Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128


  • Rui Zong, Verification & Validation Technology Corporation Limited, Shenzhen, China
  • Xiaoyang Dong, Institute for Advanced Study, BNRist, Tsinghua University, Beijing, China
  • Huaifeng Chen, The 6-th Research Institute of China Electronics Corporation, Beijing, China
  • Yiyuan Luo, School of Computer Science and Engineering, Huizhou University, Huizhou, China; Network and Data Security Key Laboratory of Sichuan Province, University of Electronic Science and Technology of China, Chengdu, China
  • Si Wang, China Telecom Corporation Limited, Guangzhou, China
  • Zheng Li, Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China



Keywords: GIFT, Differential Trail, Linear Trail, Distinguisher Search Strategy, SUNDAE-GIFT, GIFT-COFB


When analyzing a block cipher, the first step is to search for valid distinguishers, for example differential trails in differential cryptanalysis and linear trails in linear cryptanalysis. A distinguisher is advantageous if it can be used to attack more rounds and the number of key bits involved in the key-recovery process is small, as this leads to a long attack with low complexity. In this article, we propose a two-step strategy to search for such advantageous distinguishers. This strategy is inspired by the intuition that if a differential is advantageous only when some properties are satisfied, then we can predefine some constraints describing these properties and search for the differentials in the resulting small set.
As an application, our strategy is used to analyze GIFT-128, which was proposed at CHES 2017. Based on some 20-round differentials, we give the first 27-round differential attack on GIFT-128, which covers one more round than the best previous result. Also, based on two 17-round linear trails, we give the first linear hull attack on GIFT-128, which covers 22 rounds. We also give some results on two GIFT-128-based AEADs, GIFT-COFB and SUNDAE-GIFT.




How to Cite

Zong, R., Dong, X., Chen, H., Luo, Y., Wang, S., & Li, Z. (2021). Towards Key-recovery-attack Friendly Distinguishers: Application to GIFT-128. IACR Transactions on Symmetric Cryptology, 2021(1), 156–184.