairs N can be chosen appropriately. This probability is calculated as: .
By adopting the strategy presented in [BNPS14], we consider the smallest value of pairs such that $e^{-N \times 2^{-(c_{in}+c_{out})}} < \frac{1}{2}$, to reduce the exhaustive search by at least one bit. Now, we need to find N pairs which verify a given differential. From [BNPS14], using the limited birthday problem, the cost of obtaining the N pairs ($C_N$) is: verifying that $C_N < 2^n$, where n is the size of the block cipher. By considering the cost of one encryption as $C_E$, the time complexity $C_T$ is given by the following equation: where $C_E$ is the ratio of the cost of partial encryption to the full encryption and $2^{|K|} P$ is the cost of the exhaustive search for the key K after the impossible differential attack. It should be noted that in [BNPS14], a generic complexity analysis of impossible differential attacks against block ciphers was presented. Afterwards, in [Der16], Derbez showed that the results of the paper [BNPS14] may be incorrect and sometimes can produce a miscalculation in time complexity. In fact, it is because of the structure of the key schedule, which has a non-negligible impact on the time complexity of such attacks and has to be added to the time complexity $C_T$. Boura et al. did not consider this case in their investigations. Recently, Boura et al. in [BLNPS18] introduced techniques which complete and improve the method and the given analysis in [BNPS14]. Based on this new paper, the part of the key schedule which connects the sub-keys of the first rounds to the sub-keys of the last rounds can be seen as a black box and the computation above should be taken into account in the estimation of time complexity. The details of this technique can be seen in [BLNPS18]. Note that the formula provided for time complexity in [BNPS14, BLNPS18] is just a lower-bound approximation of the time complexity and for an exact determination of the complexity, one must perform the detailed attack step by step. Therefore, in this paper, we performed the detailed attack step by step to compute the time complexity.
To describe our related-tweakey impossible differential attack on SKINNY-n-2n and SKINNY-n-n, we should first introduce the following lemma [ABC+17, LGS17]:
Lemma 4. The equation $S(x + \Delta_i) + S(x) = \Delta_o$ has one solution x on average for $\Delta_i, \Delta_o \neq 0$. A similar result holds for the inverse S-box, $S^{-1}$.
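Lemma 4 can be made concrete for s = 4 with the S-box of Table 2. The Python sketch below is an added example, not code from the paper: it builds the difference distribution table, computes the exact average number of solutions over nonzero difference pairs, and builds the lookup that turns a known (input difference, output difference) pair into candidate cell values. Function names are illustrative and "+" in the lemma is read as XOR.

```python
from fractions import Fraction

# 4-bit S-box of SKINNY-64 (Table 2) and its inverse.
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]
INV_SBOX = [SBOX.index(y) for y in range(16)]


def solutions(sbox, d_in, d_out):
    """All x with S(x ^ d_in) ^ S(x) == d_out."""
    return [x for x in range(16) if (sbox[x ^ d_in] ^ sbox[x]) == d_out]


def ddt(sbox):
    """Difference distribution table: ddt[d_in][d_out] = number of solutions x."""
    table = [[0] * 16 for _ in range(16)]
    for d_in in range(16):
        for x in range(16):
            table[d_in][sbox[x ^ d_in] ^ sbox[x]] += 1
    return table


def average_solutions(sbox):
    """Exact mean number of solutions over the 15 * 15 nonzero (d_in, d_out)."""
    table = ddt(sbox)
    total = sum(table[i][o] for i in range(1, 16) for o in range(1, 16))
    return Fraction(total, 15 * 15)


def build_lookup(sbox):
    """(d_in, d_out) -> list of x, the table used to recover a cell value
    once both differences around an S-box are known."""
    return {(i, o): solutions(sbox, i, o)
            for i in range(1, 16) for o in range(1, 16)}


def impossible_transitions(sbox):
    """Nonzero (d_in, d_out) pairs with no solution; such a pair is discarded."""
    return [key for key, xs in build_lookup(sbox).items() if not xs]


if __name__ == "__main__":
    for name, box in (("S", SBOX), ("S^-1", INV_SBOX)):
        avg = average_solutions(box)
        print(f"{name}: average solutions = {avg} ~ {float(avg):.3f}")
    print("x with S(x^1)^S(x) = 0xA:", solutions(SBOX, 0x1, 0xA))
    print("impossible nonzero transitions:", len(impossible_transitions(SBOX)))
```

The average is 16/15 rather than exactly 1 because a nonzero input difference never maps to a zero output difference, so all 16 values of x are spread over only 15 output differences.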
Using this lemma, we are going to present the 23-round related-tweakey impossible differential attack on SKINNY-n-2n in the following section.
There are some slight differences between different variants of SKINNY. SKINNY-64-64 and SKINNY-128-128 just differ in the cell size. SKINNY-64-128 and SKINNY-128-256 differ in cell size and the LFSR operation of the key schedule. Since our attacks are based on the same 15-round distinguisher for SKINNY-64-128 and SKINNY-128-256 and the same 13-round distinguisher for SKINNY-64-64 and SKINNY-128-128, we present the details of the attacks as a function of the cell size s, where s = 4 and s = 8 in the case of SKINNY-64 and SKINNY-128 respectively. The attack on the 19-round SKINNY-n-n works in a similar manner and is presented in Appendix A.

23-round Related Tweakey Impossible Differential Attack on SKINNY-n-2n
In this section, the details of our 23-round attack on SKINNY-n-2n will be presented utilizing related-tweakey impossible differential cryptanalysis. We use the 15-round related-tweakey impossible differential trail, which is shown in Figure 4, and extend it by 3 and 5 rounds in the backward and forward directions respectively (see Figure 5). In this attack, instead of the tweakey TK1, we can obtain the equivalent tweakey ETK by using ETK = MC(SR(TK1)) in the first round, so we can start our tweakey recovery attack at $Y_1$, given that there is no tweakey used before $Y_1$. The plaintext P can be recovered by applying the $MC^{-1}$, $SR^{-1}$, $AC^{-1}$, and $SC^{-1}$ layers on $Y_1$. In the following section, we first describe the overall strategy of the attack and then go through the details.

Overall Strategy
In this section, we explain the overall strategy of the attack when s = 4 based on Figure 5. For s = 8, the attack can be followed by the same approach.
Figure 5  For example, from the first column of TDT, if we consider the value of the difference in TK4[1] equal to 0x1 (∆TK4[1] = 0x1), the value of the difference in TK18[7] must be 0x7 to construct a 15-round related-tweakey impossible differential trail (see Table 12). By choosing these differences, the other differences in TK2[7], TK20[1], and TK22[0] should be 0x9, 0xD, and 0x8, respectively. It should be mentioned that all the 255 differences in the case of s = 8 can be calculated and form the TDT by the same approach.
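The round and cell indices in this example follow from the tweakey permutation $P_T$ and the TK-2 cell LFSR. The Python sketch below is an added example, not code from the paper: it propagates a single-cell difference pair through the tweakey schedule for s = 4 and searches for the pair that gives ∆TK4[1] = 0x1 and ∆TK18[7] = 0x7. Two assumptions are made: the 4-bit TK-2 LFSR is taken from the SKINNY specification [BJK+16] because Table 3 is not reproduced here, and the $tk_1$ and $tk_2$ differences sit in the same single cell. Function names are illustrative.

```python
# Tweakey permutation P_T as given in the AddRoundTweakey description.
PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def lfsr_tk2(x):
    """TK-2 cell update for s = 4: (x3,x2,x1,x0) -> (x2,x1,x0,x3^x2).
    Assumption: from the SKINNY specification [BJK+16], not from this page."""
    return ((x << 1) & 0xF) | (((x >> 3) ^ (x >> 2)) & 1)


def subtweakey_diffs(d1, d2, rounds):
    """d1, d2: 16-cell differences of tk1 and tk2 at round 1.
    Returns {r: [difference of TKr[0..7]]} for r = 1..rounds."""
    out = {}
    for r in range(1, rounds + 1):
        # TKr is the XOR of the first two rows of the tweakey arrays.
        out[r] = [d1[i] ^ d2[i] for i in range(8)]
        # Update step 1: cell permutation P_T on both arrays.
        d1 = [d1[PT[i]] for i in range(16)]
        d2 = [d2[PT[i]] for i in range(16)]
        # Update step 2: LFSR on the first two rows of tk2 only (linear, so it
        # acts on differences exactly as on values).
        d2 = [lfsr_tk2(c) if i < 8 else c for i, c in enumerate(d2)]
    return out


def find_single_cell_differences(targets, rounds=23):
    """targets: {(round, cell): difference}. Try every cell position and every
    (tk1, tk2) difference pair in that cell; return [(pos, a, b, diffs)]."""
    hits = []
    for pos in range(16):
        for a in range(16):
            for b in range(16):
                if a == 0 and b == 0:
                    continue
                d1 = [0] * 16
                d2 = [0] * 16
                d1[pos], d2[pos] = a, b
                diffs = subtweakey_diffs(d1, d2, rounds)
                if all(diffs[r][c] == v for (r, c), v in targets.items()):
                    hits.append((pos, a, b, diffs))
    return hits


def active_cells(diffs):
    """{round: {cell: difference}} restricted to nonzero subtweakey cells."""
    return {r: {c: v for c, v in enumerate(row) if v}
            for r, row in diffs.items() if any(row)}


if __name__ == "__main__":
    hits = find_single_cell_differences({(4, 1): 0x1, (18, 7): 0x7})
    for pos, a, b, diffs in hits:
        print(f"round-1 cell {pos}: tk1 diff {a:#x}, tk2 diff {b:#x}")
        for r, cells in active_cells(diffs).items():
            print(f"  TK{r}:", {c: hex(v) for c, v in cells.items()})
```

Under these assumptions the search has a single solution, and it gives the differences 0x9, 0xD and 0x8 in TK2[7], TK20[1] and TK22[0] quoted in the text.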
In this 23-round attack, instead of using just one characteristic (one column of TDT), we use all of these characteristics (all columns of TDT). The general procedure of this attack is to use 15 lists $L_i$ ($i = 1, \cdots, 15$) for storing pairs. In fact, during the attack procedure, the data related to column i of TDT is saved in list $L_i$ and the attack will be continued based on this list. Using this technique, the adversary will be able to remove more wrong keys than in the case of using just one trail with the same initial data. For this purpose, for each pair of plaintext and ciphertext, first, the adversary guesses the value of the 7th cell of ETK (ETK[7]) in the first round to calculate the value of the difference $\Delta Y_2[7]$ in the second round. Here, we study two cases: first, when the adversary uses one of the impossible differential characteristics, and second, when the adversary uses all characteristics.

Case a. When the adversary uses one of the impossible differential characteristics (one column of TDT):
In this case, the adversary should check the equality $\Delta Y_2[7] = \Delta TK2[7]$ for each pair after calculating $\Delta Y_2[7]$ based on the guessed ETK[7]. This will lead to an s-bit filter on the remaining pairs. Also, by knowing the value of the difference in $Y_2$, the probability of having those differences in $Z_3$ will be $p = 2^{-s}$.
Case b. When the adversary uses all impossible differential characteristics (all columns of TDT are considered in the attack):
In this case, after guessing ETK[7] and calculating $\Delta Y_2[7]$ for each pair, the adversary chooses index i based on the first row of TDT such that: Then stores this pair on list $L_i$ (TDT[m][n] means the m-th row of the n-th column of TDT). For example, if $\Delta Y_2[7]$ = 0xA, the corresponding pair will be saved on list $L_3$ and the same approach applies for storing the remaining pairs. Obviously, each pair will be stored in one of the lists and there is no need for filtering in this step. Also, by knowing the value of the differences in $Y_2$, the probability of having the differences in $Z_3$ will be p = 1. Then the adversary can complete the attack based on these lists for each pair. As an example, consider that the adversary calculates the value of $\Delta Y_4[1]$ (i.e., the input of the impossible differential characteristic) by guessing the related keys in the first rounds for the pairs in the i-th list ($L_i$). For each pair the adversary checks if: If the equation is not correct, the corresponding pair will be omitted from the list. The same process will be applied for the other lists. Therefore, this step results in a total of an s-bit filter on the remaining pairs. This procedure should be continued for the other rounds to determine the value of the difference $\Delta X_{19}[8]$ and remove the wrong keys.
In this paper, the 23-round cryptanalysis is described in detail based on the second case in the following section: and we have Y hence, by using Lemma 4, we can determine will generally lead to an s-bit filter on all $L_i$ lists.

Complexity analysis
In this attack, the parameters are as follows: • c in = 3s.For more details, there is 2s bit-conditions in the ∆X 2 propagates to ∆X 3 , s bit-conditions in the ∆X 4 propagates to ∆Y 4 .So we can verify the differential ∆P → ∆Y 4 with probability 1 2 3s .• c out = 16s.For more details, there is 4s bit-conditions in the ∆X 23 propagates to ∆X 22 , 3s bit-conditions in the ∆X 22 propagates to ∆X 21 , 6s bit-conditions in the ∆X 21 propagates to ∆X 20 , 3s bit-conditions in the ∆X 20 propagates to ∆X 19 .
Thus, based on the method proposed in [BNPS14], we can calculate the data, time, and memory complexity as follows: The probability that a given pair of inputs has a difference $\Delta_{in}$ and an output difference $\Delta_{out}$, under a random key guess, is $2^{-(c_{in}+c_{out})}$. The probability for a trial key to be placed in the set of possible keys should be small enough, so the number of pairs, $N$, must be chosen appropriately. This probability is calculated as follows: By adopting the strategy presented in [BNPS14], we consider the number of pairs such that $e^{-2^{x-11s}} < \frac{1}{2}$, to reduce the exhaustive search by at least one bit. By choosing $x = 45.47$ (resp. $x = 91.40$) in the case of SKINNY-64-128 (resp. SKINNY-128-256), the remaining 29-nibble subkey space is reduced to (resp. $2^{29 \times 8} e^{-2^{91.40 - 11 \times 8}} \approx 2^{216.70}$). By exhaustively searching the $TK_{remain} = 2^{112}$ (resp. $2^{216.70}$) remaining tweakey candidates with the $2^{3s}$ remaining tweakey bits ($TK_{remain} \times 2^{3s}$), which are not used in the attack, we can recover the tweakey candidates.
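The bound $e^{-2^{x-11s}} < \frac{1}{2}$ and the resulting key-space reduction can be evaluated numerically. The Python sketch below is an added example, not code from the paper; it assumes $N = 2^{x+8s}$ pairs and a chosen-plaintext count of $2^{x+4s+1}$ (both forms appear elsewhere on the page), and all function names are illustrative.

```python
import math

# Parameters of the 23-round attack, in units of the cell size s (values from the page).
C_IN_CELLS = 3       # c_in  = 3s bit-conditions
C_OUT_CELLS = 16     # c_out = 16s bit-conditions
PAIR_CELLS = 8       # 2^x structures give N = 2^(x + 8s) pairs
DELTA_IN_CELLS = 4   # |Delta_in| = 4s, so data = 2^(x + 4s + 1)
GUESSED_CELLS = 29   # guessed subkey space of 29 cells

LOG2_E = math.log2(math.e)


def log2_hits_per_key(x, s):
    """log2 of N * 2^-(c_in + c_out): expected number of pairs that
    reject one wrong key guess. Equals x - 11s for this attack."""
    return (x + PAIR_CELLS * s) - (C_IN_CELLS + C_OUT_CELLS) * s


def log2_survival(x, s):
    """log2 of P = (1 - 2^-(c_in+c_out))^N, using P ~ exp(-2^(x - 11s))."""
    return -(2.0 ** log2_hits_per_key(x, s)) * LOG2_E


def min_x(s):
    """Threshold on x for P < 1/2, i.e. 2^(x - 11s) > ln 2."""
    return (C_IN_CELLS + C_OUT_CELLS - PAIR_CELLS) * s + math.log2(math.log(2))


def log2_remaining_keys(x, s):
    """log2 of the guessed-subkey candidates that survive all N pairs."""
    return GUESSED_CELLS * s + log2_survival(x, s)


def log2_data(x, s):
    """log2 of the chosen plaintexts, 2^(x + |Delta_in| + 1)."""
    return x + DELTA_IN_CELLS * s + 1


def report(name, s, x):
    """Collect the derived exponents for one SKINNY variant."""
    return {
        "variant": name,
        "min_x": round(min_x(s), 2),
        "log2_survival": round(log2_survival(x, s), 2),
        "log2_remaining_keys": round(log2_remaining_keys(x, s), 2),
        "log2_data": round(log2_data(x, s), 2),
    }


if __name__ == "__main__":
    # x values are the two-decimal figures quoted on the page.
    for name, s, x in (("SKINNY-64-128", 4, 45.47), ("SKINNY-128-256", 8, 91.40)):
        print(report(name, s, x))
```

Because the page quotes $x$ to two decimals, the computed exponents agree with its figures only to within about 0.1 bit.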

Data complexity of this attack is (resp. $2^{91.40+4\times 8+1} = 2^{124.41}$) chosen plaintexts. Then, the time needed for obtaining $N$ pairs of messages ($D$), the number of pairs multiplied by the average time needed for trying key candidates out ($N \cdot 2^{11s}$), and the time needed for trying the remaining key candidates out and recovering the complete key will determine the complexity. So the attack requires

Remark
In our attack, the time complexity of step 10 is $N \cdot 2^{11s}$. Actually, similar to the method used in [LGS17], this complexity can be reduced to $N \cdot 2^{9s}$, which reduces the total complexity by a factor of $2^{-0.2}$ in our attack. For this purpose, step 10 can be performed as follows: For each pair on list $L_i$ ($i = 1, \dots, 15$), the attacker guesses $TK2[2]$. Knowledge of this cell allows her to compute $\Delta Y_3[14]$ and so $\Delta X_4$, and by using lemma 4, $X_4[1]$ can be simply determined. Now, two subtweakey cells $TK2[2, 6]$ can be calculated as given below: since , by constructing a table to store input values $X_3[1]$ and $X_3[11]$ for the two S-boxes for each possible right hand value, input values can be retrieved. For each right hand value, we have $2^s$ possible combinations of So the time complexity of this step can be considered as $N \cdot 2^{9s}$ and the number of tests to verify the impossible distinguisher would be $N \cdot 2^{10s}$.
5 Zero-Correlation Linear Attack

Searching Zero-correlation Linear distinguishers of SKINNY
In this section, we use "0" to denote a zero mask, Γ i to denote a nonzero mask in the i-th nibble (i = 0, ..., 15), and "?" to denote a zero or nonzero mask. Also, we use Γ i in r Γ j out to show that the correlation of the linear approximation of r-round SKINNY with input mask Γ i in (i-th nibble of input) to output mask Γ j out (j-th nibble of output) is zero.
If we combine (3) and (4) with each other, we derive a 9-round zero-correlation linear distinguisher for SKINNY.
We searched for all 9-round zero-correlation characteristics with the miss-in-the-middle technique and list them all in Table 22. Based on this table, there are 172 different characteristics with single active cells in the input and output masks.
Table 22: Zero-correlation linear approximations Γ i in r Γ j out for 9-round SKINNY.

10-round Zero-correlation linear distinguishers for SKINNY
Using the MILP technique, we found 16 zero-correlation linear characteristics reaching 10 rounds, which are listed in Table 23. After finding the trails with MILP, we tried to verify them with the miss-in-the-middle technique; the procedure is described below.
For example, one of the 10-round zero-correlation linear characteristics is (Γ 0 in ) 10 (Γ 4 out ). It should be noted that we tried to obtain this characteristic by using the miss-in-the-middle approach and considering $r_1$ rounds forward and $r_2$ rounds backward ($r_1 + r_2 = 10$), but we did not reach any contradiction directly by considering different $r_1$ and $r_2$ rounds. Hence, to show that the 10-round zero-correlation linear characteristic with this input and output mask exists, we first construct a 9-round zero-correlation distinguisher as shown in Figure 7. This distinguisher consists of a forward part (along the encryption direction) and a backward part (along the decryption direction). After encrypting 4 rounds in the forward part and 5 rounds in the backward part, a contradiction will happen in the first cell of the middle state, which is shown in Figure 7.
By decrypting (or encrypting) 1 more round in the backward part (or forward part), no contradiction will be found, but we used a trick here to reach a contradiction in the 10-round characteristic. There are 3 possible types of cell conditions in each state: active, inactive, and unknown. The active and inactive cells have deterministic conditions, but unknown cells can take any condition, so we can assume them to be active or inactive and see whether this assumption changes the condition of the deterministic cells so as to reach a contradiction. In more detail, the trick is to decrypt one more round after the contradiction place (which here is the state C) in the 9-round trail and derive state B. States A and B are equivalent but derived from two different directions, i.e., forward and backward. So, we can assume the unknown cells of state B to have the same condition as the corresponding cells in state A. In this step, we try to assume some of these cells to have the corresponding condition; then, we encrypt one more round under this assumption to check whether it causes any changes in the deterministic cells of the first state of the next round. As shown in Figure 7, we assumed the 6-th and the 9-th cells to be inactive and encrypted one more round to derive D. In this case, the 15-th cell of the input mask of this new round changes and becomes active, and this is a contradiction. More details are depicted in Figure 7.

Zero-Correlation Linear Cryptanalysis of SKINNY
In this section, we investigate the security of SKINNY64-128 by using zero-correlation linear cryptanalysis. Note that we use the 9-round zero-correlation distinguisher described in Section 5.1, since it provides better results in terms of time and memory complexity. We present the key recovery attacks on 18-round SKINNY64-128. The 14-round attack on SKINNY64-64 is presented in Appendix B. In this section, $s_i$ means the internal state of the $i$-th round and $s_i(j)$ means the $j$-th cell of state $i$.

Zero-correlation linear cryptanalysis of SKINNY-64 with 128-bit tweakey
As shown in Figure 8, we can append 5 rounds after the distinguisher and add 4 rounds before the distinguisher. It means that the 9-round distinguisher starts from the 5-th round and ends at the 13-th round (round number starting from 1). In this way, we can attack 18-round SKINNY64-128.

Compute the statistical value
If $T < t$, then the guessed key is taken as a possible candidate.
6. Do exhaustive search for all keys that correspond to the guessed subkey bits.

Attack complexity
The memory complexity of the attack is $2^{56}$ bytes, which is dominated by step 2. The time complexity of phase one is equal to $N \times 2^{44}$. The time complexity of the steps between 1 and 4 depends on the number of accesses to the memory. The time complexity for each round can be derived as follows.
The total time and data complexity is given in Table 24.

Conclusion
In this work, we presented the related-tweakey impossible differential and zero-correlation linear characteristics on different variants of the SKINNY block cipher. For SKINNY-n-n and SKINNY-n-2n, we searched all of the related-tweakey impossible differential characteristics using the MILP technique. Moreover, we found 13-round and 15-round related-tweakey impossible differential characteristics for SKINNY-n-n and SKINNY-n-2n, respectively. Utilizing these characteristics, we proposed a 19-round related-tweakey impossible differential attack on SKINNY-n-n and a 23-round attack on SKINNY-n-2n. We also constructed 9 and 10-round zero-correlation linear distinguishers and attacked 14 and 18 rounds of SKINNY-64-64 and SKINNY-64-128, respectively, by extending the 9-round trail. Based on the MILP results, we claim that the given characteristics are the longest under the assumption of having a single active bit in the input and output masks (and tweakeys in related-tweakey cases).

A 19-round Related Tweakey Impossible Differential Attack on SKINNY-n-n
In this section, we present the details of a 19-round attack on SKINNY-n-n utilizing the 13-round related-tweakey impossible differential trail shown in Figure 3 and extend it by 3 rounds in both backward and forward directions. As in the previous section, instead of the tweakey $TK1$, we can obtain the equivalent tweakey $ETK$ in the first round, start the tweakey recovery attack at $Y_1$, and recover the plaintext $P$ by applying the $MC^{-1}$, $SR^{-1}$, $AC^{-1}$ and $SC^{-1}$ layers on $Y_1$.

B Zero-correlation linear cryptanalysis of SKINNY-64 with 64-bit tweakey
As shown in Figure 10, by a key recovery attack we can add 2 rounds before the distinguisher and 3 rounds after the distinguisher. It means that the 9-round distinguisher starts from round 3 and ends at round 11 (round number starting from 1). In this way, we can attack 14-round SKINNY64-64. The description of this attack is given below:
6. Guess the nibble $TK_{13}(0)$. Then, allocate a counter $N_4[s_3, s_{12}]$ for each of $2^{12}$ possible values of $(s_3 \| s_{12})$, where $s_{12} = s_{12}(0, 12)$, and set them to zero. For all $2^{12}$ possible values of $s_{13}$, decrypt $s_{13}$ two rounds to obtain $s_{11}$ and update the value
If $T < t$, the guessed key is taken as a possible candidate.
8. Do exhaustive search for all keys that correspond to the guessed subkey bits.

Attack complexity
The memory complexity of the attack is $2^{44} \times 3$ bytes, which is dominated by step 2. The time complexity of steps 1 and 2 is equal to the number of needed plaintext-ciphertext pairs $N$. The time complexity of the steps between 3 and 7 depends on the number of accesses to the memory. The time complexity for each round can be derived as follows.

Figure 6: The 9-round distinguisher for SKINNY. SR and MC stand for ShiftRows and MixColumns, respectively. SubCells, AddConstant and AddRoundTweakey are omitted since they are not related here.

Figure 7: Zero-correlation characteristic for 9-round (extended to 10-round) SKINNY. SR and MC stand for ShiftRows and MixColumns, respectively. SubCells, AddConstant and AddTweakey are omitted since they are not related here.
$[2]) \oplus S^{-1}(Y_{18}[2] \oplus \Delta Y_{18}[2]) = \Delta X_{18}[2]$. Now by using lemma 4, $TK18[2]$ can be simply determined.
(b) Guess $TK18[6]$. Compute $\Delta X_{17}[8]$ and for each pair on the $L_i$ list, checking if $\Delta X_{17}[8]$ = 0xi, this will lead to a total of an $s$-bit filter. The time complexity of this step is $N \cdot 2^{-s}$ and the number of tests left for the next step is $N \cdot 2^{-2s}$.
5. Satisfying the round 2, by applying the following steps on all $N$ message pairs on all lists for the remaining tweakeys, leads to the determination of the number of possible values of $TK2[0, 1, 5]$:
(a) Guess $TK2[0, 1, 5]$. Knowledge of these cells allows the attacker to compute $Y_3$ and $\Delta Y_3$ as shown in Figure 9. Therefore, from the knowledge of $TK3[0]$ ($= TK19[2]$), $\Delta Y_4[0]$ can be simply determined. For each pair on the $L_i$ list, checking if $\Delta Y_4[0]$ = 0xi, this will lead us to a total of an $s$-bit filter. The time complexity of this step is $N \cdot 2^{s}$ and the number of tests to verify the impossible distinguisher is $N$.
Complexity analysis
In this attack $c_{in} = |\Delta_{in}| = 4s$, $c_{out} = 8s$, $|\Delta_{out}| = 9s$ and $|k_{in} \cup k_{out}| = 13s$. Thus, according to the formulas derived in the previous section, we can calculate the data, time and memory complexity as follows:

Figure 9: Related-tweakey impossible differential attack on 19-round of SKINNY-n-n. Differences which are added from tweakey to the state are shown only for the case of $s = 4$.

Table 1: Summary of the main results of attacks on SKINNY, where ID, RK-ID, and ZC denote impossible differential, related-key (tweakey) impossible differential, and zero-correlation cryptanalysis, respectively. In this attack, 48 bits of the tweakey are considered publicly as tweak. So the upper bound for exhaustive search is 80 bits.

Table 3: The LFSRs used in TK-2 model of SKINNY. The $s$ parameter gives the size of cell in bits.

shows what kind of information (just difference, just value, or both difference and value) is needed in the state cells to verify the differential paths $\Delta X_{19} \rightarrow \Delta C$ and $\Delta Y_4 \rightarrow \Delta P$. As an example, during the key recovery phase in rounds 19 to 23, those key guesses for which the given ciphertext pair follows the differential trail $\Delta X_{19} \rightarrow \Delta C$ (shown by gray cells) are collected. We can do this by checking whether or not $\Delta X_{i+1}$ leads to the required difference $\Delta W_i$ for $19 \le i \le 23$ in each round. Starting the procedure from $\Delta C$, to calculate $\Delta X_i$ in each round $i$, it is required to know the difference and the values of the state in the active cells of the corresponding $\Delta Y_i$'s. To compute the required state values of the $Y_i$'s in each round $i$, knowledge is required of the state values of the cells (that might not be active differentially) and also of the key values in the next rounds (round $i + 1$ till round 23) on which the $Y_i$'s are dependent. In addition, these differentials are dependent on each other, and by choosing any of the input differentials of the 15-round impossible characteristic, the others can be defined. These differentials are shown in a table which we call the Tweakey Differentials Table (TDT) (see Table 21).

Table 21: The TDT table (columns $L_1$, $L_2$, ..., $L_{15}$).
Collection: The adversary should construct $2^x$ structures at $Y_1$ and consider all the possible values in 4 cells $Y_1[5, 7, 8, 15]$ for each structure, while the remaining cells take a fixed value. By using $2^{x+|\Delta_{in}|} = 2^{x+4s}$ messages, we can generate $2^{x+2|\Delta_{in}|} = 2^{x+8s}$ pairs of messages (P, P ), then ask the encryption oracle to obtain the corresponding ciphertexts (C, C). Then for each ciphertext pair, we check whether $n - |\Delta_{out}|$ bits are zero or not and discard it if false. Note that in our 23-round attack on SKINNY-n-2n this step is skipped as $n = |\Delta_{out}|$, and in our 19-round attack on SKINNY-n-n this step is not skipped. The expected number of the remaining pairs is approximately $N = 2^{x+2|\Delta_{in}|-(n-|\Delta_{out}|)} = 2^{x+8c}$ plaintext pairs. This step requires a total of $2^{x+|\Delta_{in}|+1} = 2^{x+8c+1}$ encryption calls.
store the pair in the list $L_i$ and repeat this for the other pairs. Obviously, each pair will be saved in one list and there is no need for filtering in this step. The time complexity of this step is $N \cdot 2^{s}$ and the number of tests left for the next step is $N \cdot 2^{s}$.
2. Satisfying the round 23, by applying the following steps on all $N$ message pairs on all lists, leads to the determination of the number of possible values of
(b) We can compute $\Delta X_{23}[14]$ from the knowledge of $Z_{23}[14]$ and $\Delta Z_{23}[14]$.

Table 24: Time and data complexity for different values of α and β for SKINNY-64 with 128-bit tweakey.
The adversary should construct $2^x$ structures at $Y_1$ and consider all the possible values in 4 cells $Y_1[1, 4, 11, 14]$ for each structure, while the remaining cells take a fixed value. By using $2^{x+4s}$ messages, we can generate $2^{x+8s}$ pairs of messages (P, P ), then ask the encryption oracle to obtain the corresponding ciphertexts (C, C). We have 7 $s$-bit filters after peeling off the last $MC$ layer from the ciphertext to $W_{19}$. Therefore, we have $N = 2^{x+8s-7s} = 2^{x+s}$ remaining pairs to do the attack and decrypt them partially over $SR^{-1}$ and compute $Z_{19}$.
(b) We can compute $\Delta X_{19}[13]$ from the knowledge of $Z_{19}[13]$ and $\Delta Z_{19}[13]$. Based on the properties of the $MC$ operation on col(2) of $W_{18}$, we have $\Delta X_{19}[13] = \Delta X_{19}[5]$. Since $Y_{19}[5] = Z_{19}[5] \oplus TK19[5]$ and we have $S^{-1}(Y_{19}[0]) \oplus S^{-1}(Y_{19}[0] \oplus \Delta Y_{19}[0]) = \Delta X_{19}[0]$, thus by using lemma 4, $TK19[0]$ can be determined. ( $TK19[2, 6]$.
(d) From the knowledge of $\Delta Z_{19}[8, 12]$ and $Z_{19}[8, 12]$, we can determine $\Delta X_{19}[8, 12]$. Based on the properties of the $MC$ operation on col(1) of $W_{18}$, we have $\Delta X_{19}[8] = \Delta X_{19}[12]$; checking the correctness of this equality will lead to an $s$-bit filter. Also, checking if $\Delta X_{19}[5]$ = 0xi, stores the pair on the list $L_i$. Obviously, each pair will be saved on one list and there is no need for filtering in this step. Compute $Y_2$ and $\Delta Y_2$ as shown in Figure 9. Checking if $\Delta Y_2[1]$ = 0xi, for each pair on the $L_i$ list, will lead to a total of an $s$-bit filter. Also, checking if $\Delta Y_2[4] = \Delta Y_2[11]$ will lead to another $s$-bit filter. Compute $Z_{18}$ and $\Delta Z_{18}$ as shown in Figure 9.
Checking if $\Delta X_{18}[10] = \Delta X_{18}[14]$ will lead to an $s$-bit filter. From the knowledge of $Z_{18}[14]$ and $\Delta Z_{18}[14]$ we can compute $\Delta X_{18}[14]$. Based on the properties of the $MC$ operation on col(3) of $W_{17}$, we have $\Delta X_{18}[2] = \Delta X_{18}[14]$. Since $Y_{18}[2] = Z_{18}[2] \oplus TK18[2]$ we have $S^{-1}(Y_{18}$ The time complexity of this step is $N$ and the number of tests left for the next step is $N \cdot 2^{-s}$.
2. Since we know $ETK[0, 1, 4, 5, 11, 13]$, from the knowledge of $TK19[0, 2, 5, 6]$, we can satisfy the round 1 by applying the following steps on all $N$ message pairs on all lists for the remaining tweakeys. This will lead to the determination of the number of possible values of $ETK1[7, 9, 14]$:
(a) Since we know $ETK[11]$, $\Delta Y_2[11]$ can be computed. Based on the properties of the $MC^{-1}$ operation on col(2) of $X_3$, we have $\Delta Y_2[11] = \Delta Y_2[14]$. Since $X_2[14] = Y_1[14] \oplus ETK[14]$ and we have $S(X_2[14]) \oplus S(X_2[14] \oplus \Delta X_2[14]) = \Delta Y_2[14]$, hence lemma 4 helps us to determine $ETK[14]$.
(b) Guess $ETK[10]$.
4. Satisfying the round 18, by applying the following steps on all $N$ message pairs on all lists for the remaining tweakeys, leads to the determination of the number of possible values of $TK18[2, 6]$:
(a)