An Efficient Strategy to Construct a Better Differential on Multiple-Branch-Based Designs: Application to Orthros

Abstract

As low-latency designs tend to have a small number of rounds to decrease latency, the differential-type cryptanalysis can become a significant threat to them. In particular, since a multiple-branch-based design, such as Orthros can have the strong clustering effect on differential attacks due to its large internal state, it is crucial to investigate the impact of the clustering effect in such a design. In this paper, we present a new SAT-based automatic search method for evaluating the clustering effect in the multiple-branch-based design. By exploiting an inherent trait of multiple-branch-based designs, our method enables highly efficient evaluations of clustering effects on this-type designs. We apply our method to the low-latency PRF Orthros, and show a best differential distinguisher reaching up to 7 rounds of Orthros with \(2^{116.806}\) time/data complexity and 9-round distinguisher for each underlying permutation which is 2 more rounds than known longest distinguishers. Besides, we update the designer’s security bound for differential attacks based on the lower bounds for the number of active S-boxes, and obtain the optimal differential characteristic of Orthros, Branch 1, and Branch 2 for the first time. Consequently, we improve the designer’s security bound from 9/12/12 to 7/10/10 rounds for Orthros/Branch 1/Branch 2 based on a single differential characteristic.

Detailed Explanation of Branch 1 and Branch 2

Fig. 7.

Overview of Orthros.

Orthros is a two-branch-based design in which the underlying components are SPN-based PRPs as shown in Fig. 7. The underlying two keyed permutations consist of S-box (SB), bit-permutation (\(P_{brN}\)), nibble-permutation \((P_{nN}\)), MixColumn (MC), AddRoundKey (AK) and AddConstant (AC). We provide the detailed explanation of those function. Note that we do not give the explanation of a key scheduling because our evaluation does not consider the impact of the round keys.

SB:

A 4-bit S-box will be applied to each nibbles in parallel for Branch1 and Branch2. The specification of the 4-bit S-box is given in Table 8.

\(P_{brN}\),\(P_{nN}\):

For the first 4 rounds of Branch1 and Branch2, \(P_{br1}\) and \(P_{br2}\) will be applied, respectively. From the 5th round to the 11th round, the nibble permutations \(P_{n1}\) and \(P_{n2}\) will be adopted in each branch respectively. The details of the permutation \(P_{brN}\) and \(P_{nN}\), where \(N \in \{1, 2\}\), are shown in Table 9 and Table 10, respectively.

Table 8. 4-bit S-box of Branch1 and Branch2.

Table 9. BP of Branch1 and Branch2.

Table 10. NP of Branch1 and Branch2.

MC :

Let \(M_{b}\) be \(4\times 4\) binary matrix over nibbles defined as

$$ M_b = \begin{pmatrix} 0 &{} 1 &{} 1 &{} 1 \\ 1 &{} 0 &{} 1 &{} 1 \\ 1 &{} 1 &{} 0 &{} 1 \\ 1 &{} 1 &{} 1 &{} 0 \end{pmatrix}. $$

Four nibbles \((a_0, a_1, a_2, a_3)\) will be updated as follows:

$$ (a_0, a_1, a_2, a_3)^T \leftarrow M_b\cdot (a_0, a_1, a_2, a_3)^T. $$

\(\boldsymbol{R}_{\boldsymbol{f_N}}\) :

Figure 8 and 9 show the first four and remaining rounds of each branch. Note that MC and NP are not applied in the final round.

Fig. 8.

The first four rounds.

Fig. 9.

The 5th to 11th round.