Related-Tweak Statistical Saturation Cryptanalysis and Its Application on QARMA

A statistical saturation attack takes advantage of a set of plaintexts with some bits fixed while the others vary randomly, and then tracks the evolution of the resulting non-uniform plaintext distribution through the cipher. Previous statistical saturation attacks have all been carried out in the single-key setting, and there are no public attack models in the related-key/tweak setting. In this paper, we propose a new cryptanalytic method, which can be seen as a related-key/tweak statistical saturation attack, by revealing the link between related-key/tweak statistical saturation distinguishers and KDIB (Key Difference Invariant Bias) / TDIB (Tweak Difference Invariant Bias) ones. KDIB cryptanalysis was proposed by Bogdanov et al. at ASIACRYPT'13 and utilizes the property that there can exist linear trails whose biases are deterministically invariant under a key difference; the method extends directly to TDIB distinguishers if the tweak is also alternated. The link between them provides a new and more efficient way to find related-key/tweak statistical saturation distinguishers in ciphers. Thereafter, an automatic searching algorithm for KDIB/TDIB distinguishers is also given, which can be used to find word-level KDIB distinguishers for S-box based key-alternating ciphers. We apply this algorithm to QARMA-64 and give a related-tweak statistical saturation attack on 10-round QARMA-64 with outer whitening key. Besides, an 11-round attack on QARMA-128 is also given based on the TDIB technique. Compared with previous public attacks on QARMA including the outer whitening key, all attacks presented in this paper are the best ones in terms of the number of rounds.

The basis of linear cryptanalysis is a linear approximation of a given block cipher H. If the linear approximation holds with probability p, then the value p − 1/2 is called its bias ε. Since the probability of the linear approximation is related to the value of the user-supplied key κ used in the target cipher, the bias ε depends on κ. However, the entire linear hull is notoriously difficult to analyze because of the immense number of linear trails comprising it. In [BBR+13], Bogdanov et al. introduced a way to analyze the entire linear hull for key in Sect. 4, which can be implemented to search word-level KDIB distinguishers for S-box based key-alternating ciphers. Notice that this algorithm can also be used to search for TDIB distinguishers, seeing that the tweak can be seen as a kind of key. With this algorithm, we obtain 8-round TDIB distinguishers for both versions of QARMA, illustrated in Sect. 5.1, which are transformed into related-tweak statistical saturation distinguishers in Sect. 5.2.
Since its proposal, there have been several attacks on QARMA, such as meet-in-the-middle attacks [LJ18, ZD16] and impossible differential attacks [YQC18, ZDW18]. In [YQC18], Yang et al. proposed single-key single-tweak impossible differential attacks on 10/11-round QARMA-64 and -128. Unfortunately, their attacks are all invalid ones, since their complexities exceed the designer's security claim that the product of time and data complexity for QARMA-64 and -128 should be less than 2 128− and 2 256− for a small (e.g. 2), respectively. Besides, the attacks proposed in [ZD16] and [ZDW18] did not consider the outer whitening key. In terms of the number of rounds, the best known valid attacks considering the outer whitening key work on 9-round QARMA-64 and 10-round QARMA-128 [LJ18].
We mount related-tweak statistical saturation attacks on 10-round QARMA-64 in Sect. 6.1. Besides, a key recovery attack on 11-round QARMA-128 utilizing those 8-round TDIB distinguishers is proposed in Sect. 6.2 based on TDIB cryptanalysis. In fact, we found that the complexity of the TDIB attack on 10-round QARMA-64 is higher than that of the related-tweak statistical saturation attack, while the related-tweak statistical saturation attack on 11-round QARMA-128 has higher complexity than the TDIB attack. This means that the results of key recovery attacks based on the equivalent TDIB and related-tweak statistical saturation distinguishers can be very different. Therefore, the notion of a related-tweak statistical saturation distinguisher provides an additional cryptanalytic method for evaluating the security of block ciphers. All our results are presented in Table 1 along with those introduced in [LJ18]. From Table 1, our attacks on both versions of QARMA are the best ones considering the outer whitening key in terms of the number of rounds, and they all satisfy the security claim.

Key Difference Invariant Bias in Key-Alternating Ciphers
Daemen and Rijmen proposed the concept of a key-alternating cipher in [DR02], which forms a special but important subset of modern block ciphers. Many block ciphers belong to this set, including almost all SPN ciphers and some Feistel ciphers. Here we restate this concept as follows.

Definition 1. (Key-Alternating Block Cipher [DR02])
Let k_i represent the n-bit round key in round i of an iterative block cipher with 1 ≤ i ≤ r. The block cipher is key-alternating if k_i is XORed into the state at the end of the i-th round, and there also exists a subkey k_0 which is XORed with the plaintext before the first round.
A linear approximation of an iterative cipher (e.g. a key-alternating block cipher) is called a linear hull [Nyb94]. A linear hull (Γ, Λ) consists of all possible linear trails with input mask Γ and output mask Λ; it is said to be trivial if either Γ or Λ is zero, and non-trivial otherwise. For a linear trail θ of an r-round iterative block cipher, the input mask of round i is θ_{i−1} and the output mask is θ_i with 1 ≤ i ≤ r, so the trail can be denoted by the n(r + 1)-bit column vector θ = (θ_0, θ_1, . . . , θ_r). The linear hull (Γ, Λ) contains all θ with θ_0 = Γ and θ_r = Λ.
Denote F_2 as the field with two elements {0, 1} and F_2^n as the space of n-dimensional binary vectors over F_2. The inner product of binary vectors is Γ · x = ⊕_{j=0}^{n−1} Γ_j · x_j, with x_0 the rightmost bit of x, and the bias of the i-th round can be defined as where f : F_2^n → F_2^n represents the round function. The bias of the linear trail θ under κ for a key-alternating cipher is then For a key-alternating cipher, the bias ε of a linear hull can be computed if all biases of the linear trails comprising the hull are known, provided they are estimated under the same fixed key value.
But the truth is that we cannot know all biases of the linear trails in a linear hull because of their number. To fully utilize the entire linear hull for key-alternating ciphers, Bogdanov To find linear hulls with a corresponding key difference ∆ = K ⊕ K′ satisfying the KDIB condition, they proposed a sufficient condition for it. Let θ(j) be the j-th bit of the column vector θ. If θ(j) = 1, the j-th bit of ∆ is restricted to be zero; otherwise, the j-th bit of ∆ can be 0 or 1. This ensures that θ^t · K = θ^t · K′ holds for every θ in the linear hull.
Suppose that we have obtained an r-round KDIB distinguisher comprised of λ non-trivial linear hulls, where λ is high enough; we can use it to mount a key recovery attack as follows. First, we collect N plaintext-ciphertext pairs (P, C) under the user-supplied key κ and another N pairs (P′, C′) under κ′, where κ and κ′ satisfy K ⊕ K′ = ∆. Second, the partial state values x and x′ covered by these linear hulls can be obtained after guessing the corresponding key bits. After that, for each linear hull we compute S_i and S′_i with 1 ≤ i ≤ λ, recording the number of times x and x′ respectively satisfy this linear hull among all N pairs. We then compute the statistic Finally, if the value of s is larger than some threshold s_τ, we discard the corresponding key and try a different one. Otherwise, we accept it and check all the possible keys exhaustively by utilizing several plaintext-ciphertext pairs.

Proposition 3. ([BBR+13], Subsection 4.1)
Assume that one has obtained a KDIB distinguisher for a key-alternating block cipher which contains λ non-trivial linear hulls under the same fixed key difference ∆. Denote by α_0 the probability of rejecting the right key and by α_1 the probability of accepting a wrong key. For sufficiently large N and λ, the data complexity N is and the decision threshold s_τ is where q_{1−α_0} and q_{1−α_1} represent the respective lower quantiles of the standard normal distribution N(0, 1).
At the end of this subsection, we have to mention that KDIB cryptanalysis of key-alternating ciphers can be simply extended to TDIB or TKDIB (tweak or tweakey difference invariant bias) attacks on block ciphers with an alternated tweak or tweakey, since the tweak or tweakey can be seen as a kind of key and has the same effect on the bias of a linear hull. In order to mount TDIB or TKDIB attacks, we only have to replace the key with the tweak or tweakey in Proposition 2. Since the methods proposed for TDIB attacks apply equally to TKDIB attacks, we only use the notation TDIB in the rest of the paper to simplify the description.

Brief Description of QARMA
The QARMA block cipher [Ava17] is a family of lightweight tweakable block ciphers. It supports two block sizes, n = 64 and n = 128, denoted QARMA-64 and QARMA-128, respectively. The tweak size equals n, while the key has 2n bits. Its structure is described in Figure 1, which shows that it belongs to the class of key-alternating SPN ciphers.
QARMA-64 is a 14-round block cipher with a central construction composed of two central rounds and a Pseudo-Reflector construction, while QARMA-128 has 22 rounds with a same so that 4 × 4 matrices operate column-wise on these values by left multiplication. The 2n-bit key is separated into two parts w_0||k_0, where w_0 and k_0, the whitening and core keys, have the same length, and we have w_1 = o(w_0) = (w_0 ≫ 1) ⊕ (w_0 (n−1)) and . . , b_0). As shown in Figure 1, the round tweakey is the XOR of the core key, the round tweak and some constants. Every forward round function except the first round, which only consists of AddRoundTweakey and SubCells(S), is composed of four operations: AddRoundTweakey, ShuffleCells(τ), MixColumns(M) and SubCells(S). The operation τ is the same for both versions of QARMA, and (τ(IS))_i = s_{τ(i)} holds for 0 ≤ i ≤ 15 with τ = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]. Denote the following matrix by circ(0, ρ^a, ρ^b, ρ^c): then the matrix M used in QARMA-64 and QARMA-128 can be represented by circ(0, ρ, ρ^2, ρ) and circ(0, ρ, ρ^4, ρ^5), respectively. The multiplication of an element of IS by ρ^i is just a left circular rotation of the element by i bits, and the i-th column of the internal state after MixColumns is the corresponding column of M · IS. The backward round function is exactly the inverse of the forward round function, so we omit it here. The Pseudo-Reflector construction contains four operations: τ, a matrix multiplication (Q), AddRoundTweakey and the inverse of τ. In both versions of QARMA, we have Q = M.

Related-Tweak Statistical Saturation Cryptanalysis
In this section, we start from KDIB and TDIB distinguishers and convert them into related-key and related-tweak statistical saturation ones, respectively. The conversion method for KDIB distinguishers is identical to the one used for TDIB distinguishers, as will become clear below. Therefore, we only focus on how to convert TDIB distinguishers into related-tweak statistical saturation ones, since these are the distinguishers we use to attack QARMA.
Related-tweak statistical saturation cryptanalysis (related-tweak SS) fixes a part of the plaintext and takes all possible values for the other plaintext bits, and then considers the distribution of a part of the ciphertext under related-tweak pairs (z, z′), where z′ = z ⊕ ∆ and ∆ is a fixed value for all possible values of z. Our result shows that the distribution of a part of the ciphertext encrypted under z is the same as the one obtained under z′ if the bias under z equals that under z′ for all possible linear trails of the linear hull in the TDIB distinguisher (see Theorem 1 for details). This method can be regarded as an extension of statistical saturation cryptanalysis to the related-tweak setting.
To make it clear, we denote H : F_2^n × F_2^k → F_2^n as the target block cipher with block size n and tweak size k. We then split the input of H into two parts (x, y), where x is the part fixed during our attack and y is the part taking all possible values. Similarly, the output of H is divided into two parts (H_1(x, y, z), H_2(x, y, z)) and we only focus on the value distribution of H_1(x, y, z). So we have

The function T_I defined by
is actually the function H when the r bits in the first part of its input are fixed to I and only the t bits in the first part of its output are taken into account. Using the above notation, we introduce the conditional equivalence between TDIB and related-tweak statistical saturation distinguishers as follows.

Theorem 1. Let (Γ, Λ) be the linear hull of the target block cipher with
then T_I(y, z) has the same value distribution as T_I(y, z′) and vice versa, i.e., for any I ∈ F_2^r, if one fixes x as I ∈ F_2^r and takes all possible values for y, then we have To prove this theorem, we have to recall the theory of multidimensional linear cryptanalysis [HCN08].
If X is a random variable in F_2^m, the probability distribution p = (p_0, p_1, . . . , p_{2^m−1}) of X means that the probability that X takes value η is p_η, where η ∈ F_2^m. The bias of the linear hull (Γ, Λ) for the block cipher H under the tweak z is where the probability is taken over all choices of inputs x||y. The correlation of the linear hull can then be represented as Cor_z(Γ, Λ) = 2ε(z).
For a fixed tweak z, H can be seen as a vectorial Boolean function from F_2^n to itself. Suppose that there are m linearly independent binary mask pairs (α_i, β_i), i = 0, 1, . . . , m − 1. For each mask pair there is one linear approximation g_i^z of H, where g_i^z is denoted as

The m independent linear approximations form the base linear approximations. Let
Cor(g_i^z) be the correlation of g_i^z and g^z = (g_0^z, g_1^z, . . . , g_{m−1}^z) be the target m-dimensional value, which is a vectorial Boolean function from F_2^n to F_2^m for a fixed tweak z. Let a ∈ F_2^m be a combined mask; the correlation of the combined linear approximation a · g^z is denoted Cor(a · g^z). Suppose that the probability distribution of g^z is , the following corollary introduced in [HCN08] gives the relation between the probability p_η^z and the correlations of all 2^m linear approximations.
By applying the inverse Walsh-Hadamard transform to the above equality, we can achieve another corollary.
Proof. By using Corollary 1, we can find that holds for any a ∈ F_2^m. Following these two corollaries, we can prove Theorem 1 in the following way.
, there is a linear approximation g_i^z for the target block cipher H, where g_i^z is Hence, the (r + t) functions g_i^z form the base linear approximations, which implies that a · g^z with a ∈ F_2^{r+t} \ {0} covers all the possible mask pairs (Γ_in, Λ_out). Recall that Since ε(z) = ε(z′) holds for all possible mask pairs (Γ_in, Λ_out), we know that according to Corollary 1. Therefore, p_η^z = p_η^{z′} holds for any η ∈ F_2^{r+t}. From the definition of g_i^z, we obtain That is to say, if one fixes x to be I ∈ F_2^r and takes all possible values for y, then T_I(y, z) has the same value distribution as T_I(y, z′).
As for the converse, since T_I(y, z) has the same value distribution as T_I(y, z′), we see that p_η^z = p_η^{z′} holds for any η ∈ F_2^{r+t} according to the previous proof. With the help of Corollary 2, we obtain that Cor(a · g^z) = Cor(a · g^{z′}) holds for any a ∈ F_2^{r+t}. Note that the restriction to masks of the form (Γ_in, 0) and (Λ_out, 0), where the remaining bits are fixed to zero, is solely for simplicity of notation; as the proof shows, the positions of the zero bits do not affect the applicability of our theorem.
Assume that we have obtained a related-tweak statistical saturation distinguisher where T_I(y, z) has the same value distribution as T_I(y, z′) if x is fixed to some I ∈ F_2^r and y takes all possible values in F_2^s. We can use it to mount a key recovery attack by adding several rounds after it. First, we choose a set of plaintexts P = (x, y) with x = I and y taking all possible values in F_2^s. Then we obtain two sets of ciphertexts C and C′ by encrypting these plaintexts under z and z′, respectively. After guessing the corresponding key bits, we obtain the partial state values T_I(y, z) and T_I(y, z′) covered by the distinguisher. If T_I(y, z) and T_I(y, z′) have the same value distribution, the guessed key bits are taken as the right ones; otherwise, they are discarded. From Theorem 1, for the right key guess T_I(y, z) has the same value distribution as T_I(y, z′), hence the probability of rejecting the right key, α_0, is zero. To evaluate the probability of accepting a wrong key, α_1, we provide the following theorem.
Theorem 2. Following Theorem 1, the probability of accepting a wrong key fulfills If the guessed key is wrong, V_c and V′_c will be two independent random variables satisfying that It follows that the probability of accepting a wrong key is According to Lemmas 1 and 2 introduced in Appendix B, we have It follows that log_2(α_1) ≤ (2^t − 1 − t) 2^{s+1} − 2^{s(2^t − 1)/2}.
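The following Python, added here as an illustration and not part of the paper, checks Theorem 1 and the [HCN08] relation between p_η and the correlations on a constructed 8-bit toy tweakable cipher (r = 2 fixed bits x, s = 6 saturated bits y, t = 2 tracked bits H_1; the tweak is XORed once into the input, so a tweak difference confined to the y-part is a TDIB pair). It also evaluates the bound of Theorem 2; the parameters, S-box, bit permutation and tweak values are constructed assumptions, not QARMA.

```python
# Added example, not from the paper: numerical check of Theorem 1 (TDIB <=> related-tweak SS)
# and of the [HCN08] distribution/correlation relation on a constructed toy cipher.
# Toy parameters (constructed): block n = 8 = r + s with r = 2 fixed bits x and s = 6
# saturated bits y; t = 2 tracked output bits H_1; the tweak is XORed once into the input.

N, R, T, ROUNDS = 8, 2, 2, 3
S = N - R
# PRESENT S-box, used here only as a convenient 4-bit bijection for the toy rounds
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [0, 2, 4, 6, 1, 3, 5, 7]   # constructed bit permutation: input bit i moves to bit PERM[i]


def parity(v):
    """Inner-product parity: 1 if v has an odd number of set bits."""
    return bin(v).count("1") & 1


def toy_cipher(p, z):
    """H(x, y, z) on the 8-bit block p = x||y: one tweak addition, then ROUNDS SPN rounds."""
    st = (p ^ z) & 0xFF
    for _ in range(ROUNDS):
        st = (SBOX[st >> 4] << 4) | SBOX[st & 0xF]
        st = sum(((st >> i) & 1) << PERM[i] for i in range(N))
    return st


def h1(p, z):
    """H_1: the t most significant ciphertext bits, the part whose distribution is tracked."""
    return toy_cipher(p, z) >> (N - T)


def g(p, z):
    """g^z(x, y) = (x, H_1(x, y, z)), the (r+t)-bit vectorial function used in the proof."""
    return ((p >> S) << T) | h1(p, z)


def hull_sums(z):
    """2^n * Cor(a . g^z) for every combined mask a = (Gamma_in, Lambda_out) in F_2^{r+t};
    a with Lambda_out != 0 is exactly the hull ((Gamma_in, 0), (Lambda_out, 0)) of Theorem 1."""
    return {a: sum(-1 if parity(a & g(p, z)) else 1 for p in range(1 << N))
            for a in range(1 << (R + T))}


def distribution(z):
    """Counts of eta = g^z(x, y) over all 2^n inputs, i.e. 2^n * p^z_eta."""
    counts = {eta: 0 for eta in range(1 << (R + T))}
    for p in range(1 << N):
        counts[g(p, z)] += 1
    return counts


def distribution_from_correlations(z):
    """Corollary 1 of [HCN08]: p_eta = 2^-m * sum_a (-1)^{a.eta} Cor(a . g), m = r + t.
    Computed with exact integers; the final division is exact."""
    sums, m = hull_sums(z), R + T
    return {eta: sum(-sums[a] if parity(a & eta) else sums[a] for a in sums) // (1 << m)
            for eta in range(1 << m)}


def saturation_distribution(z, I):
    """Value distribution of T_I(y, z) = H_1(I, y, z): x fixed to I, y over all of F_2^s."""
    counts = {eta: 0 for eta in range(1 << T)}
    for y in range(1 << S):
        counts[h1((I << S) | y, z)] += 1
    return counts


def tdib_pair(z, z_prime):
    """TDIB check: every non-trivial hull ((Gamma_in,0),(Lambda_out,0)) has equal bias under z, z'."""
    a, b = hull_sums(z), hull_sums(z_prime)
    return all(a[m] == b[m] for m in a if m & ((1 << T) - 1))


def related_tweak_ss_pair(z, z_prime):
    """Related-tweak SS check: T_I(., z) and T_I(., z') are equally distributed for every I."""
    return all(saturation_distribution(z, I) == saturation_distribution(z_prime, I)
               for I in range(1 << R))


def log2_alpha1_bound(t, s):
    """Theorem 2's bound log2(alpha_1) <= (2^t - 1 - t) 2^{s+1} - 2^{s(2^t - 1)/2}, as an exact
    integer (assumes s(2^t - 1) is even, as for the paper's t = 4, s = 56)."""
    return ((1 << t) - 1 - t) * (1 << (s + 1)) - (1 << (s * ((1 << t) - 1) // 2))


if __name__ == "__main__":
    z = 0x3C  # constructed tweak value
    assert distribution_from_correlations(z) == distribution(z)
    # delta confined to the y-part: TDIB pair, hence (Theorem 1) related-tweak SS pair;
    # delta touching the x-part: Theorem 1 still makes both checks agree with each other
    for delta in (0b00001011, 0b10000000):
        print(f"delta={delta:08b} TDIB={tdib_pair(z, z ^ delta)} "
              f"SS={related_tweak_ss_pair(z, z ^ delta)}")
    print("QARMA-64 attack, log2(alpha_1) bound:", float(log2_alpha1_bound(4, 56)))
```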

Searching for KDIB Distinguishers with STP
In this section, we introduce how to find KDIB distinguishers for block ciphers. As pointed out at the end of Sect. 2.1, one can also find TDIB distinguishers by following the method illustrated in this section. For simplicity, we only describe how to find KDIB distinguishers here. From the ciphers that have been attacked using KDIB distinguishers, such as LBlock [WZ11] and TWINE [SMMK12], we found that this method is suitable for word-level key-alternating ciphers with S-boxes. Hence, we target the search for word-level KDIB distinguishers for S-box based key-alternating ciphers.
Recently, many cryptanalytic results have been obtained by utilizing various kinds of automatic searching tools. Among them, the Boolean Satisfiability Problem (SAT) [Coo71] / Satisfiability Modulo Theories (SMT) [BSST09] solver STP has been playing an important role. The application of STP to cryptanalysis was first suggested by Mouha and Preneel in [MP13]. It is a decision procedure that confirms whether a set of equations has a solution; these equations must follow the input language parsed by STP.
Actually, finding KDIB distinguishers can be converted into an existence problem.
Word-level mask propagation properties of the operations in the round function and bit-level difference propagation properties of the key schedule, which can both be represented by equations, must be described precisely. By considering the mask propagation property at word-level, we actually describe the propagation of necessary conditions on the family of consistent trails, which means that not all KDIB distinguishers can be found by our algorithm. In the original paper on KDIB cryptanalysis [BBR+13], the KDIB distinguishers for LBlock and TWINE are derived at bit-level for the key and at word-level for the data; in this way, longer distinguishers can be obtained, which is why we consider the key at bit-level. In addition to these propagation properties, equations representing the condition for KDIB distinguishers are also included, and extra equations, such as those requiring that at least one round key is non-zero, are included to exclude trivial distinguishers. Whether these equations have a solution directly tells us whether the expected KDIB distinguisher exists.
In practice, if we aim at finding R-round KDIB distinguishers covered by R_1 forward rounds and R − R_1 = R_2 backward rounds, then we should describe the mask propagation properties of the operations in both the encryption and the decryption procedure. Besides, equations describing the difference propagation properties of R rounds of the key schedule shall be included, as well as some extra equations. These constraint equations can be divided into four parts. Part 1 contains equations depicting the propagation between the input and output mask of an operation in the round function at word-level. Part 2 is composed of equations describing the difference propagation of the key schedule at bit-level. To make our searching algorithm more general, we also describe the difference propagation property of the S-box in this part, to cover ciphers containing an S-box in their key schedule; the propagation of the key difference then holds only with some probability, which leads to weak-key attacks. In Part 3, we describe equations representing the condition for KDIB distinguishers illustrated in Proposition 2. The last part, Part 4, comprises some extra but necessary equations.

Part 1. Equations for Basic Operations in Round Function
In this part, we use a theta variable to represent the active state of a word. A theta value of 0 means that the word is not active, and theta = 1 means that the word is definitely active or potentially active.

Property 1. (Substitution)
Let S be the S-box used in the round function of the target cipher. The active state of the input mask is θ_in, and the corresponding active state of the output mask is denoted θ_out. Then we have θ_out = θ_in.

Property 2. (XOR) Let θ_in1 and θ_in2 represent the active states of the two input masks of the XOR operation, and let θ_out be the active state of the output mask. Then the relation between them is θ_out
When deriving the mask propagation property of the branching operation, we always have to decide the mask active state of one of these three branches according to mask active states of the other two branches. Thus, we have the following property.

Property 3. (Three-Branch)
Let θ_1 and θ_2 denote two known mask active states, and let θ_3 be the mask active state to be decided. Then θ_3 = 1, which means that the corresponding branch is potentially active, if either θ_1 = 1 or θ_2 = 1 holds.
The linear layer can often be represented as a matrix multiplication. To specify the word-level mask propagation property of this operation, we introduce the following definition.

Figure 4: The Column-wise Active State Transitions for Class I Matrices

To make it clear, we take the matrix M used in QARMA-64 [Ava17] as an example. The word-level column-wise active state transitions for M are shown in Figure 3, where gray nibbles represent the active ones. Assume that the column vectors M_in = (x_0, x_1, x_2, x_3)^t and M_out = (y_0, y_1, y_2, y_3)^t denote the active states of the input and output mask for M, respectively. By observing all these possible transitions, some deterministic patterns can be identified, which are listed in Table 2 and used to produce the set G. We can then use this set to give the mask propagation property for the matrix M used in QARMA-64. Let θ_in and θ_out respectively represent the column-wise active state of the mask before and after M. Then θ_out = (1, 1, 1, 1)^t if θ_in ∉ G; otherwise, it equals the corresponding M_out shown in Table 2.
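As an added example (not code from the QARMA specification or from this paper), the following Python implements the word-level linear layer of QARMA-64 described in Sect. 2.2 (τ, and M = circ(0, ρ, ρ^2, ρ) with ρ^i acting as a left rotation of a nibble) and recomputes by brute force the set G of deterministic column-wise active-state transitions through M used above. It assumes the 16 cells are laid out row-major so that column j consists of cells j, j+4, j+8 and j+12; all function names are the example's own.

```python
# Added example, not from the QARMA specification or the paper: the word-level linear layer of
# QARMA-64 (ShuffleCells tau and MixColumns M = circ(0, rho, rho^2, rho)) and a brute-force
# computation of the set G of deterministic column-wise active-state transitions through M.
# Assumption: the 16 cells s_0..s_15 are stored row-major, so column j is (s_j, s_{j+4}, s_{j+8}, s_{j+12}).
from itertools import product

TAU = [0, 11, 6, 13, 10, 1, 12, 7, 5, 14, 3, 8, 15, 4, 9, 2]
M_ROW = (None, 1, 2, 1)    # first row of circ(0, rho, rho^2, rho); None marks the zero entry
MT_ROW = (None, 3, 2, 3)   # first row of M^T (the transpose of rho is rho^-1 = rho^3 on nibbles)


def rho(v, i):
    """rho^i . v: left circular rotation of the 4-bit cell v by i bits."""
    i %= 4
    return ((v << i) | (v >> (4 - i))) & 0xF


def circulant(first_row):
    """circ(a_0, a_1, a_2, a_3): entry (i, j) is a_{(j - i) mod 4}."""
    return [[first_row[(j - i) % 4] for j in range(4)] for i in range(4)]


def mix_column(col, first_row=M_ROW):
    """Left-multiply one column of four cells by the circulant: y_i = XOR_j rho^{e_ij} . x_j."""
    mat = circulant(first_row)
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            if mat[i][j] is not None:
                acc ^= rho(col[j], mat[i][j])
        out.append(acc)
    return out


def shuffle_cells(state):
    """tau: (tau(IS))_i = s_{tau(i)}."""
    return [state[TAU[i]] for i in range(16)]


def mix_columns(state):
    """M applied column-wise to the whole 16-cell state (row-major layout assumed)."""
    out = list(state)
    for j in range(4):
        col = mix_column([state[j + 4 * k] for k in range(4)])
        for k in range(4):
            out[j + 4 * k] = col[k]
    return out


def active_pattern(col):
    """Column-wise active state: 1 for a non-zero cell, 0 otherwise."""
    return tuple(int(v != 0) for v in col)


def deterministic_transitions(first_row=M_ROW):
    """Build G by brute force: for each input activity pattern theta_in, let every active cell
    run over all 15 non-zero nibbles and collect the output patterns; theta_in belongs to G
    (with its unique output) only when every input of that pattern gives the same output pattern."""
    G = {}
    for theta_in in product((0, 1), repeat=4):
        cells = [range(1, 16) if a else (0,) for a in theta_in]
        outs = {active_pattern(mix_column(list(col), first_row)) for col in product(*cells)}
        if len(outs) == 1:
            G[theta_in] = outs.pop()
    return G


def propagate_active(theta_in, G):
    """Word-level propagation through M: the G entry if theta_in is in G, else all potentially active."""
    return G.get(tuple(theta_in), (1, 1, 1, 1))


if __name__ == "__main__":
    G = deterministic_transitions()
    for theta_in, theta_out in sorted(G.items()):
        print(theta_in, "->", theta_out)
    print("M is an involution:", mix_column(mix_column([1, 2, 3, 4])) == [1, 2, 3, 4])
    # linear masks propagate through (M^-1)^T = M^T, which yields the same deterministic set
    print("same G for M^T:", deterministic_transitions(MT_ROW) == G)
```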
Notice that when describing the mask propagation property of a matrix-based linear layer, we only describe the propagation from the input mask. To obtain the mask propagation property from the output, we only have to generate the set G for M^{−1}, the inverse matrix of M, and use Property 4 to derive the corresponding equations.

Part 2. Equations for Basic Operations in Key Schedule
Property 5. (Substitution) Let S be the S-box used in the key schedule and DDT its differential distribution table. The input and output differences are δ_in and δ_out, respectively. If the corresponding differential propagation probability is denoted p, we have p = DDT(δ_in, δ_out). Then the relation is p ≠ 0.

Property 6. (XOR) Let δ_in1 and δ_in2 represent the input differences, and let δ_out be the output difference. Then the relation between them is
Property 7. (Three-Branch) Let δ_in represent the input difference of the operation, while δ_out1 and δ_out2 are the output differences. Then the relation between them is δ_out2 = δ_out1 = δ_in.

Part 3. Equations Depicting the KDIB Condition illustrated in Proposition 2
Given an r-round linear hull (θ_0, θ_r) and the corresponding differences on the key {δ_0, δ_1, . . . , δ_r}, the KDIB condition is that ⊕_{j=0}^{r} θ_j · δ_j = 0 holds for all possible linear trails {θ_0, θ_1, . . . , θ_r} with ε_θ ≠ 0 in this linear hull. Since we only track the active state of masks, this condition is hard to use directly when searching for distinguishers. Hence, we describe the KDIB condition at word-level.

Property 8. (Word-Level KDIB Condition)
Given an r-round linear hull (θ_0, θ_r) and the corresponding differences on the round keys {δ_0, δ_1, . . . , δ_r}, the difference of the i-th word δ_j[i] must be zero whenever the active state of its mask is 1, for all 0 ≤ j ≤ r.

Part 4. Extra Equations
In order to exclude trivial solutions to these equations, we have to add the constraints that at least one round key is non-zero. And equations describing the active state of input and output mask are also included in this part. For ciphers containing S-box in their key schedule, equations restricting the total propagation probability are included in this part.
Given all these properties, the searching algorithm for KDIB distinguishers is listed in Algorithm 1.

TDIB and Related-Tweak Statistical Saturation Distinguishers for QARMA
Our target cipher QARMA is briefly introduced in Sect. 2.2. In its specification [Ava17], the designer claims that the attacker does not have control over the key, but she may have full control over the tweak. Therefore, we focus on related-tweak attacks on QARMA. In this section, we utilize the searching algorithm given in Sect. 4 to find TDIB distinguishers for QARMA.
Under the restriction that there is only one active word in both the input and output mask, we obtained many 6-round distinguishers for QARMA-64 and -128. To find longer distinguishers, we increased the number of active words in both input and output mask, and finally found 7 different kinds of 8-round TDIB distinguishers, which are used to mount a key recovery attack on 11-round QARMA-128 in Sect. 6.2. Then, several 8-round related-tweak statistical saturation distinguishers for QARMA-64 are presented, which are transformed from these 8-round TDIB distinguishers by means of Theorem 1. These related-tweak statistical saturation distinguishers are used to mount key recovery attacks on 10-round QARMA-64 in Sect. 6.1.

TDIB Distinguishers for 8-Round QARMA
As we can see from Figure 1, QARMA has a central construction consisting of two central rounds and a Pseudo-Reflector construction in the middle of the encryption procedure. Thus, we have to construct equations for this part as well as for all the other operations in the round function and the tweak update function. Besides, since we only focus on related-tweak attacks, the difference on the user-supplied key is restricted to zero, while the difference on the tweak is non-zero. Here, we set the number of active words in both the input and output mask to be 1.
Adding all the above extra equations to Algorithm 1, we obtained many 6-round distinguishers with 2 rounds before the central construction and another 2 rounds after it for both versions of QARMA. However, if we relax the restriction of one active word in both input and output mask, longer distinguishers may be obtained. As a result, we achieved 8-round TDIB distinguishers by setting two active words in both input and output mask. These two active words in the input/output mask are restricted to lie in the same column after the operation τ in the first/last round of the expected distinguisher, and they are transferred into two active words at the same position after the operation M, which forces us to impose some additional restriction on their mask values.
To be more specific, we denote these active words in the linear hull (Γ, Λ) as Γ[in_0], Γ[in_1], Λ[out_0] and Λ[out_1]. All possible combinations of (in_0, in_1) satisfying the above restriction are shown in Table 3. Notice that the restriction on (out_0, out_1) is actually the same as that on (in_0, in_1); thus Table 3 also lists all the possible combinations of (out_0, out_1). In order to get the expected distinguishers, we have to restrict the values of the input and output masks. For the Type-I combinations shown in Table 3, the restriction on the mask values is given in Restriction 1, and Restriction 2 describes the constraint for Type-II combinations. To construct TDIB distinguishers based on linear hulls satisfying Restriction 2, we must determine whether there exists a common tweak difference for the linear hulls with the same positions of active words. For both versions of QARMA, we found the corresponding tweak difference for all Type-II combinations except (in_0, in_1) = (10, 15) with the help of STP. The number of non-trivial linear hulls contained in the 8-round distinguisher is (2^4 − 1)(2^4 − 1) for QARMA-64 and (2^8 − 1)(2^8 − 1) for QARMA-128.

Restriction 1. For both versions of
Hence, we have obtained 7 different kinds of TDIB distinguishers for both versions of QARMA containing linear hulls satisfying Restriction 2. To be specific, the 8-round distinguisher with (in_0, in_1) = (0, 5) for QARMA-64 is shown in Figure 4, while the concrete figure of the distinguisher with (in_0, in_1) = (0, 5) for QARMA-128 is omitted due to the similarity between them. The tweak differences of these two distinguishers are listed in Table 4. As for the other 6 kinds of TDIB distinguishers, we do not show the concrete figure or the tweak difference here due to their similarity with these two distinguishers and the limits of paper length.

Table 4: Difference of Round Tweak for 8-Round QARMA with (in_0, in_1) = (0, 5)

round   ∆t_i for QARMA-64       ∆t_i for QARMA-128
5       0x0000000040000000      0x00000000000000001600000000000000
6       0x0000000000004000      0x00000000000000000000000016000000
7       0x0000000004000000      0x00000000000000000016000000000000
8       0x0000000000000200      0x000000000000000000000000008B0000
9       0x0000000000000200      0x000000000000000000000000008B0000
10      0x0000000004000000      0x00000000000000000016000000000000
11      0x0000000000004000      0x00000000000000000000000016000000
12      0x0000000040000000      0x00000000000000001600000000000000

Related-Tweak Statistical Saturation Distinguishers for QARMA-64
Here, we will transform these 8-round TDIB distinguishers into related-tweak statistical saturation (SS) ones by utilizing Theorem 1. Since we mount attacks by only adding several rounds at the bottom of these distinguishers, the first round of each should be a reduced one. Notice that a reduced first round of QARMA is only composed of AddRoundTweakey and SubCells. One such related-tweak SS distinguisher transformed from the TDIB distinguisher is shown in Figure 4 take all possible values in F_2^8 \ {0} due to Λ[out_0] = Λ[out_1], Theorem 1 cannot be used directly to transform such TDIB distinguishers into related-tweak SS ones. But we can achieve it after changing the output of H, and obtain the following theorem, which can be proved in a similar way to Lemma 1 in [HCGW18]. Proof. We rewrite the cipher H with four inputs and three outputs: y, z, κ)).
Recall that the bias of the linear hull (Γ, Λ) under (z, κ) can be represented by where Λ = (Λ_out, 0) with Λ_out = Λ[out_0]. Hence for the function H′, the bias of (Γ, Λ′) under (z, κ) is the same as that under (z′, κ). In other words, an 8-round TDIB distinguisher for H implies an 8-round TDIB distinguisher for H′. Therefore, we can apply Theorem 1 to H′ to obtain the following related-tweak invariant distribution property: To make it clear, we list all these 8-round related-tweak SS distinguishers in Table 5, which use the related-tweak invariant distribution stated in Theorem 3. Besides, the tweak differences of these distinguishers are listed in Appendix C.

Key Recovery Attacks on Reduced-Round QARMA
In this section, we present the related-tweak SS attack on 10-round QARMA-64 and the TDIB attack on 11-round QARMA-128. In fact, we have also tried to recover the key for QARMA-64

Attack Complexity
According to Theorem 2, the probability of accepting a wrong key satisfies log_2(α_1) ≤ (2^4 − 1 − 4) · 2^{56+1} − 2^{56(2^4 − 1)/2} ≈ −2.7 × 10^{126}. By running Algorithm 3, we can obtain 32 guessed key bits. Hence, the number of wrong keys left is 2^{32} × α_1 ≈ 0, which means that the 32 guessed key bits left are actually the right ones. The data complexity of Algorithm 3 is 2^{57} chosen plaintext-tweak pairs, while the memory requirement is the 2^{29.6} bits needed for these arrays. The main time cost of Algorithm 3 is querying 2^{57} ciphertexts, i.e. 2^{57} 10-round encryptions. Obviously, the data complexity, memory requirements and total time complexity of the procedures with the No. 3, No. 4 and No. 7 distinguishers are the same as those of Algorithm 3. It follows that the total data complexity of this key recovery attack is N = 2^{59} chosen plaintext-tweak pairs, while the memory requirement is M = 2^{29.6} bits since these arrays can be reused across procedures, and the total time complexity is T ≈ 2^{59} 10-round encryptions. Note that T · N = 2^{118} ≤ 2^{126}, which means that this attack is a valid one.