Accelerating the Search of Differential and Linear Characteristics with the SAT Method

The introduction of the automatic search boosts the cryptanalysis of symmetric-key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or ciphers with large state sizes. Compared with the extensive attention on the enhancement for the search with the mixed integer linear programming (MILP) method, few works care for the acceleration of the automatic search with the Boolean satisfiability problem (SAT) or satisfiability modulo theories (SMT) method. This paper intends to fill this vacancy. Firstly, with the additional encoding variables of the sequential counter circuit for the original objective function in the standard SAT method, we put forward a new encoding method to convert the Matsui's bounding conditions into Boolean formulas. This approach does not rely on new auxiliary variables and significantly reduces the consumption of clauses for integrating multiple bounding conditions into one SAT problem. Then, we evaluate the accelerating effect of the novel encoding method under different sets of bounding conditions. With the observations and experience in the tests, a strategy on how to create the sets of bounding conditions that probably achieve extraordinary advances is proposed. The new idea is applied to search for optimal differential and linear characteristics for multiple ciphers. For PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE, and some versions in SIMON and SPECK families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. The acceleration method is also employed to speed up the search of related-key differential trails for GIFT-64. Based on the newly identified 18-round distinguisher with probability $2^{-58}$, we launch a 26-round key-recovery attack with $2^{60.96}$ chosen plaintexts. To our knowledge, this is the longest attack on GIFT-64.
Lastly, we note that the attack result is far from threatening the security of GIFT-64 since the designers recommended users to double the number of rounds under the related-key attack setting.


Introduction
Differential [BS90] and linear [Mat93] cryptanalyses can be seen as the cornerstone of modern cryptanalysis techniques for symmetric-key ciphers. Resistance against these two attacks is regarded as the baseline in the design of new primitives. The first step for the evaluation of the security against these attacks is to find differential and linear trails with non-random behaviours. Shortly after the introduction of linear cryptanalysis, Matsui [Mat94] proposed a branch-and-bound depth-first searching algorithm that can be used to identify the optimal differentials with the maximum probability of symmetric-key primitives.
The advantage of this algorithm is enhanced by taking in the customised optimisation for the specific cipher, which puts a high demand for sophisticated programming skills.
At the beginning of the last decade, the automatic method came on the stage and showed incredible performances in search of various distinguishers in cryptanalysis. The first category of the automatic search is based on the mixed integer linear programming (MILP) method, which was first introduced by Mouha et al. [MWGP11] to estimate the lower bound on the number of differential and linear active S-boxes. Later, this method was refined by Sun et al. [SHW+14] to search for (related-key) differential characteristics concerning bit-oriented block ciphers. Following that, the MILP method is further applied to accomplish tasks in search of multiple sorts of distinguishers, such as differential and linear characteristics for ARX ciphers [FWG+16], integral distinguishers [XZBL16], zero-correlation distinguishers [CJF+16], impossible differential distinguishers [ST17b], and non-blackbox polynomials manipulated in the cube attack [TIHM17].
Another important branch of the automatic search is based on the Boolean satisfiability problem (SAT) or the more general extension called satisfiability modulo theories (SMT) method. The initial work considering the usage of the SAT/SMT method in search of differential characteristics for ARX ciphers was proposed by Mouha and Preneel [MP13]. Also, this method is generalised to find various cryptanalytic distinguishers, including differential and linear characteristics for the SIMON-like round function [KLT15], linear trails for ARX ciphers [LWR16], and division properties for ARX ciphers [SWW17].
The automatic method enables users to write relatively simple codes to convert the distinguisher searching problem into the underlying mathematical problem, which can be handled by some openly available solvers. However, since the performance of the automatic search is tied to the power of the mathematical problem solver, the efficiency is not always satisfactory for the search of long trails or ciphers with large state sizes.
Many works aimed at an improvement in the efficiency of the MILP method, and we only name a few. Sasaki and Todo [ST17a] put forward a new algorithm that ensures the minimum number of inequalities for modelling S-boxes in search of differential characteristics. Furthermore, the relation between the number of inequalities and the runtime was studied, and they experimentally showed that minimising the number of inequalities does not always minimise the runtime. At ISC 2018, Zhang et al. [ZSCH18] incorporated the Matsui's bounding conditions into the MILP model and observed acceleration in search of differential trails for PRESENT [BKL+07] and SIMON [BSS+13]. Later, Li et al. [LWZZ19] investigated the relationship between the construction of the MILP model and the runtime. The results for PRESENT and GIFT [BPP+17] were updated by carefully elaborating the MILP model. With the central observation that high-probability differential/linear characteristics are likely to have a lower number of active S-boxes at a certain round, Zhou et al. [ZZDX19] came up with a divide-and-conquer approach to optimise the search with MILP. The whole searching space was split into several subspaces, and the MILP model was separately implemented on every subspace. At the same conference, Boura and Coggia [BC20] created efficient MILP models for S-boxes and linear layers of SPN ciphers and showed an impact on AES [DR02] and SKINNY-128.
Compared with the extensive attention regarding the improvement of the MILP method, few works consider the acceleration of the automatic search with the SAT/SMT method. As far as we know, the unique work related to this topic is proposed by Song et al. [SHY16]. They practised a splicing heuristic method to find better differential trails for ARX ciphers. Consequently, this paper is motivated by this vacancy and endeavours to speed up the search with the SAT method.

Our Contributions
In this paper, we study how to accelerate the search of differential and linear characteristics with the SAT method. In light of the enhanced performance of the MILP method [ZSCH18] with Matsui's bounding conditions, we wonder about the feasibility of integrating the bounding condition into the SAT method. Centred on this issue, the contributions of this paper can be classified into four parts.
Novel method to encode Matsui's bounding conditions. The standard SAT method applies the sequential encoding method to realise the transformation of the Boolean cardinality constraint $\sum_{j=0}^{n-1} x_j \le k$ with $O(n \cdot k)$ variables and clauses. Thus, for the constraint $\sum_{j=e_1}^{e_2} x_j \le m$ corresponding to Matsui's bounding condition, the direct conversion by reusing the previous method consumes $O((e_2 - e_1) \cdot m)$ variables and clauses. Nevertheless, when multiple bounding conditions are considered, this direct approach will notably raise the number of variables and clauses in the SAT problem, which may result in a negative influence on the efficiency of the searching phase. To overcome this shortcoming, we put forward a new method that manipulates the additional encoding variables of the sequential counter circuit for the original objective function. Without introducing any new variables, the number of clauses is reduced from $O((e_2 - e_1) \cdot m)$ to $e_2 - e_1$ or $k - m$ depending on the concrete values of $e_1$ and $e_2$.
Direction for the selection of the bounding condition. With the novel encoding method, multiple bounding conditions can be conveniently integrated into the standard SAT method. However, whether the searching phase regarding the modified SAT problem can be accelerated is the actual problem. We take the distinguisher searching problem of GIFT-64 as an illustration and compare the runtime for solving SAT problems involving different sets of bounding conditions. With the observations in the tests, we experimentally show the accelerating effect of the encoding method. Further, a strategy on how to select the sets of bounding conditions that potentially achieve extraordinary advances is proposed. We hope it may be helpful for both designers and attackers in search of differential and linear characteristics.

Complete bounds about differential and linear characteristics of multiple ciphers. The new idea is exploited to search for various trails of multiple primitives. For PRESENT, GIFT-64, RECTANGLE [ZBL+15], LBlock [WZ11], TWINE [SMMK12], and some versions in SIMON and SPECK [BSS+13] families of block ciphers, we obtain the complete bounds (full rounds) on the number of active S-boxes, the differential probability, as well as the linear bias. To our knowledge, we are the first to offer complete information about the optimal differential and linear characteristics. For GIFT-128, we obtain the full picture regarding the number of differential and linear active S-boxes. Beyond that, the optimal differential trails with the maximum probability of GIFT-128 for up to 29 rounds and the optimal linear characteristics with the maximum correlation for up to 25 rounds are discovered. Although Li et al. [LWZZ19] also found a 20-round differential trail with probability $2^{-121.415}$, their searching method did not ensure the optimality. All the searches in this paper guarantee the optimality. A comparison of the maximum length of differential and linear trails with different approaches for SPECK is provided in Table 1. For all versions in the SPECK family of block ciphers, our results reach the maximum length of differential and linear trails among all methods targeting the optimal trail.
Related-key differential attack on 26-round GIFT-64. The acceleration method can also be employed to speed up the search of related-key differential characteristics. In this way, for GIFT-64, we get an 18-round related-key differential distinguisher with probability $2^{-58}$. This distinguisher is utilised to launch a 26-round key-recovery attack. The data complexity is $2^{60.96}$ chosen plaintexts, the time complexity is $2^{123.23}$ 26-round encryptions, and the memory complexity is about $2^{102.86}$. As far as we know, this is the longest attack on GIFT-64. A summary of cryptanalytic results on GIFT-64 to date is provided in Table 2. We note that our result is far from threatening the security of GIFT-64 since the authors recommended users to double the number of rounds under the related-key attack setting.
Outline. The relevant contents on the automatic search with the SAT method are introduced in Sect. 2. In Sect. 3, we propose a method to encode Matsui's bounding conditions into Boolean formulas with a minor increment on the number of clauses. To figure out the accelerating effect of the bounding condition, we investigate the performances regarding different sets of bounding conditions in Sect. 4. Also, a strategy for the selection of the bounding condition is presented. The novel searching method is applied to several block ciphers and derives many new findings in Sect. 5. We conclude the paper in Sect. 6. The source codes are publicly available at https://github.com/SunLing134340/Accelerating_Automatic_Search.
2 Automatic Searches with the SAT Method

Preliminaries about SAT and SMT Problems
A formula is named as a Boolean formula if it is formulated with Boolean variables, operators AND ($\wedge$), OR ($\vee$), NOT ($\overline{\,\cdot\,}$), and parentheses. Every Boolean formula can be converted into an equivalent formula that is in conjunctive normal form (CNF) [RN10, Sob10], which is of the form $\bigwedge_{i=0}^{n} \bigl( \bigvee_{j=0}^{m_i} C_{ij} \bigr)$, where each $C_{ij}$ ($0 \le i \le n$, $0 \le j \le m_i$) is either an atomic formula, i.e., a variable or constant, or the negation of an atomic formula, and each disjunction $\bigvee_{j=0}^{m_i} C_{ij}$ is called a clause.
The Boolean satisfiability problem (SAT) is the problem of determining whether there exists an evaluation for the binary variables such that the value of the given Boolean formula equals one. Although the SAT problem is the first problem that was proven to be NP-complete [Coo71], modern SAT solvers can solve problem instances comprising tens of thousands of variables and millions of clauses.
An extension of the SAT problem is the satisfiability modulo theories (SMT) problem, in which some of the Boolean variables are replaced by predicates over a suitable set of binary and (or) non-binary variables. The predicates are binary-valued functions, such as linear inequalities, arrays, and all-different constraints. This kind of extension typically remains NP-complete, and a great deal of SMT solvers available to date follow the eager approach, which interprets SMT instances into SAT instances first and then transfers the CNF formulas to a SAT solver.

Related Works about the Search with the SAT/SMT Method
We investigate all literature involving the search of differential and (or) linear characteristics in cryptanalysis with the SAT/SMT method and find that most of these works [MP13, AJN14, Ste, KLT15, SHY16, AK18, LLL+19, RLA20, ARS+20] rely on the SMT method and utilise the SMT solver STP [GD07]. The remaining two works [LWR16, SWW18] that claim to be SAT-based methods tie to the generalised SAT problem with XOR clauses in the CNF formula since the employed SAT solver, which is called Cryptominisat [SNC09], is specially designed to be compatible with XOR operations. Thus, none of the existing automatic tools is realised with the real SAT problem that only admits AND, OR, and NOT operations.
In this work, we aim at accelerating the search for optimal differential and linear characteristics with the real SAT method. The SAT solver we use is CaDiCaL [Bie19], which is based on the conflict-driven clause learning (CDCL) algorithm [SS96, JS97]. The internal functioning of the CDCL algorithm is inspired by the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [DP60, DLL62], which is the kernel of some frequently-used SAT solvers, including Cryptominisat as mentioned above. Nevertheless, the CDCL algorithm can learn new clauses with conflict analysis. Another notable distinction between the CDCL and DPLL algorithms is that the back jumping in the CDCL algorithm is non-chronological. Both the clause learning and the modified backtracking phases do not alter the soundness and completeness of the algorithm. We observe that CaDiCaL is faster than Cryptominisat regarding differential and linear trails searching problems, and this is the main reason that we choose this SAT solver.
To discover useful distinguishers with the off-the-shelf SAT solver, we should specify the distinguisher searching problem with CNF formulas. The clauses in a CNF formula regarding the search of the optimal differential or linear trail are classified into two groups. The first group represents the propagations of differences or linear masks inside the cipher, and the second one measures the non-random feature of the trail, which can be set as the number of active S-boxes, the differential probability, or the linear bias, optionally. In the remainder of this section, we first recall SAT models demonstrating the differential and linear propagations of some necessary operations, which act as components of the primitives analysed in this paper. Then, the second group of clauses constructed with the sequential encoding method is introduced.

SAT Models of Some Necessary Operations
We start with the non-probabilistic models of two linear operations, which are branching and XOR operations. The differential and linear propagations of these operations are deterministic. After that, probabilistic models of some non-linear operations are presented.

Non-probabilistic Models
In the following, $\alpha_i$ ($0 \le i \le n-1$) denotes the i-th bit of the n-bit vector $\alpha$. We always use $\alpha_0$ to stand for the most-significant bit.

Differential Model 1 (Branching). For the n-bit branching operation shown in
For the n-bit XOR operation illustrated in Figure 1 (b), we use α and β to represent the two input differences and denote the output difference as γ. The differential holds if and only if the values of α, β, and γ validate all the assertions in the following.
Generally, for the n-bit XOR operation with k inputs as in Figure 1 (c), we denote the k input differences as $\alpha^0, \alpha^1, \ldots, \alpha^{k-1}$ and the output difference as γ. There is a trade-off between the number of variables and the number of clauses when we construct the differential model of this operation. On the one hand, we can decompose the k-input XOR operation into $(k-1)$ 2-input XOR operations as in Figure 1 (d) and introduce $(k-2) \cdot n$ auxiliary Boolean variables to keep track of the differences of the $k-2$ intermediate states. After sequentially applying Differential Model 1 to the $(k-1)$ 2-input XOR operations, the differential propagation of the k-input XOR operation can be expressed with $4 \cdot (k-1) \cdot n$ clauses. On the other hand, the propagation can be established with $n \cdot 2^k$ clauses without using any auxiliary variables. To be explicit, for each of the $2^k$ $(k+1)$-tuples $(a_0, a_1, \ldots, a_k)$ of Boolean variables with
Note that these equations are clauses in CNF formulas since $\alpha^j_i \oplus a_j$ equals $\alpha^j_i$ if $a_j$ is zero and equals $\overline{\alpha^j_i}$ otherwise. At the same time, the valid differential propagation $(\alpha^0, \alpha^1, \ldots, \alpha^{k-1}) \to (\gamma)$ fulfils these clauses, simultaneously. As the values of k for the XOR operations with more than two inputs in the subsequent probabilistic models are relatively small, we always pick the second option, which maintains the minimum number of variables.
Besides, to create the differential model of the matrix multiplication operation, which is exploited in multiple ciphers to provide the diffusion property, we note that this operation can be written as a sequence of branching and XOR operations [SLR+15]. Hence, the model can be generated with Differential Model 1 and 2.
Since the propagations of differences and linear masks concerning the branching and XOR operations are dual [SLR+15], the linear model of the branching (resp. XOR) operation is the same as the differential model of the XOR (resp. branching) operation. Thus, we do not restate the non-probabilistic linear models.

Probabilistic Models
The propagations of differences and linear masks for non-linear operations are probabilistic.
Here, we consider three non-linear operations, which are S-box, modular addition operation, and SIMON-like round function.

S-box.
We implement the method in [SWW18] to create differential and linear models of S-boxes. For primitives with S-boxes as building blocks, the automatic searches of distinguishers in the field of differential and linear cryptanalyses accomplish two goals. One is finding optimal trails with the minimum number of active S-boxes, and the other one is discovering optimal trails with the maximum differential probability or linear correlation. We take the construction of the differential model concerning the number of active S-boxes as an instance. Likewise, we can generate remaining differential and linear models of S-boxes regarding different searching purposes. Denote $(\alpha_0, \alpha_1, \ldots, \alpha_{s-1})$ and $(\beta_0, \beta_1, \ldots, \beta_{s-1})$ the input and output differences of the s-bit S-box as in Figure 2 (a). An extra binary variable w is required to characterise whether the S-box is active or not. With the differential distribution table (DDT), if $(a_0, a_1, \ldots, a_{s-1}) \to (b_0, b_1, \ldots, b_{s-1})$ is a possible differential propagation with a nonzero probability, w is set as one. w equals zero if the differential propagation $(a_0, a_1, \ldots, a_{s-1}) \to (b_0, b_1, \ldots, b_{s-1})$ is deterministic. Then, we enumerate all η $(2 \cdot s + 1)$-bit negative combinations (a such that neither of the two assignment rules is satisfied. The following η clauses constitute a primary differential model of the given S-box,
To generate a model with fewer clauses, we first define a function f over the $(2 \cdot s + 1)$-bit vector $x = (x_0, x_1, \ldots, x_{2 \cdot s})$ as
Equivalently, f can be reformulated as the product-of-sum representation
where $c = (c_0, c_1, \ldots, c_{2 \cdot s})$. After simplifying this representation with some openly available programs such as Logic Friday and Espresso, a smaller set of clauses is yielded, which is the differential model we adopt in the implementation.

Modular addition operation.
The modular addition operation is a crucial ingredient for ARX ciphers. The differential and linear models of the modular addition operation with CNF formulas are adapted from the models in [MP13] and [LWR16], respectively. Note that the XOR operations signified by '⊕' in the following models are symbolic representations, which ensure compact descriptions of the models. In the implementation, these XOR operations are converted into CNF formulas with the method in Sect. 2.3.1.

Differential Model 3 (Modular Addition, [MP13]). For the n-bit modular addition operation as in Figure 2 (b), we use α and β to stand for the two input differences and denote the output difference as γ. The differential is valid if and only if the values of α, β, and γ validate all the assertions listed below.
The weight, which is the negative value of the binary logarithm of the differential probability, of the valid differential is
Linear Model 1 (Modular Addition, [LWR16]). For the n-bit modular addition operation as in Figure 2 (b), we use α and β to represent the two input linear masks and denote the output mask as γ. Additionally, we introduce an n-bit vector z to assist us in evaluating the correlation. The correlation of the linear approximation is nonzero if the values of α, β, γ, and z fulfil all the constraints in the following.
Similarly, the binary logarithm of the absolute value of the correlation reflects the performance of the linear approximation in the attack. The opposite number of this feature is calculated as
Differential Model 4 (SIMON-like Round Function, [KLT15]). For the n-bit SIMON-like round function, we denote α and β the input and output differences, respectively. Additionally, three n-bit variables varibits, doublebits, and z are incorporated so that we can evaluate the differential probability. If α is not an all-ones vector, the differential is valid if and only if the values of α, β, varibits, doublebits, and z validate all the constraints listed below.

SIMON-like round function. As in
The weight of the possible differential is
The linear model (cf. Theorem 5) in [KLT15] is an elegant model that perfectly handles the dependency and thus results in a precise evaluation for the linear property of SIMON. However, for the difficulty of encoding this model with Boolean equations, we do not apply it. Instead, we regard the AND operations in the round function as independent S-boxes and claim the linear approximations of SIMON found in this paper are heuristic. Specifically, for the linear model, we consider the AND operation with two input bits as $(x_{(i+a) \bmod n}, x_{(i+b) \bmod n})$ and view it as an S-box. After computing its linear approximation table (LAT), we exploit the model generating method for S-boxes to complete the formation of the linear model.
Linear Model 2 (SIMON-like Round Function). For the n-bit SIMON-like round function, we denote the input and output linear masks as α and β, respectively. Two auxiliary n-bit variables $\gamma^0$ and $\gamma^1$ are employed to record the two input masks of the AND operation. To estimate the linear correlation, we also import an n-bit variable z. The correlation of the linear approximation is nonzero if the values of α, β, $\gamma^0$, $\gamma^1$, and z validate all the constraints listed in the following.
The value of $\sum_{i=0}^{n-1} z_i$ equals the opposite number of the binary logarithm of the absolute value of the correlation.
In the application, to characterise the differential or linear propagation inside the cipher, we first decompose the round function into a sequence of basic operations and generate SAT models for these operations. Then, the basic models are interlinked with each other by using some common variables expressing the differences or linear masks of the internal states.

Sequential Encoding Method
Since we always aim at trails with significant non-trivial features, according to the specific goal, we should restrict the number of active S-boxes, the differential probability, or the linear correlation in the distinguisher searching problem. All of these kinds of constraints can be abstracted as the Boolean cardinality constraint $\sum_{j=0}^{n-1} x_j \le k$, where $x_j$'s are Boolean variables, and k is a non-negative integer. Following the approaches in [LWR16, SWW18], we take the sequential encoding method [Sin05] to convert this constraint into CNF formulas.
The sequential encoding method is based on the sequential counter circuit as shown in Figure 3. The circuit computes the partial sum $s_i = \sum_{j=0}^{i} x_j$ for increasing the value of i from 0 to $n-2$. To express this circuit with CNF formulas, we first introduce $(n-1) \cdot k$ auxiliary variables $s_{i,j}$ ($0 \le i \le n-2$, $0 \le j \le k-1$). The partial sum $s_i$ is represented as is equivalent to the following equations, Thus, the equality i j=0 s i,j holds. Accompanied by the notification that the sequence of the partial sum x j k is satisfied if the following implication predicates hold, simultaneously.
These predicates are interpreted as the following 2 formulate the SAT model of the Boolean cardinality constraint

Integrating Bounding Conditions into the SAT Method
At EUROCRYPT 1994, Matsui [Mat94] proposed a branch-and-bound depth-first searching algorithm that can be used to identify the optimal differential trails with the maximum probability of a symmetric-key primitive. The efficiency of Matsui's algorithm comes from the manipulation of the known upper bounds on probabilities of short trails. Denote $\mathrm{Pr}_{Opt}(i)$ the maximum probability achieved by i-round differential trails for $1 \le i \le R-1$. With these messages, we aim at searching for R-round optimal trails. Let $\mathrm{Pr}_{Ini}(R)$ be the initial estimation for the probability bound achieved by R-round trails. Now, suppose that we obtain a partial trail $(\alpha_0, \alpha_1, \ldots, \alpha_r)$ covering the first r rounds ($1 \le r < R$), which is a child node located at the r-th level of the search tree created with Matsui's algorithm. The subtree originating from this node will not be explored if the following bounding condition is violated
where $\mathrm{Pr}(\alpha_i \to \alpha_{i+1})$ is the probability of the differential propagation in the i-th round.
Note that the bounding condition has been incorporated in the automatic search of differential characteristics with the MILP method by Zhang et al. [ZSCH18]. In this section, we show how to integrate the bounding condition into the SAT method without introducing new auxiliary variables so that the search for optimal differential and linear trails can be accelerated. Although the description in this section proceeds with the optimal differential trail possessing the maximum probability, we remind the readers that the method can be applied to the search of optimal linear characteristics as well.

Extracting the Essential of the Problem
Typically, to check the existence of R-round differential trail $(\alpha_0, \alpha_1, \ldots, \alpha_R)$ with the probability being $\mathrm{Pr}_{Ini}(R)$, the SAT method tries to find instantiations for $\alpha_i$'s such that We import Boolean variables w (4) On the other hand, the bounding condition in Eq. (2) is equivalent to Note that the right-hand side of Eq. (5) is a constant no more than k, and the left-hand side of Eq. (5) matches the weight of the trail covering the first r rounds. Generally, with the previously defined symbols, all bounding conditions can be replaced with an inequality constraint of the following form where $e_1 \ge 0$, $e_2 \le n-1$, and $m \le k$.
Of course, we can reapply the sequential encoding method to Eq. (6) by introducing a new group of $(e_2 - e_1 + 1) \cdot m$ auxiliary variables and generating $(2 \cdot m + 1) \cdot (e_2 - e_1) - m$ clauses. However, when multiple bounding conditions are considered, this direct approach will significantly expand the number of variables and clauses in the SAT problem. Since increasing the number of variables and clauses in the SAT problem may result in a negative impact on the efficiency of the SAT solver, which is a conjecture resulting from the experience and observations in the numerous tests, we attempt to find another way to encode the bounding condition. The new approach is motivated by the circuit of the sequential encoding method and reuses variables in the sequential counter circuit of the original objective function in Eq. (4). Without claiming any new variables, the number of clauses is reduced from $O((e_2 - e_1) \cdot m)$ to $e_2 - e_1$ or $k - m$ depending on the concrete values of $e_1$ and $e_2$.

Clausal Encoding of the Bounding Condition
Formally, we target a clausal encoding, whose definition is supplied in the following, of the two Boolean cardinality constraints x j m. Note that the following definition is adjusted from the one in [Sin05].
Definition 1 (Clausal Encoding of Two Boolean Cardinality Constraints). Denote $X = \{x_0, x_1, \ldots, x_{n-1}\}$ the set of variables in the constraints and {ς 0 , ς 1 , . . ., ς −1 } the set of additional encoding variables. A set C of clauses over the set of variables V = {x 0 , . . ., x n−1 , ς 0 . . .ς −1 } is a clausal encoding of the two Boolean cardinality constraints x j m if for all assignments $\Psi_X \in \mathbb{F}_2^n$ of the variables in X that validate the two constraints the following holds: $\Psi_X$ validates the two constraints if and only if there is an extended assignment $\Psi_V$ of all variables in V such that the restricted value of $\Psi_V$ on X coincides with the value of $\Psi_X$.
For the first constraint, we apply the normal sequential encoding method in Sect. 2.4 with additional encoding variables $s_{i,j}$ ($0 \le i \le n-2$, $0 \le j \le k-1$). The corresponding sequential counter circuit accomplishes the computation of the partial sum x j and $\sum_{j=0}^{e_2} x_j$, which have been evaluated in the encoding of the first constraint. This observation reminds us to explore the possibility of reusing variables in the sequential counter circuit to realise the encoding of the second constraint. According to the values of $e_1$ and $e_2$, we split the encoding problem regarding the second constraint into three different cases and construct SAT models, separately.
Case 1. s i,j , we also find that s i,j = 0 automatically implies s i,j = 0 for all j < j k − 1 by the intrinsic property of the unary numeral system.With these properties, we derive the following e 2 − e 1 predicates, which guarantee the satisfiability of the second constraint.
These predicates are converted into the following Boolean expressions.
Thus, the combination of clauses in Eq. (1) and (7) constitutes a clausal encoding of the two Boolean cardinality constraints in this case.
Case 2. x j is fixed as m.
if $s_{e_1-1,j} = 0$ then $s_{e_2,j+m} = 0$ endif, for $0 \le j \le k-m-1$.
These predicates are substituted with clauses listed below.
The combination of clauses in Eq. (1) and (8) can operate as a clausal encoding of the two Boolean cardinality constraints with $e_1 > 0$ and $e_2 < n-1$.
Case 3. x j in this case.
The clauses in Eq. (1) and (9) make up a clausal encoding of the two Boolean cardinality constraints. Now, we finish the construction of SAT model for the bounding condition. This new process allows us to intermix multiple Matsui's bounding conditions into one SAT problem with a minor increment on the number of clauses. At the same time, the number of variables remains the same as the standard SAT method. Note that numerous bounding conditions are available. In the next section, we discuss which sets of bounding conditions produce better accelerating effect.
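The Case 2 encoding can be checked exhaustively on small parameters. The following Python sketch is an added example, not the authors' published code: it assumes the standard sequential counter clauses of [Sin05] for the first constraint (the clause list of Eq. (1) is not reproduced on this page), uses a DIMACS-style variable numbering chosen for illustration, and covers only Case 2 ($e_1 > 0$, $e_2 < n-1$), comparing the clause set against both cardinality constraints for every assignment of X in the sense of Definition 1.

```python
from itertools import product


def seq_counter(n, k):
    """Sequential counter clauses for x_0 + ... + x_{n-1} <= k (n >= 2, k >= 1).

    Assumed numbering (illustrative): x_j -> j + 1, s_{i,j} -> n + 1 + i*k + j.
    Returns the clause list and the s(i, j) index function.
    """
    x = lambda j: j + 1
    s = lambda i, j: n + 1 + i * k + j
    cl = [[-x(0), s(0, 0)]]
    cl += [[-s(0, j)] for j in range(1, k)]
    for i in range(1, n - 1):
        cl.append([-x(i), s(i, 0)])
        cl.append([-s(i - 1, 0), s(i, 0)])
        for j in range(1, k):
            cl.append([-x(i), -s(i - 1, j - 1), s(i, j)])
            cl.append([-s(i - 1, j), s(i, j)])
        cl.append([-x(i), -s(i - 1, k - 1)])      # counter overflow
    cl.append([-x(n - 1), -s(n - 2, k - 1)])
    return cl, s


def bounding_case2(s, k, e1, e2, m):
    """Case 2 (e1 > 0, e2 < n-1, m <= k): s_{e1-1,j} = 0 implies s_{e2,j+m} = 0.

    Reuses the counter variables; adds k - m binary clauses and no variables.
    """
    return [[s(e1 - 1, j), -s(e2, j + m)] for j in range(k - m)]


def satisfiable(clauses, assignment):
    """Small DPLL with unit propagation; assignment maps variable -> bool."""
    assignment = dict(assignment)
    while True:
        unit = None
        for c in clauses:
            open_lits, sat = [], False
            for lit in c:
                v = assignment.get(abs(lit))
                if v is None:
                    open_lits.append(lit)
                elif v == (lit > 0):
                    sat = True
                    break
            if sat:
                continue
            if not open_lits:
                return False                     # clause falsified
            if len(open_lits) == 1:
                unit = open_lits[0]
                break
        if unit is None:
            break
        assignment[abs(unit)] = unit > 0
    free = {abs(l) for c in clauses for l in c} - set(assignment)
    if not free:
        return True
    v = min(free)
    return any(satisfiable(clauses, {**assignment, v: b}) for b in (False, True))


def check_encoding(n, k, e1, e2, m):
    """True iff, for every x in {0,1}^n, an extension to the s variables exists
    exactly when sum(x) <= k and x_{e1} + ... + x_{e2} <= m both hold."""
    base, s = seq_counter(n, k)
    clauses = base + bounding_case2(s, k, e1, e2, m)
    for bits in product((0, 1), repeat=n):
        want = sum(bits) <= k and sum(bits[e1:e2 + 1]) <= m
        fixed = {j + 1: bool(b) for j, b in enumerate(bits)}
        if satisfiable(clauses, fixed) != want:
            return False
    return True


def clause_counts(k, e1, e2, m):
    """(clauses added by reusing the counter, clauses of a fresh counter
    on the window x_{e1..e2}); the second needs e2 > e1 and m >= 1."""
    return k - m, len(seq_counter(e2 - e1 + 1, m)[0])


if __name__ == "__main__":
    print(check_encoding(6, 3, 1, 3, 1), clause_counts(3, 1, 3, 1))
```

The fresh-counter count returned by `clause_counts` agrees with the $(2 \cdot m + 1) \cdot (e_2 - e_1) - m$ figure quoted above for the direct approach.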

Accelerating Effect of the Bounding Condition
Suppose that we aim at the R-round differential trail with the weight being no more than k, the global constraint should be k, where we reuse the symbols in Sect. 3.1.

Given the probability bounds Pr
where $0 \le r_1 \le r_2 \le R-1$, and $r_1$ and $r_2$ cannot reach the two endpoints simultaneously. For simplicity, we denote the bounding condition starting from the $r_1$-th round and terminating with the $r_2$-th round as $C_{(r_1,r_2)}$. Many questions should be answered.
• Can the automatic search with the SAT method be accelerated after integrating some of these bounding conditions?
• If we add all the bounding conditions into the SAT problem, does it result in the best performance of the search with the SAT solver?
• If this is not the case, which sets of bounding conditions potentially result in extraordinary advances?
In this section, we take the distinguisher searching problem of GIFT-64 [BPP+17], which is a 28-round SPN cipher with the 64-bit block size, as an illustration, and compare the runtime for solving SAT problems with different sets of bounding conditions. By taking into account the observations in the test as well as our experience, we try to find answers to the above problems. At the end of this section, we provide a strategy concerning the selection of the sets of bounding conditions, which may be helpful for designers and attackers in search of differential and linear characteristics. All the tests in this section are implemented on a PC with Intel Core™ i5-9400F CPU @ 2.90GHz × 6, and we only use one core.
We set the goal as searching for the optimal differential trails with the minimum number of active S-boxes for GIFT-64 from 1-round to 28-round. After initialising both the number of rounds $R$ and the number of active S-boxes $\tau$ as one, we invoke the SAT solver to determine the existence of the $R$-round trail with no more than $\tau$ active S-boxes. If this prediction is satisfiable, we obtain an $R$-round trail with $\tau$ active S-boxes, and the searching phase proceeds after respectively increasing the values of $R$ and $\tau$ by one. Otherwise, we update the value of $\tau$ with $\tau + 1$ and ask the SAT solver to verify the satisfiability. This procedure terminates when we get the 28-round trail with the minimum number of active S-boxes. Denote by $\#S_D(i)$ the minimum number of active S-boxes achieved by $i$-round differential trails. Thus, in this procedure, we solve $\#S_D(28)$ SAT problems in total. In the following, we view the runtime for solving the $\#S_D(28)$ problems as a criterion and compare the runtime under different settings that integrate different sets of bounding conditions. The runtime for the standard SAT method with no bounding condition is 4306.9s, which is a benchmark for the accelerating effect.

Sets of Bounding Conditions with the Same Initial/Terminal Round
In [ZSCH18], by incorporating the Matsui's bounding conditions originating from the first round and (or) terminating with the last round, Zhang et al. realised a speedup on the search with the MILP method. Inspired by this work, we examine the accelerating outcome of the set comprising bounding conditions with the same initial or terminal round on the SAT method. Denote by $C_{(r_1,*)}$ the set of $28 - r_1$ bounding conditions starting from the $r_1$-th round and by $C_{(*,r_2)}$ the set of $r_2$ bounding conditions terminating with the $r_2$-th round, $0 \le r_1, r_2 \le 27$. After encoding the 56 sets of conditions into SAT problems, we conduct the tests separately and present an intuitive comparison of the runtime in Figure 4.

From the results illustrated in Figure 4, we note that all the 56 sets $C_{(r_1,*)}$ and $C_{(*,r_2)}$ indeed shorten the runtime. This observation allows us to provide a positive answer for the first issue, that is, the automatic search with the SAT method can be accelerated after integrating some of these bounding conditions. Besides, it can also be noticed that the degrees of improvement for different sets exhibit apparent variation. The set $C_{(*,27)}$ results in the best performance in the test, and it only takes about $34.7/4306.9 \approx 0.8\%$ of the runtime for the standard SAT method to get precisely the same result. Also, the performance regarding the set $C_{(0,*)}$ is good, although the corresponding runtime is slightly longer than that of $C_{(*,27)}$. Lastly, the runtime has a sharp decline at the two points $C_{(8,*)}$ and $C_{(*,19)}$ in Figure 4. In the same test regarding PRESENT, a similar decline occurs at the two points $C_{(5,*)}$ and $C_{(*,25)}$, which is shown in Figure 5. We conjecture this circumstance relates to the structure of the cipher as well as the optimising technique in the SAT solver and leave this issue as future work.

Unions of Multiple Sets Defined in Sect. 4.1
Now, we study whether the performance of the automatic search can be further improved by taking multiple sets defined in Sect. 4.1 into account. Since the two sets $C_{(0,*)}$ and $C_{(*,27)}$ obtain overwhelming advantages over the remaining ones, we generate the union sets ($2 \le r \le 28$) by accumulating multiple sets based on $C_{(0,*)}$ and $C_{(*,27)}$, respectively. Both $U_{(r,*)}$ and $U_{(*,r)}$ are composed of $r$ sets defined in Sect. 4.1. A comparison on the runtimes under the 54 union sets can be found in Figure 6. All the 54 sets achieve improvements on the runtime in almost equal measure. Thus, probably, we cannot significantly improve the runtime with $C_{(0,*)}$ and $C_{(*,27)}$ by combining multiple sets like $C_{(r_1,*)}$ or $C_{(*,r_2)}$ into the SAT problem. For the two sets $U_{(28,*)}$ and $U_{(*,28)}$ containing all the bounding conditions, the runtime does not attain the minimum value. This observation indicates that adding all the bounding conditions into the SAT problem does not always give the best performance. Furthermore, at the two points $U_{(*,2)}$ and $U_{(*,4)}$ in Figure 6, the tests get minor acceleration over the result with $C_{(*,27)}$, which is the origin of the following conjecture. When the tests with $C_{(0,*)}$ and $C_{(*,R-1)}$ do not meet the requirement in the application for a primitive with $R$ rounds of encryption, the union sets $U_{(r,*)}$ and $U_{(*,r)}$ with $r$ being a small integer might be the last hope for better returns under the searching framework in this paper.

Sets of Conditions Covering the Same Number of Rounds
We also analyse the accelerating effect of the set of bounding conditions covering the same number of rounds. Denote by $C_{|r|}$ the set of $28 - r$ bounding conditions covering $r$ rounds of encryption, i.e., $C_{|r|} = \{C_{(x,x+r-1)} \mid 0 \le x \le 28 - r\}$, $1 \le r \le 27$. The runtime is illustrated in Figure 7. It can be noticed that this kind of set speeds up the search when the value of $r$ is relatively small. Nevertheless, the performance gets worse with the increasing value of $r$, since $r$-round bounding conditions cannot be united into the $R$-round optimal trail searching problem with $R < r$. Moreover, we should point out that the automatic search with all the sets $C_{|r|}$ cannot get better performance than those achieved by $C_{(0,*)}$ and $C_{(*,27)}$.

How to Select the Sets of Bounding Conditions
Now, we sum up strategies concerning the selection of the sets of bounding conditions in the automatic search for $R$-round primitives with the SAT method. According to a considerable amount of experiments for different primitives and our experience, these strategies can be generally applied to various block ciphers, even though these ideas are explained with the tests on GIFT-64.
First of all, we think the two sets $C_{(0,*)}$ and $C_{(*,R-1)}$ are the first choice and are more likely to show remarkable improvements in the runtime over the standard method with no bounding condition. Secondly, if the performances with $C_{(0,*)}$ and $C_{(*,R-1)}$ do not meet the requirement, the union sets $U_{(r,*)}$ and $U_{(*,r)}$ with $r$ being a small integer are worth a shot.
The last thing we want to mention is that we also study the efficiency of sets with randomly drawn bounding conditions and evaluate the outcome correspondingly. The accelerating effect is not visible when the number of conditions in the set is not adequate. Also, the improvements cannot outperform those of $C_{(0,*)}$ and $C_{(*,R-1)}$. Therefore, we do not recommend using random sets.
Remark 1. Since we adopt CaDiCaL instead of Cryptominisat as the SAT solver, it is natural to question whether the acceleration is just achieved by using a different solver. To clearly illustrate the gain by the new encoding approach, we provide a comprehensive comparison of the runtime for various primitives regarding distinct searching targets. The comparison takes the two solvers mentioned above and different sets of bounding conditions into account. It can be seen from the results that altering the solver is not the essential reason for the acceleration, and the significant improvement mainly benefits from the new encoding approach. Please refer to Appendix E for more details.

Applications to Several Block Ciphers
In this section, we apply the ideas in Sect. 3 and Sect. 4 to several block ciphers and gain many new results. All the tests in this section are performed by integrating the set $C_{(*,R-1)}$, which is composed of bounding conditions terminating with the last round, into the SAT method. For the primitives studied in [ZZDX19] with the MILP method, we give a comparison on the runtime. The comparisons are not fair since the tests are implemented on different platforms. However, in all comparisons, our tests with the SAT method operate much faster than those with the MILP method. The source codes are publicly available at https://github.com/SunLing134340/Accelerating_Automatic_Search. For simplicity, we introduce the following notations.
• $\#S_D$: the minimum number of differential active S-boxes.
• $\#S_L$: the minimum number of linear active S-boxes.
• $\mathrm{Pr}_{Opt}$: the maximum probability of differential trails.
• $\mathrm{Cor}_{Opt}$: the maximum correlation of linear trails.
• $T_{SAT}$: runtime in our tests on a PC with Intel Core™ i5-9400F CPU @ 2.90GHz.
• $T_{MILP}$: runtime in [ZZDX19] on a PC with Intel Core™ i7-4790 CPU @ 3.60GHz.

PRESENT is probably one of the first candidates that take lightweight hardware implementations into account and has a profound effect on the design of lightweight block ciphers. For PRESENT, we obtain full information about $\#S_D$, $\mathrm{Pr}_{Opt}$, $\#S_L$ and $\mathrm{Cor}_{Opt}$ from 1-round to 31-round. As far as we know, we are the first to provide all these results. The experimental results are covered in Table 3.

Applications to GIFT.
As an improved version of PRESENT, GIFT [BPP+17] attains a much-increased efficiency in all domains. Meanwhile, it corrects the well-known weakness of PRESENT with regards to linear hulls. GIFT is composed of two versions. GIFT-64 is a 28-round SPN cipher with the 64-bit block size, and GIFT-128 is a 40-round SPN cipher with the 128-bit block size.
• For GIFT-64, full information about $\#S_D$, $\mathrm{Pr}_{Opt}$, $\#S_L$ and $\mathrm{Cor}_{Opt}$ is known, and the test results can be found in Table 4.
• For GIFT-128, we get complete knowledge of $\#S_D$ and $\#S_L$ from 1-round to 40-round. Moreover, we discover the optimal differential trails for up to 29 rounds and the optimal linear characteristics for up to 25 rounds. Please check

Applications to Two Feistel Ciphers
For the two ciphers LBlock [WZ11] and TWINE [SMMK12] with Feistel structures, complete information about $\#S_D$, $\mathrm{Pr}_{Opt}$, $\#S_L$ and $\mathrm{Cor}_{Opt}$ is obtained. Please refer to Table 7 and Table 8 for the results of LBlock and TWINE, respectively.

Related-Key Differential Attack on 26-Round GIFT-64
Note that the acceleration method can also be utilised to speed up the search of related-key differential characteristics if we view the $n$-bit cipher with $k$-bit master key as a function with an $(n + k)$-bit input and an $n$-bit output. With this method, for GIFT-64, we discover an 18-round related-key differential trail with probability $2^{-58}$, which is presented in Figure 8. The 128-bit master key of this trail is 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0028 0x0000. Since it is decoded from the experimental result of the search concerning the minimum number of active S-boxes, we do not claim it is an optimal 18-round related-key differential characteristic.
With the 18-round distinguisher, we launch a related-key differential attack on 26-round GIFT-64 by appending three and five rounds before and after the distinguisher, respectively. Please refer to Appendix D.2 for a brief description of GIFT-64. The key-recovery attack is demonstrated in Figure 9, where $X_i$ and $Y_i$ denote the 64-bit input and output of the SubCells operation in the $i$-th round ($0 \le i \le 25$), and $RK_i$ stands for the $i$-th round key. We employ $X_i[j]$ to represent the $j$-th bit of $X_i$.
Since there is no whitening key at the input of GIFT-64, we can construct structures at the position of $Y_0$. In each structure, we fix the value of the eight bits $Y_0[16, 20, 21, 25, 33, 40, 44, 45]$ marked with '∆' in Figure 9 and traverse all the values of the remaining 56 bits. Then, one pair is generated by respectively drawing one element from two structures with the fixed 8-bit value being opposite with each other. Thus, $2^{112}$ pairs can be created with two structures composed of $2^{57}$ elements.
In the attack, we prepare $S$ twin structures and obtain $N_1 = S \cdot 2^{112}$ pairs. So, the data complexity is $S \cdot 2^{57}$. For each pair $(Y_0, Y_0')$, we compute the pair of plaintexts $(P, P')$ by applying $GS^{-1}$ to every nibble of the two states $(Y_0, Y_0')$. By querying the oracle, we obtain the corresponding pair of ciphertexts $(C, C')$. To reduce the time complexity in the subsequent round key recovery phase, we apply the partial sum technique and take the property of the key schedule into account.
The 32-bit state of $RK_0$ is partitioned into 16 parts. We guess the value of $RK_0[0, 1]$ and check whether the 4-bit difference $\Delta Y_1[0-3]$ fills the condition ∆Y pairs will participate in the following processes. This guess-and-check procedure is repeated for all the 16 parts until all the 32-bit value of $RK_0$ is traversed. The time complexity and the number of remaining pairs in each step are detailed in Table 11. After the enumeration of $RK_0$, about $N_1 \cdot 2^{-46}$ pairs are left. Then, we proceed with the enumeration of the 8-bit value $RK_1[16-19, 28-31]$. Similarly, this procedure is split into four parts. For the first part regarding $RK_1[16, 17]$, we guess the 2-bit value and check the validity of the condition ∆Y According to the DDT of the S-box GS, if the input difference is '11**', the prediction that the output difference equals 0x4 holds with probability $2^{-2}$. Thus, $N_1 \cdot 2^{-46} \cdot 2^{-2}$ pairs fulfilling this constraint will receive further consideration. We repeat this procedure for the remaining three parts of $RK_1$. The detailed analysis can be found in Table 11. After the enumeration of $RK_1$, we obtain $N = N_1 \cdot 2^{-56}$ pairs that match the input difference of the 18-round distinguisher.
Now, we turn to the tail of the distinguisher. With the property of the key schedule, we find that the 8-bit value of $RK_{25}[1, 3, 8, 10, 13, 15, 20, 22]$ is known since it corresponds to the guessed 8-bit value of $RK_1$. Also, the 32-bit value of $RK_{24}$ is known as it is the output of a bit permutation on $RK_0$. Hence, to calculate the values of the pairs $(X_{24}, X_{24}')$, we only need to guess the 24-bit unknown value of $RK_{25}$. The time complexity of this step is $2^{30}$ 26-round encryptions. The following steps concerning the enumerations of $RK_{23}$ and $RK_{22}$ are similar to those performed on $RK_0$ and $RK_1$. The evaluation of the complexity is listed in Table 11.
We set a counter to record the number of right pairs that validate the input and output differences of the 18-round distinguisher. At last, for random key guesses, the number of right pairs is about $N_1 \cdot 2^{-120}$. For the right key guess, the number of right pairs is expected to be Thus, the number of right pairs follows a binomial distribution with parameters $(N, p_0 = 2^{-58})$ in the case of the good key and $(N, p_1 = 2^{-64})$ otherwise. We fix the threshold as $\Theta$, and the key guess will be accepted as a candidate if the counter of right pairs is no less than $\Theta$. Note that we have already guessed the value of 112 bits of the master key. For all surviving key candidates, we exhaustively search for the value of the remaining 16 bits with at most two plaintext-ciphertext pairs.

Complexity Analysis
We apply the method in [BGT11] to estimate the complexity. Let $\alpha$ stand for the non-detection error probability and $\beta$ be the false alarm error probability. Then, we have the following approximations for the values of $\alpha$ and $\beta$, where is the Kullback-Leibler divergence between two Bernoulli probability distributions with parameters being $p$ and $q$, respectively.
The time complexity $T_1$ in the subkey enumeration phase is about We set the threshold $\Theta$ as $\Theta = 2$ and try to find the minimum value of $N = N_1 \cdot 2^{-56}$ such that the success probability $P_S = 1 - \alpha$ of the attack is not less than 90%. With Eq. (10), we compute the values $N \approx 2^{59.96}$ and $P_S \approx 90\%$. Accordingly, we have $\beta \approx 2^{-9.14}$, and the time complexity of this attack is $T_1 + T_2 \approx 2^{123.23}$. The data complexity is $S \cdot 2^{57} = N \cdot 2 = 2^{60.96}$ chosen plaintexts. The memory complexity is $2^{112} \cdot \beta \approx 2^{102.86}$ for memorising the right key candidates with Θ 2.
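As an added cross-check (not part of the paper, and not the [BGT11] approximation it uses), the binomial counter can be approximated by a Poisson distribution with mean $N \cdot p$; with $\Theta = 2$ this reproduces the reported $N$, $\beta$, data and memory figures. The function names and the bisection search are illustrative.

```python
import math

P0_LOG2 = -58      # right-key probability of the 18-round distinguisher (from the text)
P1_LOG2 = -64      # wrong-key probability (from the text)
THETA = 2          # acceptance threshold on the counter of right pairs
GUESSED_BITS = 112 # master key bits guessed before the exhaustive search

def tail(lam, theta):
    """P[X >= theta] for X ~ Poisson(lam), used in place of Binomial(N, p)."""
    below = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(theta))
    return 1.0 - below

def min_log2_pairs(target_ps, theta=THETA):
    """Smallest log2(N) such that the right key reaches the threshold
    with probability at least target_ps (bisection on the exponent)."""
    lo, hi = 0.0, 128.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if tail(2.0 ** (mid + P0_LOG2), theta) >= target_ps:
            hi = mid
        else:
            lo = mid
    return hi

def attack_parameters(target_ps=0.9):
    """Reproduce N, P_S, beta, data and memory from the distinguisher figures."""
    log2_n = min_log2_pairs(target_ps)
    p_success = tail(2.0 ** (log2_n + P0_LOG2), THETA)   # 1 - alpha
    beta = tail(2.0 ** (log2_n + P1_LOG2), THETA)        # false alarm probability
    return {
        "log2_N": log2_n,
        "P_S": p_success,
        "log2_beta": math.log2(beta),
        "log2_data": log2_n + 1,                         # S * 2^57 = N * 2
        "log2_memory": GUESSED_BITS + math.log2(beta),   # 2^112 * beta
    }

if __name__ == "__main__":
    for name, value in attack_parameters().items():
        print(f"{name}: {value:.2f}")
```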

Conclusion
In this paper, we try to accelerate the search of differential and linear characteristics with the SAT method. The main idea is to encode Matsui's bounding conditions by reusing the sequential counter circuit for the objective function in the standard SAT method. The novel encoding method does not rely on new auxiliary variables. It enables us to incorporate multiple bounding conditions into one SAT problem with a minor increment on the number of clauses. With the observations and experience in a considerable amount of experiments, we come up with a strategy on how to organise the sets of bounding conditions that potentially achieve better performance. This new idea is applied to various primitives and obtains many updated cryptanalytic results.
As we mentioned in the paper, we observe a striking drop in the runtime regarding the tests with the sets $C_{(r_1,*)}$ and $C_{(*,r_2)}$ for GIFT-64 and PRESENT. We think that figuring out the reason for this circumstance is an interesting future work. Probably, the reason may result in new ideas to further accelerate the automatic search with the SAT method.

A Experimental Results of Three SPN Ciphers
PRESENT. Please refer to Table 3 for the experimental results of PRESENT.

D.1 18-Round Related-Key Differential Trail
The 18-round related-key differential trail is shown in Figure 8. The 128-bit master key of this trail is 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0028 0x0000.

D.2 A Brief Introduction of GIFT-64
To clearly explain the key-recovery attack, we give a brief introduction of GIFT-64.
• Key schedule and round constants. Denote K = k 0 k 1 • • • k 7 the 128-bit master key. After extracting two 16-bit words of the key state as the round key RK = U V = k 6 k 7 , the key state is updated as follows, Since the values of the round constants do not affect the key-recovery attack, the generating method is not covered here. We refer readers to [BPP+17] for more details.
Each round of GIFT-64 includes the following three steps.
• SubCells. The 4-bit S-box GS is applied to every nibble of the 64-bit cipher state
• PermBits. It maps bits from bit position i of the cipher state to bit position P (i),
• AddRoundKey. This step consists of adding the round key and round constants.
A 32-bit round key RK is extracted from the key state and is further partitioned into two 16-bit words as Then, U and V are XORed to $\{s_{4 \cdot i+2} \mid 0 \le i \le 15\}$ and $\{s_{4 \cdot i+3} \mid 0 \le i \le 15\}$ of the cipher state, respectively. To be specific,

D.3 An Illustration for the Key-Recovery Attack
The key-recovery attack is demonstrated in Figure 9.

D.4 Detailed Computation of Complexity
The detailed analysis of the complexity can be found in Table 11.

E Comprehensive Comparison of the Accelerating Effect
To clearly illustrate the accelerating effect of the new method, we test the runtime in different settings with two SAT solvers CaDiCaL and Cryptominisat. All the tests in this section are implemented on a server with AMD EPYC 7302 16-Core Processor, and each program utilises one processor. The following notations are exploited to distinguish the runtime in different cases.
• $T^{\emptyset}_{CaD}$: runtime using CaDiCaL without bounding condition.
• $T^{0}_{CaD}$: runtime using CaDiCaL with the set $C_{(0,*)}$.
[Figure 9 legend: ∆ marks a bit whose difference is known and must be nonzero; the other markers denote a bit whose value should be known, a subkey bit whose value should be known, a subkey bit that equals the i-th bit of the master key, and a master key bit with the nonzero difference.]
Please refer to Tables 12-21 for the experimental results of PRESENT, GIFT-64, RECTANGLE, LBlock, TWINE and all versions belonging to the SPECK family of block ciphers. Note that the values of $T_{MILP}$ for SPECK32 and SPECK48 stem from [ZSCH18], where the authors claimed that the tests employed 16 threads of a server with Intel Xeon E5-2637V3 CPU 3.50 GHz.
Table 11: Detailed computation of complexity.
[Table 11 columns: Step; Guessed subkey; Condition on the difference; #{Remaining pairs}; Time complexity]
In the following, we list some observations to assist readers in understanding the main reason for the acceleration.

1. Note that the difference between the values of $T^{\emptyset}_{CaD}$ and $T^{\emptyset}_{Cry}$ exhibits the gain resulting from applying a different solver. It can be seen from Tables 12-21 that changing the solver is not the crucial reason for the acceleration.
2. The comparison between the value of $T^{\emptyset}_{CaD}$ and the value of $T^{R-1}_{CaD}$ or $T^{0}_{CaD}$ indicates the gain of the new encoding method. Therefore, we confirm that the significant improvement on the runtime mainly benefits from the new encoding approach. The results in Tables 12-21 evidence that the strategies proposed in Sect. 4 can be generally applied to various block ciphers concerning different searching tasks, even though the idea is demonstrated with the tests on GIFT-64. Also, the comparison between the value of $T^{\emptyset}_{Cry}$ and the value of $T^{R-1}_{Cry}$ or $T^{0}_{Cry}$ reveals that the new encoding method also works for the solver Cryptominisat.
3. With the experimental results for all versions of the SPECK family of block ciphers in Tables 17-21, we note that the acceleration is not significant. As we mentioned in Sect. 5.3, adding bounding conditions regarding the test for SPECK cannot significantly improve the automatic search with the SAT method. This circumstance coincides with the observation raised by Zhang et al. [ZSCH18].
4. Another interesting observation is that for problems that are not time-consuming, e.g., targeting the minimum number of active S-boxes, CaDiCaL does not show significant advantages. However, when it comes to more challenging tasks for the optimal trails with the maximum differential probability and linear bias, CaDiCaL dramatically reduces the runtime. This observation may help readers to select the SAT solver according to their customised searching problems.
Table 12: Experimental results of PRESENT.

Differential property
Round Figure 1 (a), denote α the input difference, β and γ the two output differences.The differential holds if and only if the values of α, β, and γ validate all the assertions in the following.
SIMON-like round function.
Figure 2 (c), the n-bit SIMON-like round function is defined as f(x) = (x ≪ a) ∧ (x ≪ b) ⊕ (x ≪ c), where a > b, n is even and gcd(n, a − b) = 1. This function serves as the round function of the SIMON block cipher family [BSS+13]. The differential model originates from [KLT15].
the weight of the differential propagation α i → α i+1 in the i-th round, i.e., − log 2 Pr(α i → α i+1 ) = define the symbols n R • , k − log 2 Pr Ini (R) , and x •i+j w (i) j .Then, Eq. (3) is rewritten as follows n−1 i=0 j for 0 i n − 2. Note that the second constraint focuses on the value of a consecutive partial sum of variables belonging to the first constraint, and it can be inferred from the values of e1−1 j=0

x
j m with e 1 > 0 and e 2 < n − 1 With a similar consideration as in Case 1, we create the following k − m predicates so that the least upper bound for the value of e2 j=e1

x
j m with e 1 > 0 and e 2 = n − 1 The constraint is adjusted as n−1 j=e1 x j m.By incorporating the property of the sequential counter circuit, we come up with the following predicates, which enable us to restrict the value of the summation n−1 j=e1
[Figure legend: box with probability $2^{-2}$; active bit in the state; active bit in the round key.]

Table 1: The maximum length of trails with different approaches for SPECK.
Applications to PRESENT.
Table 5 for more details.
Applications to RECTANGLE. RECTANGLE [ZBL+15] is a 25-round SPN cipher with the 64-bit block size. It facilitates fast implementations for multiple platforms by using bitslice techniques. Full knowledge about $\#S_D$, $\mathrm{Pr}_{Opt}$, $\#S_L$ and $\mathrm{Cor}_{Opt}$ is explicit with the acceleration method. The test results are provided in Table 6.

SIMON and SPECK Families of Block Ciphers
Applications to SIMON family of block ciphers. We obtain full knowledge of $\mathrm{Pr}_{Opt}$ and $\mathrm{Cor}_{Opt}$ for all versions in the SIMON family of block ciphers [BSS+13]. As mentioned in Sect. 2.3.2, we claim that the result of the value $\mathrm{Cor}_{Opt}$ for SIMON is heuristic. Please refer to Table 9 for the test results about SIMON.
Applications to SPECK family of block ciphers. The acceleration method is also practised on all versions of the SPECK family of block ciphers. Especially for the two versions SPECK32 and SPECK64, we get complete pictures of $\mathrm{Pr}_{Opt}$ and $\mathrm{Cor}_{Opt}$. In the test for SPECK, we notice that adding bounding conditions cannot significantly improve the automatic search with the SAT method. This circumstance coincides with the observation raised by Zhang et al. [ZSCH18]. That is, adding Matsui's bounding conditions into MILP models of ARX ciphers is not a good choice.

Table 3: Experimental results of PRESENT.
Please refer to Table 4 for the experimental results of GIFT-64.

Table 4: Experimental results of GIFT-64.
Please refer to Table 5 for the experimental results of GIFT-128.

Table 5: Experimental results of GIFT-128.
Please refer to Table 6 for the experimental results of RECTANGLE.

Table 6: Experimental results of RECTANGLE.

Experimental Results of Two Feistel Ciphers
LBlock. Please refer to Table 7 for the experimental results of LBlock.

Table 7: Experimental results of LBlock.
Please refer to Table 8 for the experimental results of TWINE.

Table 8: Experimental results of TWINE.

Experimental Results of SIMON and SPECK
SIMON family of block ciphers. Please refer to Table 9 for the experimental results.

Table 9: Experimental results of SIMON Family of Block Ciphers.

Table 16: Experimental results of TWINE.