Impossible Differential Cryptanalysis of Reduced-Round mCrypton-64

Document Type : Research Article

Authors

1 Department of Electrical Engineering, Sharif University of Technology, Tehran, Iran

2 Electronics Research Institute, Sharif University of Technology, Tehran, Iran

3 Faculty of Computer Science, Ruhr University Bochum, Bochum, Germany

Abstract
Impossible-differential cryptanalysis is a powerful method for evaluating the robustness of block ciphers; however, mCrypton is one of the block ciphers whose master key has not yet been recovered with this method in the single-key scenario. This paper first clarifies the branch number of the linear layer of the mCrypton block cipher by means of an observation: we show that the branch number of the linear layer of mCrypton is four. Using this result, a 4-round impossible differential in the single-key scenario is found. Furthermore, by exploiting the results of several observations, some vulnerabilities in the key-schedule algorithm are discovered and presented. Combining the discovered vulnerabilities with the 4-round property, impossible-differential cryptanalysis is successfully applied to seven rounds of mCrypton-64. To our knowledge, this is the first impossible-differential cryptanalysis applied to mCrypton-64. The attack requires 2^36.0 bytes of memory, 2^59.0 chosen plaintexts (with the corresponding ciphertexts), and 2^59.6 encryptions to recover the master key.
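As an added example (not code from the paper), the following Python script checks the branch-number claim above exhaustively: it implements the column-wise bit permutation π of mCrypton from the cipher's public specification by Lim and Korkishko, then scans every non-zero 16-bit column difference and takes the minimum of active input nibbles plus active output nibbles. The mask values and the `(i+j+k) mod 4` index convention are transcribed here and should be treated as an assumption of this example.

```python
# Added example: branch number of the mCrypton column-wise bit permutation pi.
# pi is linear (bit-wise AND with constant masks, then XOR), so a difference
# propagates through it exactly like a value does.  The masks and index
# convention below follow the mCrypton specification as transcribed here.

MASKS = (0b1110, 0b1101, 0b1011, 0b0111)  # m0..m3: one zero bit each


def pi_column(col, nibbles):
    """Apply pi_col to one column given as four 4-bit nibbles (a0..a3).

    b_j = XOR over k of ( m_{(col + j + k) mod 4} AND a_k ),  j = 0..3
    """
    out = []
    for j in range(4):
        b = 0
        for k, a in enumerate(nibbles):
            b ^= MASKS[(col + j + k) % 4] & a
        out.append(b)
    return tuple(out)


def split(x):
    """16-bit integer -> four nibbles, nibble k taken from bits 4k..4k+3."""
    return tuple((x >> (4 * k)) & 0xF for k in range(4))


def active(nibbles):
    """Number of non-zero (active) nibbles in a difference."""
    return sum(1 for n in nibbles if n)


def branch_number(col):
    """min over all non-zero column differences d of active(d) + active(pi(d))."""
    best = 8
    for x in range(1, 1 << 16):
        a = split(x)
        best = min(best, active(a) + active(pi_column(col, a)))
    return best


def is_involution(col):
    """pi_col applied twice is the identity on every 16-bit column value."""
    return all(pi_column(col, pi_column(col, split(x))) == split(x)
               for x in range(1 << 16))


if __name__ == "__main__":
    for col in range(4):
        print(f"column {col}: branch number = {branch_number(col)}, "
              f"involution = {is_involution(col)}")
    # A single active nibble holding one bit activates only three output
    # nibbles, which is why the branch number is 4 rather than 5.
    print(pi_column(0, (0b0001, 0, 0, 0)))
```

The one-bit input difference `(1, 0, 0, 0)` in column 0 maps to `(0, 1, 1, 1)`: one active nibble in, three out, giving the total of four that bounds the branch number.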

Keywords

